fix: whitelist and XFF.
This commit is contained in:
parent
8bca8236db
commit
6bcf45f136
3 changed files with 20 additions and 9 deletions
|
@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
|
|||
|
||||
err := h.ips.IsAuthorized(req)
|
||||
if err != nil {
|
||||
log.Error(err)
|
||||
log.Debug(err)
|
||||
h.secureRewriter.Rewrite(req)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -61,7 +61,9 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
|
|||
xFFs := req.Header[XForwardedFor]
|
||||
if len(xFFs) > 0 {
|
||||
for _, xFF := range xFFs {
|
||||
ok, err := ip.contains(parseHost(xFF))
|
||||
xffs := strings.Split(xFF, ",")
|
||||
for _, xff := range xffs {
|
||||
ok, err := ip.contains(parseHost(xff))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -70,7 +72,8 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
invalidMatches = append(invalidMatches, xFF)
|
||||
invalidMatches = append(invalidMatches, xff)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
|
|||
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
|
||||
authorized: true,
|
||||
},
|
||||
{
|
||||
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
|
||||
whiteList: []string{"1.2.3.4/24"},
|
||||
allowXForwardedFor: true,
|
||||
remoteAddr: "10.2.3.1:123",
|
||||
xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
|
||||
authorized: true,
|
||||
},
|
||||
{
|
||||
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
|
||||
whiteList: []string{"1.2.3.4/24"},
|
||||
|
|
Loading…
Reference in a new issue