Details
-
Bug
-
Resolution: Unresolved
-
Medium
-
None
-
3.0.0, 3.1.0, 3.2.0-beta1, 2.5.14
-
None
Description
platform.sh use "ngx_http_realip_module" nginx module, and put client IP into REMOTE_ADDR.
This makes it impossible to configure an application to be accessible from both with and without varnish. For example, serve a website by varnish and admin by nginx.
If you'll put REMOTE_ADDR in TRUSTED_PROXIES, admin panel will be open to ip address spoof using "x-forwarded-for" header.
And, user will be able to request your varnish invalidation token.
If you'll put other IP address, or don't specify TRUSTED_PROXIES at all, you'll receive "Unauthorized" from varnish (because of "/_ez_http_invalidatetoken" route checking "$request->isFromTrustedProxy()", which will return false).
Ideally, it should work in a way where developer can safely use
$request->getClientIp()
I'm not sure if this issue is reproducible on ezplatform cloud, but I assume it should be there too.
It looks like platform.sh is doing everything to emulate that request is coming from user directly, they even remove IPs from most CDNs.
PR: https://github.com/ezsystems/ezplatform-http-cache/pull/136