Limit access to Moat's /meek endpoint to a trusted CDN
The Moat setup has both a /meek and a /moat endpoint. External requests are supposed to arrive at /meek, where moat-shim (#69) adds an X-Forwarded-For header before forwarding them to /moat. /moat can trust the X-Forwarded-For header because it was last updated by moat-shim on the path from /meek.
But anonymous11 points out that because /meek is exposed externally, an adversary can simulate control over many IP addresses by writing its own X-Forwarded-For header and thereby get access to more of the pool.
https://ntc.party/t/moat/1604/4
But Moat (unlike HTTPS) makes gathering quite simple. You can connect directly to the Meek server (/meek) or the Moat distributor (/moat) with false Meek-IP headers (impersonating the CDN) or X-Forwarded-For headers (impersonating moat-shim).
So:
- We can block direct access to /moat (allowing only localhost access from moat-shim), prohibiting X-Forwarded-For spoofing from outside.
- We can try to ensure that access to /meek comes only from a CDN we trust to add X-Forwarded-For correctly.
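As an added example (not code from the Moat project), a header-resolution rule that /moat could apply on top of the two access restrictions above: read X-Forwarded-For from the nearest hop leftwards and skip only proxies we trust (moat-shim on localhost, plus constructed placeholder CDN ranges), so a client that writes its own X-Forwarded-For is still attributed to the address a trusted hop recorded. It assumes moat-shim appends the TCP peer address to the header rather than replacing it.

```python
import ipaddress

# Proxies whose X-Forwarded-For entries we trust. Both values are constructed
# placeholders: moat-shim on localhost, plus the CDN edge range(s) we front with.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),      # moat-shim -> /moat
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder CDN edge range
]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False   # garbage in the header is never a trusted hop
    return any(ip in net for net in trusted)


def client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Attribute the request to the rightmost hop that is NOT a trusted proxy.

    Hops are read from the nearest (the TCP peer, which cannot be spoofed)
    towards the far end of the header; a header entry is only believed if
    every hop to its right was a proxy we trust to have written it.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(peer_ip)
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop
    return hops[0]   # whole chain was our own proxies (e.g. a health check)


def demo():
    # Constructed sample requests as /moat would see them (peer = 127.0.0.1
    # because moat-shim forwards locally and appends its own peer's address).
    return {
        # Genuine path: client -> CDN edge -> moat-shim -> /moat
        "via_cdn": client_ip("127.0.0.1", "192.0.2.10, 198.51.100.7"),
        # Direct hit on /meek with a forged header: moat-shim appended the real peer
        "forged_via_meek": client_ip("127.0.0.1", "192.0.2.99, 203.0.113.5"),
        # Direct hit on /moat (no moat-shim): header entries are all unverified
        "forged_direct": client_ip("203.0.113.5", "192.0.2.1, 192.0.2.2"),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

In the forged cases the request is attributed to the peer address that actually reached us, not to anything the client wrote, which is why the rule only helps if the trusted ranges are exact; blocking direct access to /moat (the first item above) remains the primary control.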