Skip to content

Remove Cloudflare and X-Forwarded-* headers in piped-proxy #110

New issue
New issue
Open
Open
Remove Cloudflare and X-Forwarded-* headers in piped-proxy#110
@ornate-lemon-horse

Description

@ornate-lemon-horse
ornate-lemon-horse
opened on Oct 31, 2023

Currently, when set up using the AIO docker config, the CF-Connecting-IP and X-Forwarded-For headers are removed by both nginx [1] and Caddy [2] (I was unable to to determine if this is done for Kubernetes as well) for requests it sends to piped-proxy. However, this protection is incomplete:

  1. There is a list of additional CF-* headers as well as X-Forwarded-Proto, True-Client-IP and CDN-Loop in Cloudflare's documentation [3] that can identify the request as not coming directly from a client device.
  2. The default behavior for both Caddy [4] and nginx [5] is for all headers to be passed when proxying the request, with some exceptions, and the AIO docker config does not turn these off. (I am not familiar with Kubernetes so I can't tell if the provided config is doing the same)
  3. Caddy itself will set X-Forwarded-Proto and X-Forwarded-Host along with X-Forwarded-For when it proxies the request [4] unless those headers are manually removed.
  4. It doesn't appear like any configs are doing this currently, but the Forwarded header will contain the same information as the X-Forwarded-* ones if it is added by whatever load balancer/reverse proxy is in use.

Based on this, I'm thinking if it might be better to strip these headers in piped-proxy instead of relying on the Docker AIO config or custom load balancer solution to do it.

The current list at the time of this writing seems to be:

  • CF-Connecting-IP
  • CF-Connecting-IPv6
  • CF-EW-Via
  • CF-Pseudo-IPv4
  • True-Client-IP
  • CF-RAY
  • CF-IPCountry
  • CF-Visitor
  • CDN-Loop
  • CF-Worker
  • X-Forwarded-For
  • X-Forwarded-Proto
  • X-Forwarded-Host

[1] https://github.com/TeamPiped/Piped-Docker/blob/main/template/ytproxy.conf#L3
[2] https://github.com/TeamPiped/Piped-Docker/blob/main/template/Caddyfile#L41
[3] https://developers.cloudflare.com/fundamentals/reference/http-request-headers/
[4] https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults
[5] https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_request_headers and note the default setting is on

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions