honour X-Forwarded-For header, and permissions on socket
Claudio Luck
cluck at ethz.ch
Mon Mar 16 12:32:13 PDT 2015
Hi,
It seems ocserv is considering connections over UNIX socket as coming
from "localhost". This causes some erroneous decisions later in the
code, as seen in the logs:
...
ocserv: added 1 points (total 1) for IP 'localhost' to ban list
ocserv: localhost error in getting TCP_MAXSEG: Operation not supported
...
I think ocserv should look for a 'X-Forwarded-For' header, and use the
left-most IP address for routing decisions, and the right-most IP
address as the client's original IP address.
This should be a configurable behavior that is off by default, as the
header can be spoofed as long as the administrator does not take special
precautions (i.e. protect ocserv from direct access).
Another issue with listen-clear-file is that the file-mode and
permissions on the socket should be configurable. In my setup I see that
both ocserv and haproxy strip their additional groups, making it
impossible to tune group membership to solve this.
Regards,
Claudio
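An added example (not ocserv's or haproxy's code, and not from the post) of the trust check the spoofing caveat above calls for: the header is ignored unless the feature is enabled and the TCP peer is a configured reverse proxy (a UNIX-socket peer, represented as None, is treated as local and trusted), and the client address is found by walking the list from the right past the proxies the administrator controls, so entries a client prepends itself never count. The proxy addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values: addresses of the reverse proxies the
# administrator controls (e.g. a local haproxy). Not from the post.
TRUSTED_PROXIES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("10.0.0.5"),
}


def client_ip_from_xff(peer_ip, xff_header, trusted_proxies, enabled=False):
    """Return the address to log or ban as the client's original IP.

    peer_ip:     TCP peer address as a string, or None for a UNIX-socket
                 peer, which only a local process can reach.
    xff_header:  raw X-Forwarded-For value, or None if absent.
    enabled:     off by default, as the post proposes.
    """
    # Feature disabled: the header is never consulted; the peer is the client.
    if not enabled:
        return peer_ip
    # Only a trusted proxy may vouch for a forwarded chain. A client that
    # connects directly and sends its own X-Forwarded-For is ignored.
    if peer_ip is not None and ipaddress.ip_address(peer_ip) not in trusted_proxies:
        return peer_ip
    if not xff_header:
        return peer_ip
    hops = []
    for item in xff_header.split(","):
        try:
            hops.append(ipaddress.ip_address(item.strip()))
        except ValueError:
            # Malformed entry: distrust the whole header rather than guess.
            return peer_ip
    # Walk from the right, skipping proxies we control. The first address
    # that none of our proxies inserted is the one to act on; anything a
    # client prepended to the left of it is not trusted.
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return str(hop)
    # The chain holds only our own proxies: fall back to the peer.
    return peer_ip
```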