Skip to main content

validate_upstream

synapse_pingora::validation

Function validate_upstream 

Source 
pub fn validate_upstream(upstream: &str) -> ValidationResult<()>
Expand description

Validates an upstream address (host:port) with SSRF protection.

§Security

This function validates upstream addresses and blocks SSRF attempts by:

  • Rejecting private/internal IP addresses
  • Rejecting cloud metadata endpoints (169.254.169.254)
  • Rejecting localhost and loopback addresses

For hostnames, DNS resolution is NOT performed at validation time to avoid DNS rebinding attacks. The upstream proxy should enforce IP restrictions at connection time as well.