Hapi: How to handle x-forwarded-* headers from proxy?

Created on 26 Feb 2020  ·  4Comments  ·  Source: hapijs/hapi

Support plan

  • which support plan is this issue covered by? (e.g. Community, Core, Plus, or Enterprise): Community
  • is this issue currently blocking your project? (yes/no): yes
  • is this issue affecting a production system? (yes/no): yes

Context

  • node version: 12
  • module version: 19.0.5
  • environment (e.g. node, browser, native): node
  • used with (e.g. hapi application, another framework, standalone, ...): hapi app
  • any other relevant information:

How can we help?

request.info.remoteAddress isn't populated from the X-Forwarded-For header by default. How do we correctly set up hapi to support X-Forwarded-* headers?

support


All 4 comments

I don't think request.info.remoteAddress should be populated with X-Forwarded-For. The reason for this is:

  • request.info.remoteAddress has always been the underlying socket's remoteAddress
  • the X-Forwarded-For header is not an official standard; different proxies handle it differently
  • X-Forwarded-For is often not the right place to look for the true client IP
  • X-Forwarded-For is often not safe
  • the same Hapi project may be deployed in many different environments, with different topologies where the effective client IP should be determined differently.

That said, I think it would be helpful if Hapi provided a configurable and "blessed" info.clientAddress property (or any other name really). Many 3rd party plugins (like rate limiters) need to know the effective client IP and it's annoying to configure each of those plugins separately (oftentimes they don't even provide the necessary configuration options).

With the recent changes req.info is supposed to be read-only (all of the documented properties have only getters). People still find their way around it though and do things like this:

https://github.com/soxhub/hapi-forwarded-for/blob/dc5e499071ebc4efc0129f9330dd031ac1446b64/lib/index.js#L11

I think there's a need for a single, canonical way of retrieving effective client IP for plugin authors and Hapi should provide a configuration that would let people define how this effective client IP should be determined in their deployment.

It would be awesome to have some kind of request.info.clientAddress instead of a hack like https://github.com/soxhub/hapi-forwarded-for

The hapi-forwarded-for plugin shouldn't mess with hapi internals. Instead, it should decorate the request with a new property that contains the desired address. That said, this belongs in plugins, not the core framework.

I think there's a need for a single, canonical way of retrieving effective client IP for plugin authors and Hapi should provide a configuration that would let people define how this effective client IP should be determined in their deployment.
