request.info.remoteAddress wasn't populated from header X-Forwarded-For by default. How to correctly set up hapi to support X-Forwarded-* headers?
I don't think request.info.remoteAddress should be populated with X-Forwarded-For. The reason for this is:
- request.info.remoteAddress has always been underlying socket's remoteAddress
- X-Forwarded-For header is not an official standard, different proxies handle it differently
- X-Forwarded-For is often not the right place to look for true client IP
- X-Forwarded-For is often not safe

That said, I think it would be helpful if Hapi provided configurable and "blessed" info.clientAddress property (or any other name really). Many 3rd party plugins (like rate limiters) need to know effective client IP and it's annoying to configure each of those plugins separately (oftentimes they don't even provide necessary configuration options).
With the recent changes req.info is supposed to be read-only (all of the documented properties have only getters). People still find their way around it though and do things like that: https://github.com/soxhub/hapi-forwarded-for/blob/dc5e499071ebc4efc0129f9330dd031ac1446b64/lib/index.js#L11
I think there's a need for a single, canonical way of retrieving effective client IP for plugin authors and Hapi should provide a configuration that would let people define how this effective client IP should be determined in their deployment.
It would be awesome to have some kind of request.info.clientAddress instead of a hack like in https://github.com/soxhub/hapi-forwarded-for
The hapi-forwarded-for plugin shouldn't mess with hapi internals. Instead, it should decorate the request with a new property that contains the desired address. That said, this belongs in plugins, not the core framework.
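One way to implement the decoration approach discussed in this thread, as an added example that is not code from the thread, from hapi, or from hapi-forwarded-for. The names resolveClientAddress, clientAddressPlugin, the trustedProxies option and the request.clientAddress property are assumptions, and trusted proxies are matched as exact addresses only (no CIDR ranges).

```javascript
// Hypothetical helper: choose the effective client IP from the socket address
// and X-Forwarded-For, trusting only proxies the operator has listed.
function resolveClientAddress(remoteAddress, xffHeader, trustedProxies) {
    const trusted = new Set(trustedProxies.map(normalize));
    const peer = normalize(remoteAddress);

    // If the direct peer is not one of our proxies, the header is
    // client-controlled and is ignored entirely.
    if (!trusted.has(peer) || !xffHeader) {
        return peer;
    }

    // Each proxy appends the address it saw, so walk right to left and stop
    // at the first hop that is not a trusted proxy. Anything further left
    // could have been supplied by the client.
    const hops = String(xffHeader).split(',').map(normalize).filter(Boolean);
    for (let i = hops.length - 1; i >= 0; --i) {
        if (!trusted.has(hops[i])) {
            return hops[i];
        }
    }

    // Every hop was a trusted proxy: fall back to the start of the chain.
    return hops.length ? hops[0] : peer;
}

// Trim, lowercase and strip the IPv4-mapped IPv6 prefix so that
// "::ffff:10.0.0.1" and "10.0.0.1" compare equal.
function normalize(address) {
    return String(address || '').trim().toLowerCase().replace(/^::ffff:/, '');
}

// hapi plugin (name and options are assumptions) that exposes the result as
// request.clientAddress and leaves request.info.remoteAddress untouched.
const clientAddressPlugin = {
    name: 'client-address',
    register(server, options) {
        const trustedProxies = options.trustedProxies || [];
        // With { apply: true } hapi calls the function once per request and
        // assigns the returned value as the decoration.
        server.decorate('request', 'clientAddress', (request) => {
            return resolveClientAddress(
                request.info.remoteAddress,
                request.headers['x-forwarded-for'],
                trustedProxies
            );
        }, { apply: true });
    }
};
```

Other plugins, such as rate limiters, can then read request.clientAddress, while request.info.remoteAddress keeps reporting the socket peer.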