Description
We really need a way to disable this and go back to the original logic of trusting proxies. My stuff is behind cloudfront, I trust their proxies but don't have a list of all the IP addresses. Now I don't get the real client IPs. This broke a lot of our downstream logs and analytics.
How about a simple bool to go back to original logic?
DisableTrustedProxyChecking: false
Related: #2697 #2723 #2791
Comment From: zihengCat
@montanaflynn
Just set TrustedProxies to nil using the new SetTrustedProxies API in Gin 1.7.3 :)
engine.SetTrustedProxies(nil)
Comment From: montanaflynn
That method doesn't exist in Gin 1.7.3.
Comment From: zihengCat
Oh, Gin 1.7.3 doesn't bundle the latest master code.
Comment From: zihengCat
Set TrustedProxies to nil manually before running the application.
engine := gin.Default()
engine.TrustedProxies = nil
// ...
engine.Run(":8080")
Comment From: montanaflynn
I'm not using engine.Run, so that won't work either.
Here's an example; this setup is very common. Please also see https://github.com/gin-gonic/gin/issues/2697
package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.New()
	fmt.Println(gin.Version)

	// Serving through a custom http.Server rather than router.Run.
	server := &http.Server{
		Addr:    ":8080",
		Handler: router,
	}

	// Echo back whatever Gin resolves as the client IP.
	router.GET("/", func(c *gin.Context) {
		c.String(200, c.ClientIP())
	})

	err := server.ListenAndServe()
	if err != nil {
		log.Fatal(err)
	}
}
Comment From: duaneking
IMHO the TrustedProxy logic should honestly be turned off by default; there is not a good reason I can think of (feel free to provide your own and explain it to change my mind if you like) to turn it on by default in an unconfigured and non-functional state, and the speed difference after turning it off is noticeable enough in my tests that turning it off looks like something that can actually save you money on FaaS environment deploys.
Comment From: dominictobias
This isn't a great experience, as the warning happens from the demo code in the README and the link in the warning redirects to the readme without any specific info.
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /ping --> main.main.func1 (3 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
Comment From: koalazub
Hey, I wanted to know if there's been an update on this as of late?
I'm aware of how to disable when using Run(), but is there a way outside of this solution?
Comment From: swarajkumarsingh
The perfect solution 💕
Issue: Gin by default does not allow all requests to access the server for security reasons
Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.
To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router.
Solution in code:
r := gin.Default()
r.ForwardedByClientIP = true
// SetTrustedProxies returns an error if an entry does not parse; check it in real code.
r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})
In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.
Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.
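What a trusted-proxy list actually decides, as an added example written for this thread rather than code from Gin or from any commenter: `ProxyPolicy`, `NewProxyPolicy` and `ClientIP` are hypothetical names, and the logic is a generic right-to-left walk of X-Forwarded-For that skips trusted hops, which is the general scheme such lists implement, not a copy of Gin's implementation. Entries are assumed to be CIDRs (a single host is written with /32).

```go
package main

import (
	"net"
	"strings"
)

// ProxyPolicy (hypothetical name) plays the role of the trusted-proxy list:
// only peers inside these networks may speak for the client via X-Forwarded-For.
type ProxyPolicy struct{ trusted []*net.IPNet }

// NewProxyPolicy parses CIDR entries; write a single host as "203.0.113.9/32".
func NewProxyPolicy(cidrs []string) (*ProxyPolicy, error) {
	p := &ProxyPolicy{}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, err
		}
		p.trusted = append(p.trusted, n)
	}
	return p, nil
}
func (p *ProxyPolicy) isTrusted(ip net.IP) bool {
	for _, n := range p.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP consults X-Forwarded-For only when the TCP peer is a trusted proxy,
// then walks the chain right to left, skipping trusted hops, so the first
// address our proxies did not append wins. With no trusted networks (or a nil
// policy) the header is never believed and the peer address is returned.
func (p *ProxyPolicy) ClientIP(peerIP, xff string) string {
	peer := net.ParseIP(peerIP)
	if p == nil || !p.isTrusted(peer) || xff == "" {
		return peerIP
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peerIP // malformed header: fall back to the peer
		}
		if i == 0 || !p.isTrusted(ip) {
			return ip.String()
		}
	}
	return peerIP
}
```

With `0.0.0.0/0` the header is believed from any peer, which is the situation the warning in this thread is about; with the peer outside the list the header is ignored, which is the lost-client-IP symptom the original report describes.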
Comment From: uranderu
> The perfect solution 💕
> Issue: Gin by default does not allow all requests to access the server for security reasons
> Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.
> To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router.
> Solution in code:
> r := gin.Default()
> r.ForwardedByClientIP = true
> r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})
> In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.
> Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.
I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.
Comment From: duaneking
As somebody with professional experience in cyber security, I can totally understand the desire to be able to limit to a close set of trusted IP ranges.
The problem here is that this "feature" makes security actively worse, while it creates additional costs for the business.
Setting nil to turn it off should be the default. Then, when people are doing deployment, they can enable it as they need to.
The fact that a system can run without this feature turned on perfectly fine, faster, in a fully secure way, shows that this feature is simply dead code bloat for most people.
I think what's really happening here is that this feature was added because of a social situation, not because of an engineering requirement; I would like to formally request that this feature be turned off by default, simply because it's hosting specific, and I feel it's unfair for everybody not using those hosting platforms that require this for it to be enabled by default, as I would consider it to be a bug.
Comment From: swarajkumarsingh
>> The perfect solution 💕
>> Issue: Gin by default does not allow all requests to access the server for security reasons
>> Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.
>> To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router.
>> Solution in code:
>> r := gin.Default()
>> r.ForwardedByClientIP = true
>> r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})
>> In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.
>> Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.
>
> I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.
Yeah, I understand the point, but the solution is just to remove DEBUG print by gin, of course, you can set it to 0.0.0.0 for public access and alter it in the nginx ... or whatever service/tech stack you are using. 😉
Comment From: uranderu
I have not tested this myself, but somewhere here in the comments somebody said it makes a difference in speed. And that check should just not run if the user did not set it.
On Oct 12, 2023, at 19:35, Swaraj Kumar Singh wrote:
>>> The perfect solution 💕
>>> Issue: Gin by default does not allow all requests to access the server for security reasons
>>> Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.
>>> To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router.
>>> Solution in code:
>>> r := gin.Default()
>>> r.ForwardedByClientIP = true
>>> r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})
>>> In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.
>>> Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.
>>
>> I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.
>
> Yeah, I understand the point, but the solution is just to remove DEBUG print by gin, of course, you can set it to 0.0.0.0 for public access and alter it in the nginx ... or whatever service/tech stack you are using. 😉
Comment From: twocs
The link is now broken, i.e. there's no readme info corresponding to: https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies
Comment From: Leinadium
> The link is now broken, i.e. there's no readme info corresponding to: https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies
It was apparently moved from the readme.md file to a docs/doc.md file at #3449
Comment From: pva
>> The link is now broken, i.e. there's no readme info corresponding to: https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies
>
> It was apparently moved from the readme.md file to a docs/doc.md file at #3449
Yes, but the debug statement now points to a nonexistent place, and this is a bug by itself.