authelia/docs/content/en/integration/proxies/fowarded-headers/index.md

93 lines
4.9 KiB
Markdown
Raw Normal View History

---
title: "Forwarded Headers"
description: "An introduction into the importance of forwarded headers coming from trusted sources"
lead: "An introduction into the importance of forwarded headers coming from trusted sources."
2022-06-28 05:27:14 +00:00
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
integration:
parent: "proxies"
weight: 312
toc: true
---
The`X-Forwarded-*` headers presented to __Authelia__ must be from trusted sources. As such you must ensure that the
reverse proxies and load balancers utilized with __Authelia__ are configured to remove and replace specific headers when
they come directly from clients and not from proxies in your trusted environment.
Some proxies require users explicitly configure the proxy to trust another proxy, however some implicitly trust all
headers regardless of the source so you will have to manually configure them.
## Network Rules
In particular this is important for [Access Control Rules](../../../configuration/security/access-control.md#rules) as
the [network criteria](../../../configuration/security/access-control.md#networks) relies on the [X-Forwarded-For]
header. This header is expected to have a true representation of the client's actual IP address.
If this is not removed from non-trusted proxies a user could theoretically hijack any rule that contains this criteria
to potentially skip an authentication criteria depending on how it is configured.
## Cloud Proxies
In addition to configuring your own proxies to remove this header from untrusted sources, when using a cloud proxy like
[Cloudflare](#cloudflare) you must ensure they do this or you configure a rule to do it. We aim to have documentation
in this section for cloud proxies that do this, but you should test this yourself and check the documentation for the
cloud proxy.
In addition to this it's important if you wish to preserve the clients actual IP address that you trust the IP addresses
of the cloud proxy in your on-premise proxies. If you don't do this most if not all proxies configured as per our guides
will remove the header and everyone external will appear to come from a proxies source IP address rather than their real
IP address in both logging and access control.
These same rules apply to any off-site hosted proxy or load balancing solution that alters the source IP address.
### Cloudflare
[Cloudflare] adds the [X-Forwarded-For] header if it does not exist, and if it does exist it will just append another IP
to it. This means a client can forge their remote IP address with the most widely accepted remote IP header out of the
box.
It is therefore important you configure [Cloudflare] to remove this IP address. *__Please Note:__ This is by no means an
exhaustive guide on using [Cloudflare] transform rules, however it's enough to configure a couple rules which should
achieve a secure result. Please see the [Cloudflare] documentation on
[transform rules](https://developers.cloudflare.com/rules/transform/) for more information._
refactor: merge master and fix missing rebinds (#4404) * build(deps): update module github.com/jackc/pgx/v5 to v5.1.0 (#4365) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * docs: add smkent as a contributor for code, design, and ideas (#4367) * update README.md * update .all-contributorsrc Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. * refactor(cmd): restrict bootstrap pnpm tasks to dev environment (#4370) * build(deps): update alpine docker tag to v3.16.3 (#4362) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/x to v0.0.514 (#4368) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * refactor: sql formatting (#4371) * refactor: sql spacing * refactor editor config * docs: clarify cloudflare docs (#4373) * build(deps): update dependency @types/react-dom to v18.0.9 (#4379) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update typescript-eslint monorepo to v5.43.0 (#4380) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency @types/jest to v29.2.3 (#4381) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency esbuild to v0.15.14 (#4383) * build(deps): update material-ui monorepo to v5.10.14 (#4385) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency vite to v3.2.4 (#4386) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update font awesome to v6.2.1 (#4389) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency typescript to v4.9.3 (#4390) * docs: adjust issue templates (#4391) * docs: adjust issue templates * docs: adjust wording * build(deps): update dependency jest-watch-typeahead to v2.2.1 (#4392) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency i18next to v22.0.6 (#4395) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update github.com/duosecurity/duo_api_golang digest to 091daa0 (#4396) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update traefik docker tag to v2.9.5 (#4398) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/jackc/pgx/v5 to v5.1.1 (#4400) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update mariadb docker tag to v10.10.2 (#4399) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint-plugin-react to v7.31.11 (#4401) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint to v8.28.0 (#4402) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(storage): schema inconsistency (#4262) * fix: missing pg rebinds * fix: refactoring issues * fix: refactoring issues Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-11-19 06:42:03 +00:00
