From 223cbe3d0b50487117c785f0755bb80a9ee65010 Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Tue, 10 Jan 2023 00:08:23 -0500
Subject: caddyhttp: Add server-level `trusted_proxies` config (#5103)

---
 modules/caddyhttp/app.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'modules/caddyhttp/app.go')

diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 0943b32..d790284 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -20,7 +20,9 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -222,6 +224,24 @@ func (app *App) Provision(ctx caddy.Context) error {
 			srv.StrictSNIHost = &trueBool
 		}
 
+		// parse trusted proxy CIDRs ahead of time
+		for _, str := range srv.TrustedProxies {
+			if strings.Contains(str, "/") {
+				ipNet, err := netip.ParsePrefix(str)
+				if err != nil {
+					return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err)
+				}
+				srv.trustedProxies = append(srv.trustedProxies, ipNet)
+			} else {
+				ipAddr, err := netip.ParseAddr(str)
+				if err != nil {
+					return fmt.Errorf("invalid IP address: '%s': %v", str, err)
+				}
+				ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
+				srv.trustedProxies = append(srv.trustedProxies, ipNew)
+			}
+		}
+
 		// process each listener address
 		for i := range srv.Listen {
 			lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
-- 
cgit v1.2.3