Remove the new trustedproxy logic from client ip parsing #2809

Open
montanaflynn opened this issue Aug 4, 2021 · 15 comments

@montanaflynn

Description

We really need a way to disable this and go back to the original logic of trusting proxies. My stuff is behind CloudFront, I trust their proxies but don't have a list of all the IP addresses. Now I don't get the real client IPs. This broke a lot of our downstream logs and analytics.

How about a simple bool to go back to original logic?

DisableTrustedProxyChecking: false

Related: #2697 #2723 #2791

@zihengCat
Contributor

zihengCat commented Aug 12, 2021

@montanaflynn
Just set TrustedProxies to nil using the new SetTrustedProxies API in Gin version 1.7.3 :)

engine.SetTrustedProxies(nil)

@montanaflynn
Author

That method doesn't exist in Gin 1.7.3 version.

@zihengCat
Contributor

Oh, Gin 1.7.3 doesn't bundle the latest master code.

@zihengCat
Contributor

Set TrustedProxies to nil manually before running the application.

engine := gin.Default()
engine.TrustedProxies = nil
// ...
engine.Run(":8080")

@montanaflynn
Author

I'm not using engine.Run so that won't work either.

Here's an example, this is very common, please also see #2697

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.New()
	fmt.Println(gin.Version)

	server := &http.Server{
		Addr:    ":8080",
		Handler: router,
	}

	router.GET("/", func(c *gin.Context) {
		c.String(200, c.ClientIP())
	})

	err := server.ListenAndServe()
	if err != nil {
		log.Fatal(err)
	}
}

@duaneking

IMHO the TrustedProxy logic should honestly be turned off by default; there is not a good reason I can think of - feel free to provide your own and explain it to change my mind if you like - to turn it on by default in an unconfigured and non-functional state, and the speed difference after turning it off is noticeable enough in my tests that turning it off looks like something that can actually save you money on FaaS environment deploys.

@sekoyo

sekoyo commented Mar 3, 2023

This isn't a great experience, as the warning happens from the demo code in the README and the link in the warning redirects to the README without any specific info.

[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /ping                     --> main.main.func1 (3 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.

@koalazub

Hey, I wanted to know if there's been an update on this as of late?

I'm aware of how to disable when using Run(), but is there a way outside of this solution?

@swarajkumarsingh

The perfect solution 💕

Issue: Gin by default does not allow all requests to access the server for security reasons

Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.

To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router.

Solution in code:

r := gin.Default()
r.ForwardedByClientIP = true
r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})

In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.

Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.
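
An added example, not part of the thread and not Gin's own code: a stdlib-only sketch of right-to-left X-Forwarded-For resolution against a trusted-proxy list, the kind of check the TrustedProxies setting discussed here controls. The helper names `trustedSet` and `clientIP` and all addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// trustedSet returns a predicate over the given CIDRs (constructed sample ranges).
func trustedSet(cidrs ...string) func(net.IP) bool {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return func(ip net.IP) bool {
		for _, n := range nets {
			if n.Contains(ip) {
				return true
			}
		}
		return false
	}
}

// clientIP is a hypothetical helper: it walks X-Forwarded-For (xff) right to left.
func clientIP(remoteAddr, xff string, trusted func(net.IP) bool) string {
	host, _, _ := net.SplitHostPort(remoteAddr)
	if peer := net.ParseIP(host); peer == nil || !trusted(peer) {
		return host // peer is not a trusted proxy: ignore the header
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed hop: fall back to the peer address
		}
		if i == 0 || !trusted(ip) {
			return ip.String() // first hop no trusted proxy vouches for
		}
	}
	return host
}

func main() {
	fmt.Println(clientIP("10.1.2.3:4444", "1.2.3.4, 203.0.113.7", trustedSet("10.0.0.0/8"))) // 203.0.113.7
}
```

With `trustedSet("0.0.0.0/0")` the same request resolves to `1.2.3.4`, the leftmost entry, which is whatever the client wrote into the header; with an empty set the header is ignored and the proxy's own address `10.1.2.3` is returned.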

@uranderu

I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.

@duaneking

duaneking commented Oct 12, 2023

As somebody with professional experience in cyber security, I can totally understand the desire to be able to limit to a closed set of trusted IP ranges.

The problem here is that this "feature" makes security actively worse, while it creates additional costs for the business.

Setting nil to turn it off should be the default. Then, when people are doing deployment, they can enable it as they need to.

The fact that a system can run without this feature turned on perfectly fine, faster, in a fully secure way, shows that this feature is simply dead code bloat for most people.

I think what's really happening here is that this feature was added because of a social situation, not because of an engineering requirement; I would like to formally request that this feature be turned off by default, simply because it's hosting specific, and I feel it's unfair for everybody not using those hosting platforms that require this for it to be enabled by default as I would consider it to be a bug.

@swarajkumarsingh

Yeah, I understand the point, but the solution is just to remove the DEBUG print by Gin. Of course, you can set it to 0.0.0.0 for public access and alter it in nginx ... or whatever service/tech stack you are using. 😉

@uranderu

uranderu commented Oct 12, 2023 via email

@twocs

twocs commented Oct 18, 2023

The link is now broken, i.e. there's no readme info corresponding to:
https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies

@Leinadium

Leinadium commented Oct 19, 2023

It was apparently moved from the readme.md file to a docs/doc.md file in #3449.
