fix: whitelist and XFF.

This commit is contained in:
Ludovic Fernandez 2018-05-30 09:26:03 +02:00 committed by Traefiker Bot
parent 8bca8236db
commit 6bcf45f136
3 changed files with 20 additions and 9 deletions

View file

@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
err := h.ips.IsAuthorized(req)
if err != nil {
log.Error(err)
log.Debug(err)
h.secureRewriter.Rewrite(req)
return
}

View file

@ -61,7 +61,9 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
xFFs := req.Header[XForwardedFor]
if len(xFFs) > 0 {
for _, xFF := range xFFs {
ok, err := ip.contains(parseHost(xFF))
xffs := strings.Split(xFF, ",")
for _, xff := range xffs {
ok, err := ip.contains(parseHost(xff))
if err != nil {
return err
}
@ -70,7 +72,8 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
return nil
}
invalidMatches = append(invalidMatches, xFF)
invalidMatches = append(invalidMatches, xff)
}
}
}
}

View file

@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
authorized: true,
},
{
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
whiteList: []string{"1.2.3.4/24"},
allowXForwardedFor: true,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
authorized: true,
},
{
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
whiteList: []string{"1.2.3.4/24"},