fix: whitelist and XFF.

2018-05-30 09:26:03 +02:00 · 2018-05-30 09:26:03 +02:00 · 6bcf45f136
parent 8bca8236db
commit 6bcf45f136
3 changed files with 20 additions and 9 deletions
--- a/server/header_rewriter.go
+++ b/server/header_rewriter.go
@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
 	err := h.ips.IsAuthorized(req)
 	if err != nil {
-		log.Error(err)
+		log.Debug(err)
 		h.secureRewriter.Rewrite(req)
 		return
 	}
--- a/whitelist/ip.go
+++ b/whitelist/ip.go
@ -61,16 +61,19 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
 		xFFs := req.Header[XForwardedFor]
 		if len(xFFs) > 0 {
 			for _, xFF := range xFFs {
-				ok, err := ip.contains(parseHost(xFF))
+				xffs := strings.Split(xFF, ",")
-				if err != nil {
+				for _, xff := range xffs {
-					return err
+					ok, err := ip.contains(parseHost(xff))
-				}
+					if err != nil {
 						return err
 					}
-				if ok {
+					if ok {
-					return nil
+						return nil
-				}
+					}
-				invalidMatches = append(invalidMatches, xFF)
+					invalidMatches = append(invalidMatches, xff)
 				}
 			}
 		}
 	}
--- a/whitelist/ip_test.go
+++ b/whitelist/ip_test.go
@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
 			xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
 			authorized:          true,
 		},
 		{
 			desc:                "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
 			whiteList:           []string{"1.2.3.4/24"},
 			allowXForwardedFor:  true,
 			remoteAddr:          "10.2.3.1:123",
 			xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
 			authorized:          true,
 		},
 		{
 			desc:                "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
 			whiteList:           []string{"1.2.3.4/24"},