Lauris BH 044cd4d016
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation

* Trust all IP addresses in containerized environments by default

* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-03-16 00:27:28 +02:00

// Copyright 2020 Lauris BH. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package proxy
import (
"net"
)
// ForwardedHeadersOptions represents options for forwarded header middleware.
//
// It describes which upstream peers are allowed to act as proxies; within
// this file the only reader of the trust fields is isTrustedProxy.
type ForwardedHeadersOptions struct {
	// ForwardLimit limits the number of entries in the headers that will be processed.
	// The default value is 1. Set to 0 to disable the limit.
	//
	// NOTE(review): how the limit is applied is not visible in this file;
	// presumably 0 walks every header entry, which makes the outcome depend on
	// the least trusted hop in the chain — confirm against the middleware.
	ForwardLimit int
	// TrustingAllProxies, when true, makes isTrustedProxy accept every address
	// (a nil address included). It is set by TrustAllProxies and by
	// AddTrustedProxy("*"), and cleared by ClearTrustedProxies.
	TrustingAllProxies bool
	// TrustedProxies holds individual proxy addresses that are trusted.
	// Entries are matched with net.IP.Equal.
	TrustedProxies []net.IP
	// TrustedNetworks holds CIDR ranges whose members are trusted proxies.
	// Entries are matched with net.IPNet.Contains.
	TrustedNetworks []*net.IPNet
}
// defaultOptions is the template copied by NewForwardedHeadersOptions: one
// forwarded entry is processed and only the IPv4 loopback address 127.0.0.1
// is trusted as a proxy; no networks are trusted by default.
//
// NOTE(review): the IPv6 loopback ::1 and the rest of 127.0.0.0/8 are not
// included, so a proxy that connects over IPv6 loopback is not trusted unless
// the caller adds it explicitly — confirm this is intended.
var defaultOptions = &ForwardedHeadersOptions{
	ForwardLimit:   1,
	TrustedProxies: []net.IP{net.ParseIP("127.0.0.1")},
}
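// NewForwardedHeadersOptions creates new middleware options initialised from
// defaultOptions (ForwardLimit 1, 127.0.0.1 trusted, no trusted networks).
//
// The trust lists are copied rather than shared. The previous version handed
// out defaultOptions' own slices, so an append with spare capacity in
// AddTrustedProxy/AddTrustedNetwork could have written into the package-level
// default and leaked trust between independently configured instances. Today
// the default literal happens to be full (len == cap) so append reallocates,
// but that is an accident of the literal rather than a guarantee; a copy makes
// each instance's trust configuration independent by construction.
func NewForwardedHeadersOptions() *ForwardedHeadersOptions {
	return &ForwardedHeadersOptions{
		ForwardLimit:       defaultOptions.ForwardLimit,
		TrustingAllProxies: defaultOptions.TrustingAllProxies,
		TrustedProxies:     append([]net.IP(nil), defaultOptions.TrustedProxies...),
		TrustedNetworks:    append([]*net.IPNet(nil), defaultOptions.TrustedNetworks...),
	}
}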
// WithForwardLimit sets how many forwarded-header entries will be processed
// and returns opts so calls can be chained. The value is stored as given; per
// the field documentation 0 disables the limit. Negative values are not
// rejected here — whatever consumes ForwardLimit decides what they mean.
func (opts *ForwardedHeadersOptions) WithForwardLimit(limit int) *ForwardedHeadersOptions {
	opts.ForwardLimit = limit
	return opts
}
// TrustAllProxies switches on TrustingAllProxies and returns opts for chaining.
//
// After this call isTrustedProxy answers true for every address, so any peer
// that can reach the service — not just the configured reverse proxies — is
// treated as a trusted proxy. Use only when the listener is genuinely
// unreachable except through trusted infrastructure.
func (opts *ForwardedHeadersOptions) TrustAllProxies() *ForwardedHeadersOptions {
	opts.TrustingAllProxies = true
	return opts
}
// ClearTrustedProxies empties the per-address trust list and also switches
// off TrustingAllProxies, so afterwards only TrustedNetworks (which it leaves
// untouched) can make isTrustedProxy return true. It returns opts for
// chaining. The list is reset to an empty, non-nil slice.
func (opts *ForwardedHeadersOptions) ClearTrustedProxies() *ForwardedHeadersOptions {
	opts.TrustingAllProxies = false
	opts.TrustedProxies = []net.IP{}
	return opts
}
// AddTrustedProxy adds a single proxy IP to the trusted list and returns opts
// for chaining. The literal "*" is a wildcard that sets TrustingAllProxies
// instead of adding an address (same effect as TrustAllProxies).
//
// Anything net.ParseIP rejects is dropped silently: typos, CIDR notation such
// as "10.0.0.0/8" (use AddTrustedNetwork for ranges) and IPv6 literals with a
// zone suffix. The failure mode is closed — a mis-typed proxy address simply
// ends up not trusted — but nothing reports it, so callers validating
// configuration should parse the string themselves first.
func (opts *ForwardedHeadersOptions) AddTrustedProxy(ip string) *ForwardedHeadersOptions {
	switch parsed := net.ParseIP(ip); {
	case ip == "*":
		opts.TrustingAllProxies = true
	case parsed != nil:
		opts.TrustedProxies = append(opts.TrustedProxies, parsed)
	}
	return opts
}
// ClearTrustedNetworks empties the trusted CIDR list and returns opts for
// chaining. It does not touch TrustedProxies or TrustingAllProxies; call
// ClearTrustedProxies as well to start from a fully empty trust set.
// The list is reset to an empty, non-nil slice.
func (opts *ForwardedHeadersOptions) ClearTrustedNetworks() *ForwardedHeadersOptions {
	opts.TrustedNetworks = []*net.IPNet{}
	return opts
}
// AddTrustedNetwork adds a CIDR range ("10.0.0.0/8", "::1/128") to the
// trusted network list and returns opts for chaining. Only the network part is
// kept; host bits in the input are masked off by net.ParseCIDR.
//
// Strings that do not parse as CIDR are dropped silently — a bare address
// without a prefix length belongs in AddTrustedProxy instead. As with that
// method the failure is closed (nothing is trusted) but unreported.
func (opts *ForwardedHeadersOptions) AddTrustedNetwork(cidr string) *ForwardedHeadersOptions {
	if _, network, err := net.ParseCIDR(cidr); err == nil && network != nil {
		opts.TrustedNetworks = append(opts.TrustedNetworks, network)
	}
	return opts
}
// isTrustedProxy reports whether ip may be treated as a trusted proxy: always
// true when TrustingAllProxies is set (checked before the nil guard, so a nil
// ip is accepted in that mode), otherwise only for a non-nil ip that equals an
// entry of TrustedProxies or lies inside one of TrustedNetworks.
//
// Matching uses net.IP.Equal and net.IPNet.Contains, both of which treat an
// IPv4 address and its IPv4-mapped IPv6 form as the same address.
func (opts *ForwardedHeadersOptions) isTrustedProxy(ip net.IP) bool {
	switch {
	case opts.TrustingAllProxies:
		return true
	case ip == nil:
		return false
	}
	// The two scans are pure and the answer is an OR over every entry, so
	// their order does not affect the result.
	for _, network := range opts.TrustedNetworks {
		if network.Contains(ip) {
			return true
		}
	}
	for _, known := range opts.TrustedProxies {
		if known.Equal(ip) {
			return true
		}
	}
	return false
}