[Question] Trusted hosts without trusted proxies is useless? #54

Closed
dionysiosarvanitis opened this issue Mar 5, 2021 · 9 comments
Labels
bug (Something isn't working), documentation (Improvements or additions to documentation)

@dionysiosarvanitis

Versions

  • PHP version: 8
  • Laravel version: 8
  • Enlightn version: latest

Description

Getting error "Your application contains global middleware that is not currently being used. [...] Your unused middleware include: [TrustHosts]".

The test assumes that you should not use TrustHosts without also using TrustedProxy. The TrustHosts middleware calls Request::setTrustedHosts. By looking into Symfony's Request class documentation, I understand that it is related to the Host header and not to the X-Forwarded-Host header mentioned in the Enlightn docs.

Expected behavior:

Test to pass

Actual behavior:

Test fails

@paras-malhotra
Member

@dionysiosarvanitis, can you provide an example of why your application uses TrustedHosts without TrustedProxies? I'm assuming it's not behind a load balancer or reverse proxy.

The only way host injection would happen in such a scenario is if you have a wildcard server name configured on your web server?

@paras-malhotra added the "needs more info" (Further information is requested) label Mar 5, 2021
@paras-malhotra
Member

The way I see it, there are 2 possible ways for host injection to happen:

  1. You have TrustProxies set up and the X-Forwarded-Host header is set to be a "trusted" header. This is the primary risk because even if you have a secure web server setup (non-wildcard server name), host injection can still happen through the X-Forwarded-Host header if TrustHosts is not set up.
  2. You don't have TrustProxies set up but you have a wildcard server name. This is the only way host injection can happen in this scenario. But it begs the question, why do you have a wildcard server name? With a secure web server setup, you don't really need the TrustHosts middleware.

This comment here also explains this in detail.

Do you agree?

@paras-malhotra
Member

I'm closing this issue as it does not seem to be a bug. Rather, I've documented a warning in the docs to warn against setting up wildcard server names.

If you have any further questions, feel free to bump this thread.

@paras-malhotra added the "question" label and removed the "needs more info" label Mar 6, 2021
@paras-malhotra changed the title from "[Bug Report] Trusted hosts without trusted proxies is useless?" to "[Question] Trusted hosts without trusted proxies is useless?" Mar 6, 2021
@dionysiosarvanitis
Author

Taken from the Apache documentation:

"The first name-based vhost in the configuration file for a given IP:port pair is significant because it is used for all requests received on that address and port for which no other vhost for that IP:port pair has a matching ServerName or ServerAlias."

So the first vhost definition may become vulnerable to host spoofing.
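
Added example, not part of the original thread and not Enlightn, Laravel, Symfony or Apache code: a simplified PHP model of the two host-injection paths listed earlier in the thread and of the Apache first-vhost fallback quoted in the comment above. The function names, vhost ids and host names are hypothetical, and the trusted-proxy check is reduced to a boolean.

```php
<?php
// Simplified model for illustration; all vhost ids and host names are constructed.

/** Apache name-based selection: the first vhost is the fallback when no name matches. */
function selectVhost(array $vhosts, string $hostHeader): string
{
    foreach ($vhosts as $id => $names) {
        if (in_array(strtolower($hostHeader), $names, true)) {
            return $id;
        }
    }
    return array_key_first($vhosts);
}

/** Host value the application ends up using, or null when TrustHosts refuses it. */
function resolveHost(array $headers, bool $trustForwardedHost, array $trustedPatterns): ?string
{
    $useForwarded = $trustForwardedHost && isset($headers['X-Forwarded-Host']);
    $host = $useForwarded ? $headers['X-Forwarded-Host'] : $headers['Host'];
    if ($trustedPatterns === []) {
        return $host; // no TrustHosts configured: any value is accepted
    }
    foreach ($trustedPatterns as $pattern) {
        if (preg_match($pattern, $host) === 1) {
            return $host;
        }
    }
    return null;
}

$appFirst      = ['app' => ['app.example.com']];                  // app vhost defined first
$catchAllFirst = ['default' => [], 'app' => ['app.example.com']]; // catch-all defined first
$patterns      = ['/^app\.example\.com$/i'];
$direct        = ['Host' => 'spoofed.example'];
$viaProxy      = ['Host' => 'app.example.com', 'X-Forwarded-Host' => 'spoofed.example'];

// label => [vhost list, headers, X-Forwarded-Host trusted?, TrustHosts patterns]
$cases = [
    'no proxy, app vhost first, no TrustHosts' => [$appFirst, $direct, false, []],
    'no proxy, app vhost first, TrustHosts'    => [$appFirst, $direct, false, $patterns],
    'no proxy, catch-all vhost first'          => [$catchAllFirst, $direct, false, []],
    'trusted X-Forwarded-Host, no TrustHosts'  => [$catchAllFirst, $viaProxy, true, []],
    'trusted X-Forwarded-Host, TrustHosts'     => [$catchAllFirst, $viaProxy, true, $patterns],
];
foreach ($cases as $label => [$vhosts, $headers, $trustXfh, $trusted]) {
    $vhost = selectVhost($vhosts, $headers['Host']);
    $host  = $vhost === 'app' ? (resolveHost($headers, $trustXfh, $trusted) ?? 'refused') : 'not reached';
    printf("%-42s vhost=%-8s app host=%s\n", $label, $vhost, $host);
}
```

Each output row shows which vhost served the request and which host value, if any, the application would go on to use.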

@paras-malhotra
Member

Ahh, I see. I am not familiar with Apache. I am reopening this issue to investigate this further. Thanks for reporting this @dionysiosarvanitis.

@paras-malhotra reopened this Mar 6, 2021
@paras-malhotra added the "bug" and "documentation" labels and removed the "question" label Mar 6, 2021
@paras-malhotra
Member

paras-malhotra commented Mar 6, 2021

This is now fixed and clarified in the docs (enlightn/enlightn-docs#18) with guidance on how to set up a secure web server (both Nginx and Apache). TrustHosts should still not be needed if TrustProxies is not used in the application.

@dionysiosarvanitis
Author

In my case, where I've already set a catch-all virtual host, you're probably right when you say that it is redundant. But you may consider others that don't have access to the server's configuration and use code or .htaccess to secure their app.

Thanks a lot anyway! You've done a really good job. I use your package in my GitLab pipeline 👍

@paras-malhotra
Member

Yes @dionysiosarvanitis, we've actually improved the HostInjectionAnalyzer thanks to you! 👍 Just released a new version of Enlightn Pro with the improvement. It now checks for both Host header injection and X-Forwarded-Host!

Wow, that's a cool pipeline! 😲

@paras-malhotra
Member

> But you may consider others that don't have access to the server's configuration and use code or .htaccess to secure their app.

Yeah, since this is a rare case, I made a note of this in the unused middleware analyzer docs and kept the check as is.
