Describe the bug

Hi,

During proxy-based authentication, the IP address contained in remoteIpHeader does not seem to be verified against the list of internalProxies. A user can set any IP address and the request is authorized.
From my understanding, only addresses in the internalProxies list should be accepted.
It verifies the presence of remoteIpHeader and the IP address format, but not the address value.
Thanks for your feedback
Related component
Clients
To Reproduce
config.yml:

```yaml
---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      xff:
        enabled: true
        internalProxies: '192\.168\.176\.40' # regex pattern
        remoteIpHeader: 'x-forwarded-for-dashboards'
    authc:
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
```
Expected behavior

Opensearch should not authorize the request if the remoteIpHeader value does not match the internalProxies list.
Additional Details
Host/Environment:
OS: Debian 11
Version: Opensearch Dashboards 2.14, Opensearch 2.14
simonelbaz added the labels bug (Something isn't working) and untriaged (Require the attention of the repository maintainers and may need to be prioritized) on Jun 7, 2024
```java
// originalRemoteAddr need to be in the list of internalProxies
```
The XFF header comes into the picture in the Backend Registry here. The XFFResolver is responsible for getting the original IP Address of the request. For non-proxied requests that's the IP address of the web request, but for proxied requests it extracts that through the XFF header.
In your example, where are you sending the request from?
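To make the resolution step described above concrete, here is an added Python model (not the plugin's own code, and not the reporter's reproduction) of the Tomcat-style remote-IP-valve logic that the XFFResolver applies, using the internalProxies pattern, remoteIpHeader and user_header from the config.yml posted in this issue. The `peer_addr` argument stands for the address of the TCP connection as the node sees it; the `headers` dict is what the client sent. `Resolution`, `resolve_remote_ip` and `proxy_authenticate` are illustrative names, not plugin APIs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Values taken from the config.yml in this issue.
INTERNAL_PROXIES = re.compile(r'192\.168\.176\.40')  # regex, matched in full
REMOTE_IP_HEADER = 'x-forwarded-for-dashboards'
USER_HEADER = 'x-proxy-user'


@dataclass
class Resolution:
    """Illustrative result type (not a plugin class)."""
    remote_ip: str   # address the node will treat as the client
    xff_done: bool   # True only if the header was honoured, i.e. the
                     # socket peer matched internalProxies


def resolve_remote_ip(peer_addr: str, headers: Dict[str, str],
                      internal_proxies: re.Pattern = INTERNAL_PROXIES,
                      remote_ip_header: str = REMOTE_IP_HEADER) -> Resolution:
    """Model of the remote-IP-valve logic.

    peer_addr: address of the TCP connection as seen by the node. The client
               cannot choose this; it is what internalProxies is matched against.
    headers:   lower-cased request header names -> values, as sent by the client.
    """
    header_value = headers.get(remote_ip_header)
    # Header absent, or the socket peer is not an internal proxy: the header
    # is ignored entirely and the peer is the remote IP. This is the
    # "originalRemoteAddr need to be in the list of internalProxies" check.
    if header_value is None or not internal_proxies.fullmatch(peer_addr):
        return Resolution(remote_ip=peer_addr, xff_done=False)

    # The peer is a trusted internal proxy, so the header is honoured.
    hops = [h.strip() for h in header_value.split(',') if h.strip()]
    for hop in hops:
        ipaddress.ip_address(hop)  # format check: raises ValueError if malformed

    # Walk the chain right to left, skipping hops that are themselves
    # internal proxies; the first other hop is the original client.
    for hop in reversed(hops):
        if not internal_proxies.fullmatch(hop):
            return Resolution(remote_ip=hop, xff_done=True)
    # Every hop was an internal proxy: fall back to the peer address.
    return Resolution(remote_ip=peer_addr, xff_done=True)


def proxy_authenticate(peer_addr: str, headers: Dict[str, str],
                       user_header: str = USER_HEADER) -> Optional[str]:
    """Model of the proxy auth domain's gate: the user header is only
    believed for a request whose XFF resolution succeeded."""
    res = resolve_remote_ip(peer_addr, headers)
    if not res.xff_done:
        return None                   # proxy auth domain declines the request
    return headers.get(user_header)   # proxy-supplied identity accepted
```

Running this with the issue's values shows the two cases the maintainer's question distinguishes: a request arriving from any peer other than 192.168.176.40 has its x-forwarded-for-dashboards header ignored and the proxy auth domain never sees a user, whatever the header contains; a request arriving from 192.168.176.40 itself has any syntactically valid header value accepted as the client address, because that host is the one the configuration declares trustworthy to set it.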