With some other Dockerized services I've worked with that are behind a reverse proxy (uvicorn behind caddy for example) there is an option to restrict what connections are trusted to take the X-Real-IP header from. E.g. https://www.uvicorn.org/settings/#http
While in a reverse-proxy + Docker setup there isn't really a risk due to the container network isolation, other setups might be vulnerable to spoofed X-Real-IP headers bypassing rate limiting/fail2ban blocking.
I think this could be a worthwhile security improvement.
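Added example, not part of the original post or of the project's code: a minimal sketch of the trusted-proxy check the request describes, where X-Real-IP is honoured only when the directly connected peer is in an allow-list. The names `TRUSTED_PROXIES` and `client_ip`, the CIDR ranges, and the lowercase-keyed header dict are assumptions made for illustration.

```python
import ipaddress

# Assumption: only these peers (the reverse proxy itself) may set X-Real-IP.
# The ranges are constructed sample values; use your proxy's real addresses.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "172.18.0.0/16")]


def normalize(ip):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener cannot sidestep an IPv4 allow-list or ban list."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return getattr(addr, "ipv4_mapped", None) or addr


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address that rate limiting and fail2ban logging should use.

    peer_ip -- address of the TCP peer (cannot be set by a request header)
    headers -- dict of request headers with lowercase keys (assumption)
    """
    peer = normalize(peer_ip)
    # Mixed IPv4/IPv6 membership tests evaluate to False, not an error.
    if not any(peer in net for net in trusted):
        return str(peer)  # untrusted sender: ignore X-Real-IP entirely
    try:
        return str(normalize(headers.get("x-real-ip", "").strip()))
    except ValueError:
        return str(peer)  # header missing or malformed: fall back to peer


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("172.18.0.5", {"x-real-ip": "203.0.113.7"}),    # via the proxy
        ("198.51.100.9", {"x-real-ip": "203.0.113.7"}),  # direct, spoofed header
        ("172.18.0.5", {"x-real-ip": "not-an-ip"}),      # malformed value
    ]
    for peer, hdrs in samples:
        print(f"{peer:>14} -> {client_ip(peer, hdrs)}")
```

The address returned for a direct connection is always the socket peer, so a ban or rate limit keyed on it cannot be moved to another address by changing the header.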