Description
Incoming HTTP requests may contain X-Forwarded-For header, sent by a client to bypass the client application IP restrictions or rate limiters and fake the client IP address. Currently, nginx-proxy trusts this header and passes it to the downstream.
This is a pretty serious flaw that requires a CVE registration, as it happened in other OpenSource projects: CVE-2020-28483 for go/gin, CVE-2020-35590 for WordPress, CVE-2020-13485 for CraftCMS.
The application developers usually specify trusted proxy server IP addresses explicitly and frameworks and proxies provide properties for this kind of configuration. For example, Symfony – PHP framework, Express – JS framework, Gin – Go framework, Traefik Proxy
I suggest introducing a TRUST_FORWARDED_HEADERS, which takes a comma-separated list of IP networks, that are trusted. X-Forwarded headers from these networks should be passed to the downstream only if the request address is trusted.