Skip to content

Trust only configured proxies for forward proxy authentication#36

Open
3em0 wants to merge 1 commit into
will-moss:masterfrom
3em0:fix/forward-proxy-auth-trusted-proxies
Open

Trust only configured proxies for forward proxy authentication#36
3em0 wants to merge 1 commit into
will-moss:masterfrom
3em0:fix/forward-proxy-auth-trusted-proxies

Conversation

@3em0

@3em0 3em0 commented Jun 10, 2026

Copy link
Copy Markdown

Summary

Fixes #33.

This adds an explicit trust boundary for Forward Proxy Authentication headers. Isaiah now accepts the configured proxy authentication header only when the websocket request comes from an IP address listed in FORWARD_PROXY_AUTHENTICATION_TRUSTED_PROXIES.

Changes

  • Add FORWARD_PROXY_AUTHENTICATION_TRUSTED_PROXIES as a comma-separated IP/CIDR allowlist.
  • Ignore client-supplied forward proxy authentication headers from untrusted remote addresses.
  • Document the new required setting for Forward Proxy Authentication deployments.
  • Add unit coverage for exact IP, CIDR, empty configuration, and IPv6 trusted proxy matching.

Testing

  • git diff --check
  • Not run: gofmt / go test ./... because this environment does not have the Go toolchain installed (go and gofmt are unavailable).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Forward proxy authentication trusts client-supplied header when backend is reachable

1 participant