Description
Suppose an IP-based access control solution is implemented in your web server (the back-end server). In that case, the HAProxy instance used by BitNinja's SslTerminating module can be abused to push an arbitrary, client-supplied IP address (via the X-Forwarded-For header) to the back-end web server behind our WAF module, thus bypassing the aforementioned IP-based policy.
Does NOT affect BitNinja’s IPFilter
The issue does not affect BitNinja's protection in any way, and it is not a BitNinja-specific vulnerability: the same issue can be reproduced in other reverse-proxy environments, so there is no way to block this X-Forwarded-For header forgery at the proxy itself.
Solution
We suggest adding the proxies you consider secure to our Trusted Proxy list, so that only X-Forwarded-For values set by those proxies are honoured.
To do this, you will need to enable the TrustedProxy module.
You can enable the module and add the IP addresses from the Firewall → Trusted Proxies menu.
Also, if you maintain your own blocklist, we suggest adding the offending IP addresses to BitNinja's blocklist.
This should resolve the issue you are having.
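To show why a trusted proxy list is the right fix, here is an added example (not BitNinja's or HAProxy's own code) of how a back-end application can resolve the real client address before applying an IP-based policy. It walks the X-Forwarded-For chain from the right, skipping only hops that are on the trusted proxy list, and ignores the header entirely when the TCP peer is not a trusted proxy. The proxy ranges, the allowlist and the request values are constructed for the example and are not taken from the article.

```python
import ipaddress
from typing import List, Optional

# Constructed example: proxies whose X-Forwarded-For entries we trust.
# In a BitNinja deployment these would be the addresses you register under
# Firewall -> Trusted Proxies; the ranges below are assumptions.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Constructed example: the IP-based access control policy on the back end.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),  # an address an attacker would like to spoof
]


def in_networks(addr: str, networks) -> bool:
    """True if addr parses as an IP and falls inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Resolve the address to use for access control.

    remote_addr is the TCP peer (e.g. the HAProxy instance); xff_header is
    the raw X-Forwarded-For value. Starting from the peer, every hop that is
    a trusted proxy is skipped; the first untrusted hop is the client.
    Returns None when the chain cannot be interpreted, which callers must
    treat as "deny".
    """
    if not in_networks(remote_addr, trusted):
        # The peer is not a trusted proxy, so anything it wrote into
        # X-Forwarded-For is untrusted input and is ignored.
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # The rightmost entry was appended by the last (trusted) proxy, so the
    # chain is walked right to left. Entries forged by the client sit on the
    # far left and are only reached if every hop between is trusted.
    for hop in reversed(hops):
        if in_networks(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed rather than guess
        return hop

    # Header empty or made up solely of trusted proxies: the peer is the client.
    return remote_addr


def is_allowed(remote_addr: str, xff_header: Optional[str],
               allowlist=ALLOWED_CLIENTS, trusted=TRUSTED_PROXIES) -> bool:
    """Apply the IP-based policy to the resolved client address."""
    ip = client_ip(remote_addr, xff_header, trusted)
    return ip is not None and in_networks(ip, allowlist)


if __name__ == "__main__":
    # Constructed requests: a client on 203.0.113.9 tries to claim 127.0.0.1.
    # Direct to the back end (peer untrusted): header ignored, request denied.
    print(is_allowed("203.0.113.9", "127.0.0.1"))
    # Through the trusted proxy, which appended the real client on the right:
    # the forged 127.0.0.1 on the left is never consulted.
    print(is_allowed("10.0.0.1", "127.0.0.1, 203.0.113.9"))
    # A legitimate client behind the same proxy is still admitted.
    print(is_allowed("10.0.0.1", "198.51.100.7"))
```

The essential property is that a client can only influence the resolved address by controlling a hop that the back end has explicitly trusted; if the trusted proxy list is empty, the header is never consulted and the policy falls back to the TCP peer address.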