Sockopt config: Add trustedXForwardedFor (for XHTTP, WS, HU inbounds)
#5331
+119
−67
Fixes #5101 (comment)
As described in the linked comment, the XHTTP, WS and HU inbounds have a problem: by default they read X-Forwarded-For from the requester's HTTP headers and overwrite SourceIP with it.
The original intent was to obtain the requester's real IP, since a CDN adds this header by default, while HTTP reverse proxies such as Nginx need to be configured to add it themselves.
But if no trusted source in front has added it, for example a direct REALITY connection, then because this header has the highest priority, the requester can forge its own IP address.
sockopt's trustedXForwardedFor is an array; X-Forwarded-For is trusted only if any one of its entries is present in the request headers. If it is not set, the previous behaviour is kept. For example, with "trustedXForwardedFor": ["ABCDEF", "XYZ"], the request headers must contain either the ABCDEF or the XYZ key (either one is enough); the value does not matter. Generally a CDN lets you add request headers yourself, and Nginx certainly does. These are server-side secrets that the client cannot guess, which prevents the client from forging its IP.
For setups with a CDN, Nginx and direct connections all at once, it is recommended that Nginx pass the real IP to Xray-core via the PROXY protocol, rather than overwriting the CDN's XFF.
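The trust check the description outlines, as an added stand-alone example written for this page (it is not Xray-core's code and does not use its internals): ClientIP, xffTrusted, the sample trusted key names and the remote addresses are all assumptions made here. The trusted list is modelled exactly as described: empty means the old behaviour (X-Forwarded-For always honoured), otherwise X-Forwarded-For is honoured only when at least one listed header key is present, whatever its value. The choice of which X-Forwarded-For element to use is this example's own and is discussed below.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Illustrative inbound fragment in the shape the PR description gives
// (hypothetical values, not a verified Xray-core config):
//
//   "sockopt": { "trustedXForwardedFor": ["ABCDEF", "XYZ"] }
//
// Only an upstream that the server operator controls (CDN rule, Nginx
// proxy_set_header) knows to add ABCDEF or XYZ, so a client connecting
// directly cannot make its forged X-Forwarded-For count.

// xffTrusted reports whether X-Forwarded-For may be believed for this request.
// An empty trusted list reproduces the previous unconditional behaviour.
func xffTrusted(h http.Header, trusted []string) bool {
	if len(trusted) == 0 {
		return true
	}
	for _, key := range trusted {
		// Presence of the key is what matters; the value is ignored.
		if _, ok := h[http.CanonicalHeaderKey(key)]; ok {
			return true
		}
	}
	return false
}

// ClientIP returns the address to record as the request source.
// remoteAddr is the transport-layer peer ("host:port"); it is the fallback
// whenever X-Forwarded-For is absent, unparsable or not trusted.
func ClientIP(h http.Header, trusted []string, remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // already a bare IP
	}
	fallback := net.ParseIP(host)

	if !xffTrusted(h, trusted) {
		return fallback
	}
	xff := h.Get("X-Forwarded-For")
	if xff == "" {
		return fallback
	}
	// Proxies that append (e.g. Nginx's $proxy_add_x_forwarded_for) put the
	// address they actually saw on the right; anything the client sent itself
	// sits to the left. The rightmost entry is therefore the one vouched for
	// by the trusted upstream. Use the leftmost instead if your upstream
	// overwrites the header rather than appending to it.
	parts := strings.Split(xff, ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	if ip := net.ParseIP(last); ip != nil {
		return ip
	}
	return fallback
}

func main() {
	trusted := []string{"ABCDEF", "XYZ"}

	// Constructed sample: a direct client forging X-Forwarded-For.
	forged := http.Header{}
	forged.Set("X-Forwarded-For", "203.0.113.7")
	fmt.Println("direct, forged XFF  ->", ClientIP(forged, trusted, "198.51.100.2:443"))

	// Constructed sample: the same header arriving via an upstream that adds the secret key.
	viaProxy := http.Header{}
	viaProxy.Set("X-Forwarded-For", "203.0.113.7")
	viaProxy.Set("XYZ", "1")
	fmt.Println("via trusted upstream ->", ClientIP(viaProxy, trusted, "198.51.100.2:443"))

	// Constructed sample: legacy behaviour with no trusted keys configured.
	fmt.Println("no trusted list     ->", ClientIP(forged, nil, "198.51.100.2:443"))
}
```

With the trusted list set, the forged request resolves to the transport peer 198.51.100.2, the proxied one to 203.0.113.7, and with no list at all the forged value is honoured, which is the pre-fix behaviour the description describes. The rightmost-entry choice is deliberate: a secret header proves that a trusted hop handled the request, not that the whole X-Forwarded-For chain is clean, so the example takes only the element that hop is responsible for. For the mixed CDN + Nginx + direct deployment, the description's advice to carry the real IP over the PROXY protocol avoids this ambiguity entirely.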