Wrong Forwarded header when original X-Forwarded-For is an IPv6 #3643

Closed
ZIRAKrezovic opened this issue Dec 16, 2024 · 3 comments

@ZIRAKrezovic

When X-Forwarded-For contains an IPv6 address and `server.forward-headers-strategy` is set to `framework`, Gateway will pass an incorrect Forwarded header downstream, as shown in the picture, resulting in an exception being thrown in services that also set `server.forward-headers-strategy=framework`.


I have narrowed down the issue to spring-cloud-gateway, as nothing else seems to add the Forwarded header. I have prepared a reproducer that demonstrates this using IPv6-only haproxy and docker:

https://github.com/ZIRAKrezovic/gateway-reproducer.git

There is a single test that starts 3 containers and uses IPv6 only to communicate, up to returning back to the host (gateway) on 8080. Make sure to adjust the port in haproxy.cfg and application.properties if they should be changed.

The test contains a commented-out direct entry to its own "/test" REST resource, and a call that causes the issue to "/testgateway", which simply routes back to itself and rewrites the path to "/test".

@ZIRAKrezovic
Author

I can also reproduce this by using WebClient. Example has been updated.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.reactive.server.WebTestClient;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
class DemoApplicationSimpleTests {
    @Autowired
    private WebTestClient webClient;

    @Test
    void contextLoads() {
        webClient.get()
                // working url, bypasses gateway
                //.uri("/test")
                .uri("/testgateway")
                .header("X-Forwarded-For", "fd00:fefe:1::4")
                .exchange()
                .expectStatus()
                .isOk();
    }
}
```

@bclozel
Contributor

bclozel commented Jan 13, 2025

@ZIRAKrezovic according to the RFC, this is an invalid "X-Forwarded-For" value. The IPv6 address needs to be enclosed, like [fd00:fefe:1::4].

@ZIRAKrezovic
Author

ZIRAKrezovic commented Jan 13, 2025

@bclozel - this is just a typo from my end - framework seems to handle IPv6 both with and without surrounding [] in X-Forwarded.

The situation is still the same if there is no "X-Forwarded", i.e. if you use native IPv6.

Edit: I will contact haproxy about missing brackets - other issue is still relevant.
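
For readers of this thread: RFC 7239 requires an IPv6 address in the `for` parameter of a Forwarded header to be enclosed in square brackets and quoted. The sketch below is an added example, not code from Spring Cloud Gateway or from the reproducer; the class and method names are hypothetical, and it accepts IP literals only (not `unknown` or obfuscated identifiers).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ForwardedForExample {
    // Shape checks only (allowed characters and layout), not full address validation.
    private static final Pattern BRACKETED_V6 =
            Pattern.compile("\\[[0-9A-Fa-f:.]+\\](:\\d{1,5})?");
    private static final Pattern BARE_V6 =
            Pattern.compile("[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");
    private static final Pattern V4 =
            Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}(:\\d{1,5})?");

    /** Turns one X-Forwarded-For entry into an RFC 7239 "for" parameter. */
    static String toForParameter(String entry) {
        String node = entry.trim();
        if (BRACKETED_V6.matcher(node).matches()) {
            // Already bracketed, optionally with a port: only quoting is needed.
            return "for=\"" + node + "\"";
        }
        if (V4.matcher(node).matches()) {
            // A bare IPv4 address is a valid token; ':' before a port forces quoting.
            return node.contains(":") ? "for=\"" + node + "\"" : "for=" + node;
        }
        if (BARE_V6.matcher(node).matches()) {
            // Bare IPv6, as in the issue: add brackets, then quote.
            return "for=\"[" + node + "]\"";
        }
        // Anything else (quotes, ';', '=', hostnames) is rejected rather than
        // copied into the outgoing header.
        throw new IllegalArgumentException("not an IP literal: " + node);
    }

    /** Converts a comma-separated X-Forwarded-For value into a Forwarded value. */
    static String toForwardedHeader(String xForwardedFor) {
        List<String> elements = new ArrayList<>();
        for (String entry : xForwardedFor.split(",")) {
            elements.add(toForParameter(entry));
        }
        return String.join(", ", elements);
    }

    public static void main(String[] args) {
        // Constructed inputs; fd00:fefe:1::4 is the address used in the issue.
        String[] samples = {"fd00:fefe:1::4", "[fd00:fefe:1::4]",
                "[fd00:fefe:1::4]:8080", "192.0.2.10, fd00:fefe:1::4"};
        for (String sample : samples) {
            System.out.println(sample + " -> " + toForwardedHeader(sample));
        }
    }
}
```

Rejecting entries that are not IP literals keeps client-supplied characters such as `"` or `;` from being copied into the header that downstream services parse.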
