honour X-Forwarded-For header, and permissions on socket

Claudio Luck cluck at ethz.ch
Mon Mar 16 12:32:13 PDT 2015


It seems ocserv is considering connections over UNIX socket as coming 
from "localhost". This causes some erroneous decisions later in the 
code, as seen in the logs:

ocserv: added 1 points (total 1) for IP 'localhost' to ban list
ocserv: localhost error in getting TCP_MAXSEG: Operation not supported

I think ocserv should look for a 'X-Forwarded-For' header, and use the 
left-most IP address for routing decisions, and the right-most IP 
address as the client's original IP address.

This should be a configurable behavior that is off by default, as the 
header can be spoofed as long as the administrator does not take special 
precautions (i.e. protect ocserv from direct access).

Another issue with listen-clear-file is that the file-mode and 
permissions on the socket should be configurable. In my setup I see that 
both ocserv and haproxy strip their additional groups, making it 
impossible to tune group membership to solve this.


More information about the openconnect-devel mailing list