XFF headers supported in OJS 2.4.x

radjr · April 25, 2017, 7:49pm

I am looking to determine if OJS 2.4x supports XFF headers for access to OJS? Details located here: X-Forwarded-For - Wikipedia

Thanks!

ctgraham · April 25, 2017, 7:56pm

X-Forwarded-For is optionally used for identifying the source of requests.

github.com

pkp/ojs/blob/ojs-stable-2_4_8/config.TEMPLATE.inc.php#L93-L96


; Allow the X_FORWARDED_FOR header to override the REMOTE_ADDR as the source IP
; Set this to "On" if you are behind a reverse proxy and you control the X_FORWARDED_FOR
; Warning: This defaults to "On" if unset for backwards compatibility.
trust_x_forwarded_for = Off

What is your particular use case?

radjr · April 25, 2017, 8:31pm

Thanks Curtis, I just stumbled across this in the config file. Here are the questions please.

Do XFF headers work?
Is there a security issue setting trust_x_forwarded_for = on ??
The default statement of “on” seems inaccurate for 2.4.x installs as we did not know it was there.
Does enabling it break something else?
Is there a way to be emailed when someone access the system via this mode?
Our section of config.

; Allow the X_FORWARDED_FOR header to override the REMOTE_ADDR as the source IP
; Set this to “On” if you are behind a reverse proxy and you control the X_FORWARDED_FOR
; Warning: This defaults to “On” if unset for backwards compatibility.
trust_x_forwarded_for = Off

Many Thanks!
radjr

ctgraham · April 26, 2017, 12:08pm

If a client connects to OJS and providers an X-Forwarded-For header, the config.inc.php setting
trust_x_forwarded_for will determine whether or not the client is coming “from” the IP indicated by the X-Forwarded-For header, or “from” the remote IP offering the X-Forwarded-For header. This happens at a very basic level, so it should affect things like internal logging, institutional subscription authentication, session verification, etc.

X-Forwarded-For headers are typically a function of a proxy, so whether or not to trust them largely depends on whether or not you trust the proxy.

The config.inc.php which ships with OJS enables this directive, and sets the directive to “Off”. You can explicitly turn “On” this directive, at your option. If the config.inc.php file does not have this directive, or if the directive is commented out, the default action for legacy purposes is “On”. Only when the directive is present and is set of “Off” is the X-Forwarded-For header not used.

There is nothing in place to send an email regarding clients connecting with an X-Forwarded-For header. If you want to describe your use case in more detail, we could suggest where you might need to look in the code to make changes.

radjr · April 26, 2017, 1:29pm

Thanks. My concern was based around spoofed headers, people effective spoofing a header to gain access to the OJS system and around the authentication system. Will think about the email issue and respond. It was really for debugging purposes. Thank you!

radjr · April 26, 2017, 9:52pm

Followup. Changing this system allowed the reader to access the journal with XFF headers. The are Zscaler to as an external cloud based firewall. So I bet many other journals are going to start seeing this.

radjr · April 27, 2017, 4:20pm

Still looking for anybody’s thoughts on the security aspects of accepting XFF headers. Thanks!