mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-22 16:46:53 +01:00
matchers: Drop forwarded
option from remote_ip
matcher (#6085)
parent
bde46211e3
commit
8c2a72ad07
2 changed files with 3 additions and 43 deletions
|
@ -373,22 +373,6 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
|
||||||
urlTarget: "https://example.com/foo",
|
urlTarget: "https://example.com/foo",
|
||||||
wantResult: true,
|
wantResult: true,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "remote_ip forwarded (MatchRemoteIP)",
|
|
||||||
expression: &MatchExpression{
|
|
||||||
Expr: `remote_ip('forwarded', '192.0.2.1')`,
|
|
||||||
},
|
|
||||||
urlTarget: "https://example.com/foo",
|
|
||||||
wantResult: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "remote_ip forwarded not first (MatchRemoteIP)",
|
|
||||||
expression: &MatchExpression{
|
|
||||||
Expr: `remote_ip('192.0.2.1', 'forwarded')`,
|
|
||||||
},
|
|
||||||
urlTarget: "https://example.com/foo",
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -37,13 +37,6 @@ type MatchRemoteIP struct {
|
||||||
// The IPs or CIDR ranges to match.
|
// The IPs or CIDR ranges to match.
|
||||||
Ranges []string `json:"ranges,omitempty"`
|
Ranges []string `json:"ranges,omitempty"`
|
||||||
|
|
||||||
// If true, prefer the first IP in the request's X-Forwarded-For
|
|
||||||
// header, if present, rather than the immediate peer's IP, as
|
|
||||||
// the reference IP against which to match. Note that it is easy
|
|
||||||
// to spoof request headers. Default: false
|
|
||||||
// DEPRECATED: This is insecure, MatchClientIP should be used instead.
|
|
||||||
Forwarded bool `json:"forwarded,omitempty"`
|
|
||||||
|
|
||||||
// cidrs and zones vars should aligned always in the same
|
// cidrs and zones vars should aligned always in the same
|
||||||
// length and indexes for matching later
|
// length and indexes for matching later
|
||||||
cidrs []*netip.Prefix
|
cidrs []*netip.Prefix
|
||||||
|
@ -82,11 +75,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
d.Next() // consume matcher name
|
d.Next() // consume matcher name
|
||||||
for d.NextArg() {
|
for d.NextArg() {
|
||||||
if d.Val() == "forwarded" {
|
if d.Val() == "forwarded" {
|
||||||
if len(m.Ranges) > 0 {
|
return d.Err("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead")
|
||||||
return d.Err("if used, 'forwarded' must be first argument")
|
|
||||||
}
|
|
||||||
m.Forwarded = true
|
|
||||||
continue
|
|
||||||
}
|
}
|
||||||
if d.Val() == "private_ranges" {
|
if d.Val() == "private_ranges" {
|
||||||
m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
|
m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
|
||||||
|
@ -105,7 +94,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
//
|
//
|
||||||
// Example:
|
// Example:
|
||||||
//
|
//
|
||||||
// expression remote_ip('forwarded', '192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8')
|
// expression remote_ip('192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8')
|
||||||
func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
|
func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
|
||||||
return CELMatcherImpl(
|
return CELMatcherImpl(
|
||||||
// name of the macro, this is the function name that users see when writing expressions.
|
// name of the macro, this is the function name that users see when writing expressions.
|
||||||
|
@ -126,11 +115,7 @@ func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
|
||||||
|
|
||||||
for _, input := range strList.([]string) {
|
for _, input := range strList.([]string) {
|
||||||
if input == "forwarded" {
|
if input == "forwarded" {
|
||||||
if len(m.Ranges) > 0 {
|
return nil, errors.New("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead")
|
||||||
return nil, errors.New("if used, 'forwarded' must be first argument")
|
|
||||||
}
|
|
||||||
m.Forwarded = true
|
|
||||||
continue
|
|
||||||
}
|
}
|
||||||
m.Ranges = append(m.Ranges, input)
|
m.Ranges = append(m.Ranges, input)
|
||||||
}
|
}
|
||||||
|
@ -151,21 +136,12 @@ func (m *MatchRemoteIP) Provision(ctx caddy.Context) error {
|
||||||
m.cidrs = cidrs
|
m.cidrs = cidrs
|
||||||
m.zones = zones
|
m.zones = zones
|
||||||
|
|
||||||
if m.Forwarded {
|
|
||||||
m.logger.Warn("remote_ip's forwarded mode is deprecated; use the 'client_ip' matcher instead")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Match returns true if r matches m.
|
// Match returns true if r matches m.
|
||||||
func (m MatchRemoteIP) Match(r *http.Request) bool {
|
func (m MatchRemoteIP) Match(r *http.Request) bool {
|
||||||
address := r.RemoteAddr
|
address := r.RemoteAddr
|
||||||
if m.Forwarded {
|
|
||||||
if fwdFor := r.Header.Get("X-Forwarded-For"); fwdFor != "" {
|
|
||||||
address = strings.TrimSpace(strings.Split(fwdFor, ",")[0])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
clientIP, zoneID, err := parseIPZoneFromString(address)
|
clientIP, zoneID, err := parseIPZoneFromString(address)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
m.logger.Error("getting remote IP", zap.Error(err))
|
m.logger.Error("getting remote IP", zap.Error(err))
|
||||||
|
|
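Review bot: Removing the `Forwarded` field from `MatchRemoteIP` (the `-37,13 +37,6` hunk) leaves JSON configs that still set `"forwarded": true` without the explicit rejection that the Caddyfile and CEL paths get in this commit. Whether such a config fails to load depends on how the module decoder treats unknown fields, which is not visible on this page; if the key were dropped silently, the matcher would compare its ranges against `r.RemoteAddr`, and behind a proxy a rule written for forwarded addresses could start matching every request. It is worth confirming that loading is strict, or recording the removal where the field used to be with a comment such as `// The 'forwarded' option was removed; use MatchClientIP (client_ip) instead.`. The test file also loses both forwarded cases; keeping one with the expression `remote_ip('forwarded', '192.0.2.1')` and `wantErr: true` would pin the new fail-closed behaviour. The bodies of `UnmarshalCaddyfile`, `CELLibrary` and `Match` continue outside the hunks shown.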