Description
Is your feature request related to a problem? Please describe.
I'm looking to front ejabberd with some routers that send the PROXY protocol packets. As a further point of restriction/containment I'd like ejabberd to only receive it from specific IP addresses.
Currently this is not possible as PROXY protocol tagged packets can be accepted from anywhere. As access rules are handled after IPs in the proxy protocol are parsed, this may have security implications if ejabberd isn't exposed properly.
Describe the solution you'd like
Something like this in the listen modules:
```yaml
listen:
  -
    port: 5223
    module: ejabberd_c2s
    access: c2s
    use_proxy_protocol: true
    proxy_protocol_acl:
      - 192.168.1.6/32
      - 192.168.2.0/24
```

And enforce it as a requirement when `use_proxy_protocol: true`, so operators have to go out of their way to enable access from anyone via defining `[ 0.0.0.0/0, ::/0 ]`. Perhaps this could be a gradual migration, but I hope there'll be a point where explicit IP declaration is necessary.
Since all the other ACL types don't apply at this level, I guess a list of CIDRs would do.
Describe alternatives you've considered
Having a middleware or firewall rules between the router and ejabberd, which may be clunkier to set up, especially with Docker environments.
Additional context
Previously discussed in the MUC.
Section 2 of the spec says that "The receiver SHOULD ensure proper access filtering so that only trusted proxies are allowed to use this protocol."
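The following is an added, stand-alone illustration of the behaviour this request asks for; it is not ejabberd code and does not use ejabberd's configuration schema. It takes the option names proposed above (`use_proxy_protocol`, `proxy_protocol_acl`) as assumptions, rejects a listener that enables the proxy protocol without an ACL, and only lets a TCP peer inside the configured CIDRs replace the address that the `access` rules will later evaluate. The PROXY header parsing covers the v1 text format only (`TCP4`, `TCP6`, `UNKNOWN`), and the sample header lines are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed listener entry mirroring the proposed option names (assumption,
# not ejabberd's real schema).
LISTENER = {
    "port": 5223,
    "module": "ejabberd_c2s",
    "use_proxy_protocol": True,
    "proxy_protocol_acl": ["192.168.1.6/32", "192.168.2.0/24"],
}


def validate_listener(listener):
    """Apply the requested rule: use_proxy_protocol without an ACL is a config error.
    Returns the parsed CIDR list (empty when the proxy protocol is disabled)."""
    acl = listener.get("proxy_protocol_acl") or []
    if listener.get("use_proxy_protocol") and not acl:
        raise ValueError("use_proxy_protocol: true requires a non-empty proxy_protocol_acl")
    return [ipaddress.ip_network(c, strict=False) for c in acl]


def parse_proxy_v1(line):
    """Parse a PROXY protocol v1 header line.
    Returns (src_ip, src_port) for TCP4/TCP6, None for 'PROXY UNKNOWN',
    and raises ValueError for anything that is not a well-formed header."""
    if not line.endswith("\r\n"):
        raise ValueError("missing CRLF terminator")
    fields = line[:-2].split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY keyword")
    if fields[1] == "UNKNOWN":
        return None  # sender could not determine the client; use the TCP peer
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected field layout")
    src = ipaddress.ip_address(fields[2])   # raises ValueError on garbage
    ipaddress.ip_address(fields[3])         # destination must parse as well
    if src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family does not match the protocol tag")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport


class Decision(NamedTuple):
    client_ip: Optional[str]    # address the access rules should evaluate; None = drop
    client_port: Optional[int]
    reason: str


def effective_client(peer_ip, first_line, acl):
    """Decide which address the `access` rules should see for a new connection.

    peer_ip    - the real TCP peer as reported by the kernel
    first_line - the first line read from the socket
    acl        - CIDR networks returned by validate_listener()
    """
    if not acl:
        # Proxy protocol disabled: the TCP peer is the client, the line is just data.
        return Decision(peer_ip, None, "proxy protocol disabled")
    if not any(ipaddress.ip_address(peer_ip) in net for net in acl):
        # An untrusted peer must never get to choose the address the ACLs evaluate.
        return Decision(None, None, "peer not in proxy_protocol_acl, connection dropped")
    try:
        parsed = parse_proxy_v1(first_line)
    except ValueError as exc:
        return Decision(None, None, f"malformed PROXY header ({exc}), connection dropped")
    if parsed is None:
        return Decision(peer_ip, None, "PROXY UNKNOWN, falling back to TCP peer")
    return Decision(parsed[0], parsed[1], "address taken from trusted proxy")


if __name__ == "__main__":
    acl = validate_listener(LISTENER)
    # Constructed header as a trusted router would send it.
    header = "PROXY TCP4 203.0.113.5 192.168.2.1 56324 5223\r\n"
    print(effective_client("192.168.2.40", header, acl))  # trusted peer: 203.0.113.5
    print(effective_client("10.0.0.9", header, acl))      # untrusted peer: dropped
```

The dropped-connection outcome for an unlisted peer is what makes the ACL meaningful: if an untrusted peer were instead treated as a plain client, the header would just be ignored, but any ACL logic that runs after the header is parsed would already have been handed a peer-chosen address.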