author | Francis Lavoie <lavofr@gmail.com> | 2023-02-06 14:44:11 -0500 |
committer | GitHub <noreply@github.com> | 2023-02-06 12:44:11 -0700 |
commit | 12bcbe2c4924ecbf6730fc340a7a4250bddcc9be (patch) | |
tree | ae19f9b5969a5bfec041b1cd3c784135ce073aa8 /modules/caddyhttp/server.go | |
parent | f6f1d8fc8931ae9ed9ed9b948b559a6149232fbc (diff) |
caddyhttp: Pluggable trusted proxy IP range sources (#5328)
* caddyhttp: Pluggable trusted proxy IP range sources
* Add request to the IPRangeSource interface
Diffstat (limited to 'modules/caddyhttp/server.go')
-rw-r--r-- | modules/caddyhttp/server.go | 25 |
1 files changed, 7 insertions, 18 deletions
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 420cc4a..13ebbe6 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -118,7 +118,7 @@ type Server struct {
 // client authentication.
 StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
- // A list of IP ranges (supports CIDR notation) from which
+ // A module which provides a source of IP ranges, from which
 // requests should be trusted. By default, no proxies are
 // trusted.
 //
@@ -128,7 +128,7 @@ type Server struct {
 // of needing to configure each of them. See the
 // `reverse_proxy` handler for example, which uses this
 // to trust sensitive incoming `X-Forwarded-*` headers.
- TrustedProxies []string `json:"trusted_proxies,omitempty"`
+ TrustedProxiesRaw json.RawMessage `json:"trusted_proxies,omitempty" caddy:"namespace=http.ip_sources inline_key=source"`
 // Enables access logging and configures how access logs are handled
 // in this server. To minimally enable access logs, simply set this
@@ -188,8 +188,7 @@ type Server struct {
 h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create
 addresses []caddy.NetworkAddress
- // Holds the parsed CIDR ranges from TrustedProxies
- trustedProxies []netip.Prefix
+ trustedProxies IPRangeSource
 shutdownAt time.Time
 shutdownAtMu *sync.RWMutex
@@ -751,7 +750,10 @@ func determineTrustedProxy(r *http.Request, s *Server) bool {
 }
 // Check if the client is a trusted proxy
- for _, ipRange := range s.trustedProxies {
+ if s.trustedProxies == nil {
+ return false
+ }
+ for _, ipRange := range s.trustedProxies.GetIPRanges(r) {
 if ipRange.Contains(ipAddr) {
 return true
 }
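Review bot: The doc comment on TrustedProxiesRaw still describes the field only as "a module which provides a source of IP ranges" and does not tell a config author what the JSON value now looks like, even though the `caddy:` tag fixes it: an object selecting a module from the `http.ip_sources` namespace via its `source` key, while the former list of CIDR strings is, as far as this hunk shows, no longer accepted under `trusted_proxies`. I would extend the comment with `// The value is an object that selects a module from the http.ip_sources namespace by its "source" key; the former list of CIDR strings is not accepted here.`, hedging the second clause if some adapter elsewhere still maps the old array form. The Server struct begins and continues outside the hunk.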
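Review bot: The trust decision in determineTrustedProxy now depends on whatever `s.trustedProxies.GetIPRanges(r)` returns for the very request being evaluated, and nothing at the call site says that a source must not derive its ranges from client-controlled parts of `r` — the `X-Forwarded-*` headers this check exists to gate, per the TrustedProxies doc earlier in the diff. Since the IPRangeSource interface lives outside this file, I would at least record the expectation here: `// GetIPRanges receives the request for context only; a source must not widen trust based on client-supplied data.`. The added `s.trustedProxies == nil` guard also only catches a nil interface, so if provisioning (not visible here) ever stores a typed nil pointer in the field, the method would be invoked on it; worth a note or a check where the field is assigned. The body of determineTrustedProxy begins and ends outside the hunk.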
@@ -771,19 +773,6 @@ func cloneURL(from, to *url.URL) {
 }
 }
-// PrivateRangesCIDR returns a list of private CIDR range
-// strings, which can be used as a configuration shortcut.
-func PrivateRangesCIDR() []string {
- return []string{
- "192.168.0.0/16",
- "172.16.0.0/12",
- "10.0.0.0/8",
- "127.0.0.1/8",
- "fd00::/8",
- "::1",
- }
-}
-
 // Context keys for HTTP request context values.
 const (
 // For referencing the server instance