radicle-httpd should respect HTTP Forward header
Currently radicle-httpd takes the connection address from the TCP stream, but to work behind a proxy it should respect the RFC 7239 Forward HTTP header.
I don’t think anymore that this should be implemented.
radicle-httpd should rather rely solely on an authenticated session when deciding to reply with potentially sensitive information, regardless of where the request originated. It is too easy to misconfigure this on public nodes and it anyhow opens up the httpd to spying from other users on personal nodes via 127.0.0.1, especially in multi-user environments. I leave this open to provide a justification as to why I think this is the wrong solution.
Hey spacefrogg,
We removed the ability in radicle-httpd to take the connection address for any kind of authentication, and don’t serve any potentially sensitive information. Recommend closing this issue.
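
The difference between the two policies discussed in this thread, as an added example that is not radicle-httpd code: an address-based check beside a session-based one, run over constructed requests that all arrive via 127.0.0.1. The `Request` type, the function names and the session id are hypothetical.

```rust
use std::collections::HashSet;
use std::net::{IpAddr, SocketAddr};

// Hypothetical request model for illustration; not radicle-httpd's types.
pub struct Request<'a> {
    pub peer: SocketAddr,               // address taken from the TCP stream
    pub forwarded_for: Option<&'a str>, // `for=` value of a Forwarded header, if any
    pub bearer: Option<&'a str>,        // session token presented by the client
}

// Address-based policy: treat loopback as trusted. Use the forwarded
// address when it is present and parses, otherwise fall back to the TCP peer.
pub fn allow_by_address(req: &Request) -> bool {
    let forwarded = req.forwarded_for.and_then(|s| s.parse::<IpAddr>().ok());
    forwarded.unwrap_or_else(|| req.peer.ip()).is_loopback()
}

// Session-based policy: the origin of the request plays no part.
pub fn allow_by_session(req: &Request, sessions: &HashSet<String>) -> bool {
    req.bearer.map_or(false, |t| sessions.contains(t))
}

// Constructed sample requests, all arriving over 127.0.0.1.
pub fn samples() -> Vec<(&'static str, Request<'static>)> {
    let lo: SocketAddr = "127.0.0.1:40000".parse().unwrap();
    vec![
        ("proxy sets header", Request { peer: lo, forwarded_for: Some("203.0.113.7"), bearer: None }),
        ("proxy omits header", Request { peer: lo, forwarded_for: None, bearer: None }),
        ("other local user", Request { peer: lo, forwarded_for: None, bearer: None }),
        ("owner with session", Request { peer: lo, forwarded_for: None, bearer: Some("constructed-session-id") }),
    ]
}

// Constructed session store holding one valid session id.
pub fn sessions() -> HashSet<String> {
    HashSet::from(["constructed-session-id".to_string()])
}

fn main() {
    let store = sessions();
    for (name, req) in samples() {
        let (by_addr, by_sess) = (allow_by_address(&req), allow_by_session(&req, &store));
        println!("{name:20} address={by_addr} session={by_sess}");
    }
}
```

The address policy cannot tell the node owner apart from a proxy that omits the header or from another local user, while the session policy gives the same answer regardless of where the request came from.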