Skip to content

Commit

Permalink
Add a description about IP address spoofing (#27)
Browse files Browse the repository at this point in the history
  • Loading branch information
@vividtone
vividtone authored Aug 3, 2020
1 parent cdf58b5 commit 88c08d4
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,19 @@ Access source IP address, which is operating the Redmine management screen, must
$ git clone https://www.github.com/redmica/redmine_ip_filter.git /path/to/redmine/plugins/redmine_ip_filter
```

#### Preventing IP address spoofing

An attacker may be able to bypass access control done by this plugin if the Redmine server directly accepts HTTP requests from clients without a reverse proxy server or a load balancer (see https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html for details).

To prevent such an attack, you have to drop `X-Forwarded-For` field from an HTTP request header if you don't use a reverse proxy server that adds `X-Forwarded-For` field.

It can be done by configuring the web server. For example, if you are using Apache, use the `RequestHeader` directive:

```
RequestHeader unset X-Forwarded-For
```


## Test

```
Expand Down

0 comments on commit 88c08d4

Please sign in to comment.