Private IP Exposure

Hello - we had a security scan run that reported an issue where private IP addresses are exposed. This happens when using the HTTP to HTTPS redirectScheme middleware. Our platform is AWS ELB with an AWS ACM certificate to a K8S service to Traefik to the endpoint.

The private IP that is exposed is that of the load balancer.

I had opened a GitHub issue, but it seems to be specific to having a LB or perhaps specifically an AWS LB. Details on the existing research are available at Customize Response for HTTP Redirects · Issue #8800 · traefik/traefik · GitHub

TL;DR: if you have redirects turned on and are using an AWS ELB and run the following curl command, the resulting redirect will include the private IP address:

❯ curl --http1.0 -vvk -H 'Host: ' http://myservice.uat.mydomain.com/sssssssssssssss
*   Trying 3.2.2.81:80...
* Connected to myservice.uat.mydomain.com (3.2.2.81) port 80 (#0)
> GET /sssssssssssssss HTTP/1.0
> Host:
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 01 Mar 2022 17:04:38 GMT
< Location: https://10.1.2.50/sssssssssssssss
< Content-Length: 17
< Connection: Close
<
* Closing connection 0
Moved Permanently%

Has anyone run into this before and created a solution? It is definitely not normal usage, but it is just the stuff hackers look for, unfortunately.
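A check of the kind the security scanner performed, as an added example that is not part of the original post: it repeats the curl request above (HTTP/1.0, no Host header) from Python against your own endpoint and flags a Location header whose host is a private (RFC 1918) address. SAMPLE_RESPONSE is constructed from the output shown in the post so the parsing can be exercised offline; the hostnames are the post's placeholders.

```python
"""Detect an HTTP->HTTPS redirect that leaks a private address in Location."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: the 301 response shown in the post, as raw HTTP text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Location: https://10.1.2.50/sssssssssssssss\r\n"
    "Content-Length: 17\r\n"
    "Connection: Close\r\n\r\n"
    "Moved Permanently"
)

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def leaked_private_host(location):
    """Return the address if the redirect target is a private IP literal, else None."""
    host = urlsplit(location).hostname
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name rather than an IP literal: nothing leaked
    return str(addr) if addr.is_private else None

def check_response(raw):
    """Return (status line, Location value, leaked private host or None)."""
    status, headers = parse_headers(raw)
    location = headers.get("location", "")
    return status, location, leaked_private_host(location)

def probe(host, path="/", port=80):
    """Send the post's curl request (HTTP/1.0, Host header omitted) to your own service."""
    request = f"GET {path} HTTP/1.0\r\nUser-Agent: redirect-check\r\nAccept: */*\r\n\r\n"
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return check_response(b"".join(chunks).decode("latin-1"))
```

probe() is the live version of the curl command; check_response() is what the scanner's finding boils down to, and a non-None third element means the redirect advertises an internal address.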