[Security Risk] The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address.

[Tim-Schwalbe]

Can someone explain this to me?
When I start keycloak in kubernetes behind an NGINX with real IP enabled I get the following warning:

The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.

I set the logging to debug to have compliance for one of my clients with the event feature: DEBUG [org.keycloak.events]

Where is the the security risk here and can this even be set to be overwritten when I want this compliance feature?

[darius-m]

I think it simply implies that Keycloak may trust either of the headers and the reverse proxy must be sure to override all X-Forwarded-* headers and the Forwarded header before sending the request to the backend, to ensure that the headers are not forged by malicious clients. These headers are used to log (and possibly filter based on the) requests' IP addresses, and as such it may be an issue if they are spoofed.

Some of them are lists of IPs. By default, in the case of X-Forwarded-For, each reverse proxy will add an IP to the list (i.e., if you have two reverse proxies between the client and the backend, you will have the client's IP and the address of the first reverse proxy in the list). Because of this, if you know you only have a single reverse proxy in between clients and the backend, you may want to set proxy_set_header X-Forwarded-For $remote_addr; in the nginx configuration, since the default proxy_add_x_forwarded_for setting appends to the existing list, which may be spoofed. I may be slightly wrong about this detail, but that's what I understood from reading in the docs.

[Sieboldianus]

I added $remote_addr; to the nginx config and then used bin/kc.[sh|bat] start --proxy-headers forwarded, but I still see this in the keycloak logs:

The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.

[Tim-Schwalbe]

@Sieboldianus Can you show me the config? Did you set it in the values.yaml?

[Tim-Schwalbe]

I tried it like this and the warning still appears:

    nginx.ingress.kubernetes.io/configuration-snippet: |   
      proxy_set_header X-Forwarded-For $remote_addr;

[sschu]

@Sieboldianus If the warning still appears despite setting --proxy-headers forwarded, I assume this is a bug.

[Sieboldianus]

I will check again and report asap. I had to remove --proxy-headers forwarded as I noticed a bit later that some sites (account console) were not loading. So maybe this was just a caching situation and the parameter did not work properly. Thank you for looking into this & the inquiry!