From 05e9974570a08df14b1162a1e98315d4ee9ec2ee Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Mon, 27 Mar 2023 16:22:59 -0400 Subject: caddyhttp: Determine real client IP if trusted proxies configured (#5104) * caddyhttp: Determine real client IP if trusted proxies configured * Support customizing client IP header * Implement client_ip matcher, deprecate remote_ip's forwarded option --- .../global_server_options_single.txt | 7 ++++++ .../integration/caddyfile_adapt/matcher_syntax.txt | 25 ++++++++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'caddytest') diff --git a/caddytest/integration/caddyfile_adapt/global_server_options_single.txt b/caddytest/integration/caddyfile_adapt/global_server_options_single.txt index d963604..300b4ac 100644 --- a/caddytest/integration/caddyfile_adapt/global_server_options_single.txt +++ b/caddytest/integration/caddyfile_adapt/global_server_options_single.txt @@ -15,6 +15,8 @@ protocols h1 h2 h2c h3 strict_sni_host trusted_proxies static private_ranges + client_ip_headers Custom-Real-Client-IP X-Forwarded-For + client_ip_headers A-Third-One } } @@ -67,6 +69,11 @@ foo.com { ], "source": "static" }, + "client_ip_headers": [ + "Custom-Real-Client-IP", + "X-Forwarded-For", + "A-Third-One" + ], "logs": { "should_log_credentials": true }, diff --git a/caddytest/integration/caddyfile_adapt/matcher_syntax.txt b/caddytest/integration/caddyfile_adapt/matcher_syntax.txt index fb3dfb6..ffab2c7 100644 --- a/caddytest/integration/caddyfile_adapt/matcher_syntax.txt +++ b/caddytest/integration/caddyfile_adapt/matcher_syntax.txt @@ -43,6 +43,9 @@ @matcher11 remote_ip private_ranges respond @matcher11 "remote_ip matcher with private ranges" + + @matcher12 client_ip private_ranges + respond @matcher12 "client_ip matcher with private ranges" } ---------- { 
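Review bot: In the first hunk of global_server_options_single.txt, the two `client_ip_headers` lines sit next to `trusted_proxies static private_ranges` with nothing saying that the header list only matters for peers inside the trusted ranges, or that the order of the names is significant. The expected JSON in the second hunk pins the order `Custom-Real-Client-IP`, `X-Forwarded-For`, `A-Third-One`, so a fixture comment such as `# repeated client_ip_headers append; order is kept (presumably the lookup precedence)` would make the intent reviewable. This adapt test checks only the Caddyfile-to-JSON shape, and the diff is limited to caddytest. Whether a request-level test asserts that a forged `X-Forwarded-For` from a peer outside `trusted_proxies` is ignored cannot be seen from here and is worth confirming.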
@@ -250,6 +253,28 @@
 "handler": "static_response"
 }
 ]
+ },
+ {
+ "match": [
+ {
+ "client_ip": {
+ "ranges": [
+ "192.168.0.0/16",
+ "172.16.0.0/12",
+ "10.0.0.0/8",
+ "127.0.0.1/8",
+ "fd00::/8",
+ "::1"
+ ]
+ }
+ }
+ ],
+ "handle": [
+ {
+ "body": "client_ip matcher with private ranges",
+ "handler": "static_response"
+ }
+ ]
 }
 ]
 }
-- cgit v1.2.3
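Review bot: The `client_ip` case added to matcher_syntax.txt is adapted with no `trusted_proxies` setting visible, so the fixture gives no hint that, going by the commit subject, the matcher would be comparing against the connection's remote address in that configuration. A comment above `@matcher12` in this file's first hunk, e.g. `# client_ip equals remote_ip unless trusted_proxies is configured`, would keep readers from treating the rule as header-aware on its own. The file's global options are outside the hunk, so confirm that none is set. Separately, the expected ranges here carry `127.0.0.1/8` with host bits set and a bare `::1`. They look like the same expansion the `remote_ip` case uses, so any normalisation to `127.0.0.0/8` and `::1/128` belongs in the source of `private_ranges`, not in this fixture.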