- Timestamp:
- Jul 22, 2020, 3:03:01 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
trunk/config/config.go
r323 r370 5 5 "fmt" 6 6 "io" 7 "net" 7 8 "os" 8 9 9 10 "github.com/google/shlex" 10 11 ) 12 13 type IPSet []*net.IPNet 14 15 func (set IPSet) Contains(ip net.IP) bool { 16 for _, n := range set { 17 if n.Contains(ip) { 18 return true 19 } 20 } 21 return false 22 } 23 24 // loopbackIPs contains the loopback networks 127.0.0.0/8 and ::1/128. 25 var loopbackIPs = IPSet{ 26 &net.IPNet{ 27 IP: net.IP{127, 0, 0, 0}, 28 Mask: net.CIDRMask(8, 32), 29 }, 30 &net.IPNet{ 31 IP: net.IPv6loopback, 32 Mask: net.CIDRMask(128, 128), 33 }, 34 } 11 35 12 36 type TLS struct { … … 15 39 16 40 type Server struct { 17 Listen []string 18 Hostname string 19 TLS *TLS 20 SQLDriver string 21 SQLSource string 22 LogPath string 23 HTTPOrigins []string 41 Listen []string 42 Hostname string 43 TLS *TLS 44 SQLDriver string 45 SQLSource string 46 LogPath string 47 HTTPOrigins []string 48 AcceptProxyIPs IPSet 24 49 } 25 50 … … 30 55 } 31 56 return &Server{ 32 Hostname: hostname, 33 SQLDriver: "sqlite3", 34 SQLSource: "soju.db", 57 Hostname: hostname, 58 SQLDriver: "sqlite3", 59 SQLSource: "soju.db", 60 AcceptProxyIPs: loopbackIPs, 35 61 } 36 62 } … … 94 120 case "http-origin": 95 121 srv.HTTPOrigins = append(srv.HTTPOrigins, d.Params...) 122 case "accept-proxy-ip": 123 srv.AcceptProxyIPs = nil 124 for _, s := range d.Params { 125 _, n, err := net.ParseCIDR(s) 126 if err != nil { 127 return nil, fmt.Errorf("directive %q: failed to parse CIDR: %v", d.Name, err) 128 } 129 srv.AcceptProxyIPs = append(srv.AcceptProxyIPs, n) 130 } 96 131 default: 97 132 return nil, fmt.Errorf("unknown directive %q", d.Name) -
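Review bot: The `accept-proxy-ip` case keeps only the network half of `net.ParseCIDR`, so a value such as `10.0.0.5/8` is silently widened to `10.0.0.0/8` — a much larger set of addresses allowed to rewrite client identities than the operator likely typed. Since this list is a trust boundary, reject host bits explicitly: `ip, n, err := net.ParseCIDR(s)` … `if !ip.Equal(n.IP) { return nil, fmt.Errorf("directive %q: %q has host bits set", d.Name, s) }`. The new `AcceptProxyIPs` field and `IPSet` type also carry no doc comment; I would add `// AcceptProxyIPs lists the networks whose connections are trusted to rewrite the client address via X-Forwarded-*; keep it to your reverse proxies, since 0.0.0.0/0 lets any client impersonate any address.` and note on the directive that an `accept-proxy-ip` with no parameters sets the list to nil, i.e. trusts no proxy at all, because the loop follows `srv.AcceptProxyIPs = nil`. The `parseServer` function containing the directive switch starts and ends outside this hunk.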
trunk/doc/soju.1.scd
r369 r370 110 110 interpreted as shell patterns, see *glob*(7). 111 111 112 *accept-proxy-ip* <cidr...> 113 Allow the specified IPs to act as a proxy. Proxys have the ability to 114 overwrite the remote and local connection addresses (via the X-Forwarded-* 115 HTTP header fields). By default, the loopback addresses 127.0.0.0/8 and 116 ::1/128 are accepted. 117 112 118 # IRC SERVICE 113 119 -
trunk/server.go
r348 r370 12 12 "gopkg.in/irc.v3" 13 13 "nhooyr.io/websocket" 14 15 "git.sr.ht/~emersion/soju/config" 14 16 ) 15 17 … … 42 44 43 45 type Server struct { 44 Hostname string 45 Logger Logger 46 RingCap int 47 HistoryLimit int 48 LogPath string 49 Debug bool 50 HTTPOrigins []string 46 Hostname string 47 Logger Logger 48 RingCap int 49 HistoryLimit int 50 LogPath string 51 Debug bool 52 HTTPOrigins []string 53 AcceptProxyIPs config.IPSet 51 54 52 55 db *DB … … 154 157 } 155 158 156 is Loopback:= false159 isProxy := false 157 160 if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil { 158 161 if ip := net.ParseIP(host); ip != nil { 159 is Loopback = ip.IsLoopback()162 isProxy = s.AcceptProxyIPs.Contains(ip) 160 163 } 161 164 } 162 165 163 // Only trust X-Forwarded-* header fields if this is a loopback connection,166 // Only trust X-Forwarded-* header fields if this is a trusted proxy IP 164 167 // to prevent users from spoofing the remote address 165 168 remoteAddr := req.RemoteAddr 166 169 forwardedHost := req.Header.Get("X-Forwarded-For") 167 170 forwardedPort := req.Header.Get("X-Forwarded-Port") 168 if is Loopback&& forwardedHost != "" && forwardedPort != "" {171 if isProxy && forwardedHost != "" && forwardedPort != "" { 169 172 remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort) 170 173 }
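Review bot: Widening `isProxy` from loopback to configured networks makes the unchanged handling of `X-Forwarded-For` below it the weak point: the header is taken verbatim as one host, yet proxies commonly append to a client-supplied comma-separated chain, so the leftmost entry can still be attacker-chosen and `net.JoinHostPort` would also produce a malformed `a, b:port` string. Use only the rightmost element, which the trusted proxy itself wrote: `if i := strings.LastIndexByte(forwardedHost, ','); i >= 0 { forwardedHost = strings.TrimSpace(forwardedHost[i+1:]) }` (assuming `strings` is imported in this file; the import list is cut off above). Worth stating in the comment that a zero-value `Server` has a nil `AcceptProxyIPs`, for which `Contains` returns false, so the default without config is to trust nobody. The enclosing handler begins and ends outside this hunk.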