fix: whitelist and XFF.
parent
8bca8236db
commit
6bcf45f136
3 changed files with 20 additions and 9 deletions
|
@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
|
||||||
|
|
||||||
err := h.ips.IsAuthorized(req)
|
err := h.ips.IsAuthorized(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(err)
|
log.Debug(err)
|
||||||
h.secureRewriter.Rewrite(req)
|
h.secureRewriter.Rewrite(req)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
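Review bot: The downgrade from `log.Error` to `log.Debug` applies to every error `h.ips.IsAuthorized(req)` can return, not only the expected "peer is not a trusted proxy" case. The IsAuthorized shown further down this page (presumably the same method) also propagates errors from `ip.contains`, which look like parse failures rather than a policy decision, and those would now be hidden at any level above debug. If the two kinds can be told apart, keep the unexpected one louder. Either way a comment above the log call would help, e.g. `// an untrusted peer is the normal case here, so debug; its forwarded headers are rewritten below`. Rewrite's body starts and ends outside the hunk.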
@ -61,7 +61,9 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
|
||||||
xFFs := req.Header[XForwardedFor]
|
xFFs := req.Header[XForwardedFor]
|
||||||
if len(xFFs) > 0 {
|
if len(xFFs) > 0 {
|
||||||
for _, xFF := range xFFs {
|
for _, xFF := range xFFs {
|
||||||
ok, err := ip.contains(parseHost(xFF))
|
xffs := strings.Split(xFF, ",")
|
||||||
|
for _, xff := range xffs {
|
||||||
|
ok, err := ip.contains(parseHost(xff))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -70,7 +72,8 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
invalidMatches = append(invalidMatches, xFF)
|
invalidMatches = append(invalidMatches, xff)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
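Review bot: The inner loop added in the first hunk appears to authorize the request as soon as any comma-separated X-Forwarded-For entry is in the whitelist (the `return nil` that opens the second hunk, presumably under an `if ok` that falls between the hunks), and the leftmost entries of that header are whatever the client sent. Unless a trusted front proxy strips or overwrites the header, a caller outside the range can pass by listing a whitelisted address. Consider evaluating only the entry appended by the nearest trusted hop, or at least state the requirement above the loop, e.g. `// XFF is client-controlled: only safe when a trusted proxy sets it`. Separately, `strings.Split(xFF, ",")` keeps the space after each comma, so if `parseHost`/`contains` (not shown) do not trim, such an entry hits the `return err` path; `ok, err := ip.contains(parseHost(strings.TrimSpace(xff)))` avoids that. IsAuthorized begins and ends outside both hunks.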
@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
|
||||||
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
|
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
|
||||||
authorized: true,
|
authorized: true,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
|
||||||
|
whiteList: []string{"1.2.3.4/24"},
|
||||||
|
allowXForwardedFor: true,
|
||||||
|
remoteAddr: "10.2.3.1:123",
|
||||||
|
xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
|
||||||
|
authorized: true,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
|
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
|
||||||
whiteList: []string{"1.2.3.4/24"},
|
whiteList: []string{"1.2.3.4/24"},
|
||||||
|
|
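Review bot: The new "compact XFF" case puts the whitelisted address first (`"1.2.3.1, 10.2.3.1"`), so the loop presumably returns on the first entry and the space-prefixed second entry is never parsed. A case with the match after the comma, `xForwardedForValues: []string{"10.2.3.1, 1.2.3.1"}`, would exercise the split on every entry. A compact value with no whitelisted entry and `authorized: false` would pin the rejection path. The test table continues outside the hunk.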