[Question] Trusted hosts without trusted proxies is useless? #54
Comments
@dionysiosarvanitis, can you provide an example of why your application uses The only way host injection would happen in such a scenario is if you have a wildcard server name configured on your web server?
The way I see it, there are 2 possible ways for host injection to happen:
This comment here also explains this in detail. Do you agree?
I'm closing this issue as it does not seem to be a bug. Rather, I've documented a warning in the docs to warn against setting up wildcard server names. If you have any further questions, feel free to bump this thread.
Taken from the Apache documentation: "The first name-based vhost in the configuration file for a given IP:port pair is significant because it is used for all requests received on that address and port for which no other vhost for that IP:port pair has a matching ServerName or ServerAlias." So the first vhost definition may be vulnerable to host spoofing.
Ahh, I see. I am not familiar with Apache. I am reopening this issue to investigate this further. Thanks for reporting this @dionysiosarvanitis.
This is now fixed and clarified in the docs enlightn/enlightn-docs#18 here with guidance on how to set up a secure web server (both Nginx and Apache).
In my case, where I've already set a catch-all virtual host, you're probably right when you say that is redundant. But you may consider others that don't have access to the server's configuration and use code or Thanks a lot anyway! You've done a really good job. I use your package in my GitLab pipeline 👍
Yes @dionysiosarvanitis, we've actually improved the Wow, that's a cool pipeline! 😲
Yeah, since this is a rare case, I made a note of this in the unused middleware analyzer docs and kept the check as is.
Versions
Description
Getting error "Your application contains global middleware that is not currently being used. [...] Your unused middleware include: [TrustHosts]".
Test assumes that you should not use TrustHosts without also using TrustedProxy. TrustHosts middleware calls the Request::setTrustedHosts. By looking into Symfony's Request class documentation I understand that it is related with Host header and not with X-Forwarded-Host header mentioned in the enlightn docs.
Expected behavior:
Test to pass
Actual behavior:
Test fails
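The distinction drawn in the issue body, modelled as an added Python example (this is not code from enlightn, Laravel or Symfony, and it only approximates their behaviour): a trusted-proxy rule decides whether X-Forwarded-Host may replace Host, while a trusted-host rule validates whatever host the application ends up using. The host patterns, the proxy range, the sample requests and the function names are assumptions made for this example.

```python
"""Added illustration (not enlightn's, Laravel's or Symfony's code) of why a
trusted-host check on the Host header is still useful without trusted
proxies: the two rules act on different inputs and are independent."""
import re
from ipaddress import ip_address, ip_network

# Assumption: the application is served for example.com and its subdomains.
TRUSTED_HOST_PATTERNS = [r"^(.+\.)?example\.com$"]
# Assumption: only a reverse proxy inside 10.0.0.0/8 may set forwarded headers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


class SuspiciousHost(Exception):
    """Raised when the request host fails validation (the app should answer 400)."""


def effective_host(headers, remote_addr, trust_proxies):
    """Return the host the application will act on.

    X-Forwarded-Host is honoured only when proxy trust is enabled AND the
    connection really comes from a trusted proxy; otherwise Host is used.
    """
    host = headers.get("Host", "")
    if trust_proxies and any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("X-Forwarded-Host")
        if forwarded:
            host = forwarded.split(",")[0].strip()  # first listed host wins
    return host


def validated_host(headers, remote_addr, trust_proxies=False, trust_hosts=False):
    """Resolve the host and, when the trusted-host check is on, enforce it.

    The check does not depend on proxy handling: with trust_proxies=False it
    still guards the raw Host header, which is the case this issue is about
    (a web server whose first/default vhost accepts any Host value).
    """
    host = effective_host(headers, remote_addr, trust_proxies).strip().lower()
    hostname = re.sub(r":\d+$", "", host)  # drop an explicit port before matching
    if not re.fullmatch(r"[a-z0-9.\-]+", hostname or ""):
        raise SuspiciousHost(f"malformed host {host!r}")
    if trust_hosts and not any(re.search(p, hostname) for p in TRUSTED_HOST_PATTERNS):
        raise SuspiciousHost(f"untrusted host {host!r}")
    return hostname


def outcome(*args, **kwargs):
    """Return the resolved host, or 'rejected' if validation failed."""
    try:
        return validated_host(*args, **kwargs)
    except SuspiciousHost:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = {
        "direct, genuine Host": ({"Host": "app.example.com"}, "203.0.113.5"),
        "direct, spoofed Host": ({"Host": "evil.example"}, "203.0.113.5"),
        "via trusted proxy, forwarded": (
            {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"}, "10.1.2.3"),
        "forwarded header from untrusted IP": (
            {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"}, "203.0.113.9"),
    }
    for label, (hdrs, addr) in samples.items():
        for tp in (False, True):
            for th in (False, True):
                print(f"{label:36} trust_proxies={tp!s:5} trust_hosts={th!s:5} -> "
                      f"{outcome(hdrs, addr, trust_proxies=tp, trust_hosts=th)}")
```

Run as a script it prints a small matrix; the row "direct, spoofed Host" with trust_proxies=False is the one the issue argues about: only trust_hosts=True rejects it, so the Host check has value even when no X-Forwarded-Host handling is configured. The "via trusted proxy" row shows the other direction: once forwarded headers are trusted, the host check is applied to the forwarded value, not to the original Host.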