caddyhttp: Add server-level `trusted_proxies` config (#5103)

author: Francis Lavoie <lavofr@gmail.com> 2023-01-10 00:08:23 -0500
committer: GitHub <noreply@github.com> 2023-01-10 00:08:23 -0500
commit: 223cbe3d0b50487117c785f0755bb80a9ee65010 (patch)
tree: cf673da335e7470a50a7f1709464ec3f05e67291 /modules/caddyhttp/app.go
parent: 66ce0c5c635c4ff254ccb92123711534b6461b35 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 0943b32..d790284 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -20,7 +20,9 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -222,6 +224,24 @@ func (app *App) Provision(ctx caddy.Context) error {
 			srv.StrictSNIHost = &trueBool
 		}
 
+		// parse trusted proxy CIDRs ahead of time
+		for _, str := range srv.TrustedProxies {
+			if strings.Contains(str, "/") {
+				ipNet, err := netip.ParsePrefix(str)
+				if err != nil {
+					return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err)
+				}
+				srv.trustedProxies = append(srv.trustedProxies, ipNet)
+			} else {
+				ipAddr, err := netip.ParseAddr(str)
+				if err != nil {
+					return fmt.Errorf("invalid IP address: '%s': %v", str, err)
+				}
+				ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
+				srv.trustedProxies = append(srv.trustedProxies, ipNew)
+			}
+		}
+
 		// process each listener address
 		for i := range srv.Listen {
 			lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
author	Francis Lavoie <lavofr@gmail.com>	2023-01-10 00:08:23 -0500
committer	GitHub <noreply@github.com>	2023-01-10 00:08:23 -0500
commit	223cbe3d0b50487117c785f0755bb80a9ee65010 (patch)
tree	cf673da335e7470a50a7f1709464ec3f05e67291 /modules/caddyhttp/app.go
parent	66ce0c5c635c4ff254ccb92123711534b6461b35 (diff)