CommandBox has always activated the Undertow feature out-of-the-box to look for a proxy peer address header and use it if it exists to set the source IP. However, this presents a security concern if the CommandBox server is NOT behind a proxy which always sets this header as it allows a bad actor to set their own header claiming the request is from localhost or some other trusted IP.
So, for security purposes, let's leave this off by default and update the docs to instruct ONLY people running CommandBox behind a proxy which always sets this header to re-enable the setting. This will make the default lockdown rules blocking external access to the CF admins more trustworthy.
This will be a breaking behavior for people behind a proxy. I’m only changing it in a minor release since it’s been pointed out as a secure-by-default security concern. Re-enabling the setting is perfectly safe so long as CommandBox is downstream of a proxy you trust which always sets this header. If CommandBox is not downstream of a proxy you trust, then you can still enable the setting, but you cannot trust any IP-based security checks in the lockdown rules or in your CFML code as the IP may be spoofed.
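The spoofing risk described in this ticket, shown as an added example that is not CommandBox's or Undertow's own code: a naive resolver that honours the forwarded header whenever it is present, beside a proxy-aware resolver that only honours it when the TCP peer is a trusted proxy, each fed into a lockdown rule that allows the administrator path only from loopback. The header name X-Forwarded-For, the trusted proxy address 10.0.0.5, the attacker address 203.0.113.9 and the loopback-only rule are all constructed for this example.

```python
import ipaddress

# Constructed for this example: the reverse proxy we trust, and a lockdown rule
# that only lets loopback clients reach the administrator UI.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
ADMIN_ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def naive_client_ip(peer_addr, headers):
    """The risky default this ticket turns off: trust the forwarded header
    whenever it exists, no matter who sent the request."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return peer_addr


def proxy_aware_client_ip(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
    walk the chain from the right, skipping our own proxies, so the result is
    the address the last trusted proxy actually accepted the connection from.
    Anything an attacker prepended to the header is never reached."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in trusted_proxies):
        # Direct connection: the transport peer is the only address we can trust.
        return peer_addr
    forwarded = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the transport peer rather than guess.
            return peer_addr
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    # Every listed hop was one of our own proxies; the peer is the best answer.
    return peer_addr


def admin_allowed(client_ip):
    """Lockdown rule: the administrator UI is reachable from loopback only."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_ALLOWED)


def evaluate(peer_addr, headers, resolver):
    """Resolve the client IP with the given strategy and apply the lockdown rule."""
    return admin_allowed(resolver(peer_addr, headers))


if __name__ == "__main__":
    # Attacker connects directly (no proxy in front) and claims to be localhost.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive, direct attacker:      ", evaluate("203.0.113.9", spoofed, naive_client_ip))
    print("proxy-aware, direct attacker:", evaluate("203.0.113.9", spoofed, proxy_aware_client_ip))
    # Same attacker behind the trusted proxy, which appends the real source.
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 203.0.113.9"}
    print("proxy-aware, via proxy:      ", evaluate("10.0.0.5", via_proxy, proxy_aware_client_ip))
```

With the naive resolver the direct attacker passes the loopback-only rule; with the proxy-aware resolver the same request is evaluated as 203.0.113.9 and denied, and the header is still usable for genuine requests that arrive through 10.0.0.5. The proxy-aware variant is the behaviour you get from the setting only when the proxy in front of CommandBox always sets the header; without such a proxy, no resolver can make the header trustworthy.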
Fixed