Changeset 370 in code for trunk/server.go

Timestamp:

Jul 22, 2020, 3:03:01 PM (5 years ago)

Author:

contact

Message:

Add accept-proxy-ip config directive

This allows to set the list of IPs allowed to act as a proxy. This is
only used for WebSockets right now, but will be expanded to TCP as well
once the PROXY protocol is supported.

File:

• trunk/server.go (modified) (3 diffs)

trunk/server.go

@@ -12 +12 @@
         "gopkg.in/irc.v3"
         "nhooyr.io/websocket"
+
+        "git.sr.ht/~emersion/soju/config"
 )
 
@@ -42 +44 @@
 
 type Server struct {
-        Hostname     string
-        Logger       Logger
-        RingCap      int
-        HistoryLimit int
-        LogPath      string
-        Debug        bool
-        HTTPOrigins  []string
+        Hostname       string
+        Logger         Logger
+        RingCap        int
+        HistoryLimit   int
+        LogPath        string
+        Debug          bool
+        HTTPOrigins    []string
+        AcceptProxyIPs config.IPSet
 
         db *DB
@@ -154 +157 @@
         }
 
-        isLoopback := false
+        isProxy := false
         if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
                 if ip := net.ParseIP(host); ip != nil {
-                        isLoopback = ip.IsLoopback()
+                        isProxy = s.AcceptProxyIPs.Contains(ip)
                 }
         }
 
-        // Only trust X-Forwarded-* header fields if this is a loopback connection,
+        // Only trust X-Forwarded-* header fields if this is a trusted proxy IP
         // to prevent users from spoofing the remote address
         remoteAddr := req.RemoteAddr
         forwardedHost := req.Header.Get("X-Forwarded-For")
         forwardedPort := req.Header.Get("X-Forwarded-Port")
-        if isLoopback && forwardedHost != "" && forwardedPort != "" {
+        if isProxy && forwardedHost != "" && forwardedPort != "" {
                 remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
         }