prosody
1b6298e7b550
plugins/mod_http.lua
Software / code / prosody
Comparison
plugins/mod_http.lua @ 11408:1b6298e7b550
Merge 0.11->trunk
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 27 Feb 2021 21:07:36 +0100 |
| parent | 11400:19a59cb7311e |
| parent | 11407:8d6e013377fa |
| child | 11409:d30c44a829c1 |
comparison
equal
deleted
inserted
replaced
| 11406:9d6545a7d483 | 11408:1b6298e7b550 |
|---|---|
| 260 end | 260 end |
| 261 | 261 |
| 262 local function get_ip_from_request(request) | 262 local function get_ip_from_request(request) |
| 263 local ip = request.conn:ip(); | 263 local ip = request.conn:ip(); |
| 264 local forwarded_for = request.headers.x_forwarded_for; | 264 local forwarded_for = request.headers.x_forwarded_for; |
| 265 if forwarded_for then | 265 if forwarded_for and is_trusted_proxy(ip) then |
| 266 -- luacheck: ignore 631 | 266 -- luacheck: ignore 631 |
| 267 -- This logic looks weird at first, but it makes sense. | 267 -- This logic looks weird at first, but it makes sense. |
| 268 -- The for loop will take the last non-trusted-proxy IP from `forwarded_for`. | 268 -- The for loop will take the last non-trusted-proxy IP from `forwarded_for`. |
| 269 -- We append the original request IP to the header. Then, since the last IP wins, there are two cases: | 269 -- We append the original request IP to the header. Then, since the last IP wins, there are two cases: |
| 270 -- Case a) The original request IP is *not* in trusted proxies, in which case the X-Forwarded-For header will, effectively, be ineffective; the original request IP will win because it overrides any other IP in the header. | 270 -- Case a) The original request IP is *not* in trusted proxies, in which case the X-Forwarded-For header will, effectively, be ineffective; the original request IP will win because it overrides any other IP in the header. |
| 281 return ip; | 281 return ip; |
| 282 end | 282 end |
| 283 | 283 |
| 284 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) | 284 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) |
| 285 local request = event_data.request; | 285 local request = event_data.request; |
| 286 if request and is_trusted_proxy(request.conn:ip()) then | 286 if request then |
| 287 -- Not included in eg http-error events | 287 -- Not included in eg http-error events |
| 288 request.ip = get_ip_from_request(request); | 288 request.ip = get_ip_from_request(request); |
| 289 | 289 |
| 290 if not request.secure and request.headers.x_forwarded_proto == "https" then | 290 if not request.secure and request.headers.x_forwarded_proto == "https" and is_trusted_proxy(request.conn:ip()) then |
| 291 request.secure = true; | 291 request.secure = true; |
| 292 end | 292 end |
| 293 end | 293 end |
| 294 return handlers(event_name, event_data); | 294 return handlers(event_name, event_data); |
| 295 end); | 295 end); |
