How to mitigate the strfry crash exploit
Why this is happening
This happens due to an invalid real IP header.

You are most likely using X-Forwarded-For as the real IP header. Strfry expects the real IP header to contain just one IP, but the X-Forwarded-For header is a list of IPs: every proxy in the chain appends the IP it received the request from.

If a client sends its own X-Forwarded-For header, like X-Forwarded-For: 1.1.1.1, your proxy will append the remote IP, giving X-Forwarded-For: 1.1.1.1, 127.0.0.1. When you use $proxy_add_x_forwarded_for in Nginx, this is exactly what it does: it appends the remote IP to whatever value the client supplied.

Strfry then tries to parse 1.1.1.1, 127.0.0.1 as a single IP address, fails, and throws an exception.
How to fix it
If you are using Caddy, just switch to X-Real-IP.

If you are using Nginx, you can add a real IP header like so, and switch to using it:

proxy_set_header X-Real-IP $remote_addr;
You can also disable the real IP header, but this will cause problems if you use a write filter script or look at the logs.
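The parsing failure described above, and the header handling that avoids it, as an added example written for this page; it is not strfry's code, and the sample header values (1.1.1.1, 203.0.113.7) are constructed. The strict parser shows why a comma-separated X-Forwarded-For value raises, and the defensive parser takes only the right-most element, since that is the one appended by your own proxy; everything to its left is client-controlled and must not be trusted as the peer address.

```python
import ipaddress
from typing import Dict, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample headers, as a proxy might forward them (not captured
# from a real relay). The client supplied "1.1.1.1"; the proxy appended
# the real remote address 203.0.113.7.
SAMPLE_HEADERS: Dict[str, str] = {
    "X-Real-IP": "203.0.113.7",
    "X-Forwarded-For": "1.1.1.1, 203.0.113.7",
}


def parse_single_ip(value: str) -> IPAddress:
    """Strict parser: the whole header value must be exactly one IP.

    This mirrors the behaviour the article describes: a list such as
    '1.1.1.1, 203.0.113.7' is not an IP address, so parsing raises
    ValueError instead of returning an address.
    """
    return ipaddress.ip_address(value.strip())


def strict_parse_fails(value: str) -> bool:
    """True if the strict parser rejects the value (the crash condition)."""
    try:
        parse_single_ip(value)
    except ValueError:
        return True
    return False


def last_hop_from_forwarded_for(value: str) -> IPAddress:
    """Defensive parser for a comma-separated X-Forwarded-For list.

    Only the right-most element was appended by our own proxy. Anything to
    its left came from the client or from upstream proxies we do not
    control, so it is never used as the peer address.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty X-Forwarded-For header")
    return ipaddress.ip_address(parts[-1])


def real_ip(headers: Dict[str, str], header_name: str) -> IPAddress:
    """Resolve the peer address from the configured real-IP header.

    A single-IP header such as X-Real-IP is parsed strictly; an
    X-Forwarded-For header is reduced to its proxy-appended last hop.
    """
    value = headers.get(header_name)
    if value is None:
        raise KeyError(f"missing header {header_name}")
    if header_name.lower() == "x-forwarded-for":
        return last_hop_from_forwarded_for(value)
    return parse_single_ip(value)


if __name__ == "__main__":
    xff = SAMPLE_HEADERS["X-Forwarded-For"]
    print("strict parse of X-Forwarded-For fails:", strict_parse_fails(xff))
    print("last hop from X-Forwarded-For:", real_ip(SAMPLE_HEADERS, "X-Forwarded-For"))
    print("X-Real-IP:", real_ip(SAMPLE_HEADERS, "X-Real-IP"))
```

Switching the relay to X-Real-IP (set from $remote_addr) is the equivalent of the strict path here: the proxy writes a single address that the client cannot prepend to, so there is nothing to split and nothing for an untrusted client to influence.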
Published at 2024-04-10 01:12:11

Event JSON
{
"id": "3160aa8a4d97a28aff1bfdff576a20e9d87c1eb884a55b5fb150ba2ed66919fa",
"pubkey": "52b4a076bcbbbdc3a1aefa3735816cf74993b1b8db202b01c883c58be7fad8bd",
"created_at": 1712711531,
"kind": 30023,
"tags": [
[
"d",
"strfry-crash-fix"
],
[
"title",
"How to mitigate the strfry crash exploit"
],
[
"summary",
"Is your strfry relay crashing with the error \"invalid size of ipBytes\"? This is how you can fix it."
],
[
"t",
"strfry"
],
[
"published_at",
"1712711530"
],
[
"alt",
"This is a long form article, you can read it in https://habla.news/a/naddr1qvzqqqr4gupzq5455pmtewaacws6a73hxkqkea6fjwcm3keq9vqu3q7930nl4k9aqqg8xarjvee8jttrwfshx6pdve5hs5m6jh2"
]
],
"content": "## Why this is happening\n\nThis happens due to an invalid real IP header.\n\nYou are most likely using `X-Forwarded-For` as the real IP header. Strfry expects the real IP header to contain just an IP, but [the `X-Forwarded-For` header is *a list of IPs*](https://en.wikipedia.org/wiki/X-Forwarded-For), with every proxy adding the IP of where it got the request from. \n\nIf a client specifies an X-Forwarded-For header, like `X-Forwarded-For: 1.1.1.1`, your proxy will add the remote IP, like this: `X-Forwarded-For: 1.1.1.1, 127.0.0.1`\nWhen you use `$proxy_add_x_forwarded_for` in Nginx, this is what it is doing: *appending* the remote IP to the header.\n\nStrfry tries parsing `1.1.1.1, 127.0.0.1` as an IP address, fails, and throws an exception.\n\n## How to fix it\n\nIf you are using Caddy, just switch to `X-Real-IP`.\n\nIf you are using Nginx, you can add a real IP header like so, and switch to using it:\n`proxy_set_header X-Real-IP $remote_addr;`\n\nYou can also disable the real IP header, but this will cause problems if you use a write filter script or look at the logs.",
"sig": "4c5aac1d8d73689fd10eb6912e9a65cc5b6b0811b152410963f0571c48c4170bfdd3228d243638832b799275fd305a8ec3f1a3326ddfbca2fc4ed14cf655b977"
}