fix: whitelist and XFF.

This commit is contained in:
Ludovic Fernandez 2018-05-30 09:26:03 +02:00 committed by Traefiker Bot
parent 8bca8236db
commit 6bcf45f136
3 changed files with 20 additions and 9 deletions

View file

@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
err := h.ips.IsAuthorized(req) err := h.ips.IsAuthorized(req)
if err != nil { if err != nil {
log.Error(err) log.Debug(err)
h.secureRewriter.Rewrite(req) h.secureRewriter.Rewrite(req)
return return
} }

View file

@ -61,7 +61,9 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
xFFs := req.Header[XForwardedFor] xFFs := req.Header[XForwardedFor]
if len(xFFs) > 0 { if len(xFFs) > 0 {
for _, xFF := range xFFs { for _, xFF := range xFFs {
ok, err := ip.contains(parseHost(xFF)) xffs := strings.Split(xFF, ",")
for _, xff := range xffs {
ok, err := ip.contains(parseHost(xff))
if err != nil { if err != nil {
return err return err
} }
@ -70,7 +72,8 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
return nil return nil
} }
invalidMatches = append(invalidMatches, xFF) invalidMatches = append(invalidMatches, xff)
}
} }
} }
} }

View file

@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"}, xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
authorized: true, authorized: true,
}, },
{
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
whiteList: []string{"1.2.3.4/24"},
allowXForwardedFor: true,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
authorized: true,
},
{ {
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range", desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
whiteList: []string{"1.2.3.4/24"}, whiteList: []string{"1.2.3.4/24"},