Limit access to Moat's /meek endpoint to a trusted CDN

The Moat setup has both a /meek and a /moat endpoint. External requests are supposed to arrive at /meek, which adds an X-Forwarded-For header via moat-shim (#69 (closed)), and is then forwarded to /moat. /moat can trust the X-Forwarded-For header because it was last updated by moat-shim from /meek.

But anonymous11 points out that because /meek is exposed externally, an adversary can simulate control over many IP addresses by writing its own X-Forwarded-For header and thereby get access to more of the pool.

https://ntc.party/t/moat/1604/4

Но Moat (в отличии от HTTPS) делает сбор совсем простым. Можно подключаться напрямую к Meek серверу (/meek), Moat дистрибьютеру (/moat) с ложными заголовками Meek-IP (изображая CDN), X-Forwarded-For (изображая moat-shim).

But Moat (as opposed to HTTPS) makes gathering quite simple. You can connect directly to a Meek server (/meek), a Moat distributor (/moat) with false headers Meek-IP (impersonating CDN), X-Forwarded-For (impersonating moat-shim).

So

1. We can block direct access to /moat (allowing only localhost access from moat-shim), prohibiting X-Forwarded-For spoofing from outside.
2. We can try to ensure that access to /meek comes only from a CDN we trust to add X-Forwarded-For correctly.