Disclaimer: I have not tried this yet to see the actual behavior, so let me know if I am wrong.
In `checkIfRequestShouldBeProxied()` we can see `safeResolve` is called on every `allow`. So if the host resolves to an internal IP, it is going to get denied. It would be great if `global_allow_list` was honored even if the IP resolves to an internal address (either as default or by passing some flag).
My current workaround would be to just use `--unsafe-allow-private-ranges` when I only want to allow some dynamic IP for a known internal hostname.
In our use, we have global allow entries like, say, api.some-partner.com. Those domains and their DNS are externally controlled, and we do not want them to be able to resolve to an internal IP address. So the behaviour as-is today is required for our model.
We could plausibly add an option to have domains that are allowed, even if they resolve to an internal IP. I can see how that would be useful in some circumstances. I admit to being a bit worried about ballooning complexity, especially around what I view as one of our most important security guarantees of not allowing traffic to private IPs.
That totally makes sense. Our use case is that we have an internal login server which is used to simulate user logins during a load test. Today the only way to allow the proxy to connect to this server would be by using `--unsafe-allow-private-ranges`, which allows access to the entire internal network.
I think implementing a flag like `--unsafe-allow-private-global-list` would be better, so that instead of allowing all the private ranges we only allow it for a specific entry like api.internal.app.com.
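The per-host exemption discussed in this thread, as an added sketch in Go; it is not smokescreen's code, and `Policy`, `PrivateOKHosts`, `Check`, the resolver hook and the sample DNS data are hypothetical names and constructed values. A host on the allow list is still denied when it resolves to an internal address, unless it is also on the narrower exemption list.

```go
package main

import (
	"fmt"
	"net"
)

// Policy is hypothetical; these are not smokescreen's real config fields.
type Policy struct {
	AllowList      map[string]bool // hosts the proxy may reach at all
	PrivateOKHosts map[string]bool // listed hosts that may also resolve to internal IPs
}

// isInternal is a reduced check (private, loopback, link-local) for this example.
func isInternal(ip net.IP) bool { return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() }

// Check returns the IP the caller must dial; re-resolving the name would bypass the check.
func (p Policy) Check(host string, resolve func(string) ([]net.IP, error)) (net.IP, error) {
	if !p.AllowList[host] {
		return nil, fmt.Errorf("%s: not on allow list", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%s: resolution failed", host)
	}
	for _, ip := range ips { // every answer must pass, not only the first
		if isInternal(ip) && !p.PrivateOKHosts[host] {
			return nil, fmt.Errorf("%s: resolves to internal address %s", host, ip)
		}
	}
	return ips[0], nil
}

// Constructed sample data: both names currently resolve to private addresses.
var sampleDNS = map[string][]net.IP{
	"api.some-partner.com": {net.ParseIP("10.0.0.5")},
	"api.internal.app.com": {net.ParseIP("10.1.2.3")},
}

func sampleResolve(host string) ([]net.IP, error) { return sampleDNS[host], nil }

var demoPolicy = Policy{
	AllowList:      map[string]bool{"api.some-partner.com": true, "api.internal.app.com": true},
	PrivateOKHosts: map[string]bool{"api.internal.app.com": true},
}

func main() {
	fmt.Println(demoPolicy.Check("api.some-partner.com", sampleResolve))
	fmt.Println(demoPolicy.Check("api.internal.app.com", sampleResolve))
}
```

With an empty `PrivateOKHosts` the check behaves like the strict model described in the thread: every allow-listed name that resolves to an internal address is denied.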