# ktor

Quap

03/15/2023, 6:08 AM
Is there a way to reliably determine whether an incoming request is coming from a local connection? I want to make an admin panel that is accessible from the machine hosting the server only, but I see the warning about using call.request.local.remoteAddress...

Aleksei Tirman [JB]

03/15/2023, 6:48 AM
What warning do you see when using `call.request.local.remoteAddress`?

Quap

03/15/2023, 6:57 AM
From the docs here: https://api.ktor.io/ktor-http/io.ktor.http/-request-connection-point/index.html
"Client address. For io.ktor.application.ApplicationRequest.local instance could point to a proxy our application running behind. NEVER use it for user authentication as it can be easily falsified (user can simply set some HTTP headers such as X-Forwarded-Host so you should NEVER rely on it in any security checks). If you are going to use it to create a back-connection, please do it with care as an offender can easily use it to force you to connect to some host that is not intended to be connected to so that may cause serious consequences."
Is this only applicable when behind a proxy? I tested a bit sending X-Forwarded headers and couldn't see any problem.

Aleksei Tirman [JB]

03/15/2023, 7:10 AM
It can be used without a proxy but it’s not safe to rely on that address.

Quap

03/15/2023, 7:20 AM
Well, I also don't have the ForwardedHeaders plugins installed - so there should be zero risk, I think? If someone tried to gain access to the system this way, the method would not work because the X-Forwarded headers would simply be disregarded - is this correct? Thanks for the replies btw, you have helped me before and I appreciate it!