#### Steps
1. Click `Rules`.
2. Click `Transform Rules`.
3. Click `Create transform rules`.
4. Click `Modify Request Header`.
5. Set the `Rule name` to something appropriate like `Remove X-Forwarded-For Header`.
6. Set the `Field` option in the `When incoming requests match` section to an appropriate value (see criteria table
below).
7. Set the `Operator` option in the `When incoming requests match` section to an appropriate value (see criteria table
below).
8. Set the `Value` option in the `When incoming requests match` section to an appropriate value (see criteria table
below).
9. Set the `Then` section dropdown to `Remove`.
10. Set the `Then` section `Header name` to `X-Forwarded-For`.
11. Click `Save`.
{{< figure src="cloudflare_1.png" alt="Steps 1 to 4" width="736" >}}
{{< figure src="cloudflare_2.png" alt="Steps 5 to 11" width="736" >}}
refactor: merge master and fix missing rebinds (#4404) * build(deps): update module github.com/jackc/pgx/v5 to v5.1.0 (#4365) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * docs: add smkent as a contributor for code, design, and ideas (#4367) * update README.md * update .all-contributorsrc Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. * refactor(cmd): restrict bootstrap pnpm tasks to dev environment (#4370) * build(deps): update alpine docker tag to v3.16.3 (#4362) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/x to v0.0.514 (#4368) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * refactor: sql formatting (#4371) * refactor: sql spacing * refactor editor config * docs: clarify cloudflare docs (#4373) * build(deps): update dependency @types/react-dom to v18.0.9 (#4379) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update typescript-eslint monorepo to v5.43.0 (#4380) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency @types/jest to v29.2.3 (#4381) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency esbuild to v0.15.14 (#4383) * build(deps): update material-ui monorepo to v5.10.14 (#4385) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency vite to v3.2.4 (#4386) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update font awesome to v6.2.1 (#4389) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency typescript to v4.9.3 (#4390) * docs: adjust issue templates (#4391) * docs: adjust issue templates * docs: adjust wording * build(deps): update dependency jest-watch-typeahead to v2.2.1 (#4392) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency i18next to v22.0.6 (#4395) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update github.com/duosecurity/duo_api_golang digest to 091daa0 (#4396) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update traefik docker tag to v2.9.5 (#4398) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/jackc/pgx/v5 to v5.1.1 (#4400) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update mariadb docker tag to v10.10.2 (#4399) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint-plugin-react to v7.31.11 (#4401) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint to v8.28.0 (#4402) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(storage): schema inconsistency (#4262) * fix: missing pg rebinds * fix: refactoring issues * fix: refactoring issues Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-11-19 06:42:03 +00:00
#### Criteria
This table describes the criteria needed to achieve a desired result. Only one of these options should be chosen. You
Should look at the desired result column and apply the appropriate field, operator, and value to [step](#steps) 8.
Generally speaking the `Always Remove` option is the correct option.
| Desired Result | Field | Operator | Value |
|:-----------------------------------:|:-----------------:|:--------------:|:----------------------------------:|
| Always Remove | X-Forwarded-For | does not equal | *blank* |
| Remove When Not From Trusted Source | IP Source Address | is not in | *list of trusted source addresses* |
Cloudflare publishes its IP address ranges publicly at the easy to remember address
[https://www.cloudflare.com/ips/](https://www.cloudflare.com/ips/). You should use this with the trusted proxies section
of your relevant proxy to ensure it's trusted if you intend to use Cloudflare.
[X-Forwarded-For]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
[Cloudflare]: https://www.cloudflare.com