plugins/mod_http.lua @ 10923:dff1aebd0f2b
mod_http: Support CIDR for trusted proxies.
author | Boris Grozev <boris@jitsi.org> |
---|---|
date | Wed, 10 Jun 2020 13:15:57 -0500 |
parent | 10841:22f783d80eec |
child | 11021:9673c95895fb |
10922:7d3dbb9eb3eb | 10923:dff1aebd0f2b |
---|---|
15 local moduleapi = require "core.moduleapi"; | 15 local moduleapi = require "core.moduleapi"; |
16 local url_parse = require "socket.url".parse; | 16 local url_parse = require "socket.url".parse; |
17 local url_build = require "socket.url".build; | 17 local url_build = require "socket.url".build; |
18 local normalize_path = require "util.http".normalize_path; | 18 local normalize_path = require "util.http".normalize_path; |
19 local set = require "util.set"; | 19 local set = require "util.set"; |
20 | |
21 local ip_util = require "util.ip"; | |
22 local new_ip = ip_util.new_ip; | |
23 local match_ip = ip_util.match; | |
24 local parse_cidr = ip_util.parse_cidr; | |
20 | 25 |
21 local server = require "net.http.server"; | 26 local server = require "net.http.server"; |
22 | 27 |
23 server.set_default_host(module:get_option_string("http_default_host")); | 28 server.set_default_host(module:get_option_string("http_default_host")); |
24 | 29 |
202 | 207 |
203 module.add_host(module); -- set up handling on global context too | 208 module.add_host(module); -- set up handling on global context too |
204 | 209 |
205 local trusted_proxies = module:get_option_set("trusted_proxies", { "127.0.0.1", "::1" })._items; | 210 local trusted_proxies = module:get_option_set("trusted_proxies", { "127.0.0.1", "::1" })._items; |
206 | 211 |
212 local function is_trusted_proxy(ip) | |
213 local parsed_ip = new_ip(ip) | |
214 for trusted_proxy in trusted_proxies do | |
215 if match_ip(parsed_ip, parse_cidr(trusted_proxy)) then | |
216 return true; | |
217 end | |
218 end | |
219 return false | |
220 end | |
221 | |
207 local function get_ip_from_request(request) | 222 local function get_ip_from_request(request) |
208 local ip = request.conn:ip(); | 223 local ip = request.conn:ip(); |
209 local forwarded_for = request.headers.x_forwarded_for; | 224 local forwarded_for = request.headers.x_forwarded_for; |
210 if forwarded_for then | 225 if forwarded_for then |
211 -- luacheck: ignore 631 | 226 -- luacheck: ignore 631 |
216 -- Case b) The original request IP is in trusted proxies. In that case, the if branch in the for loop will skip the last IP, causing it to be ignored. The second-to-last IP will be taken instead. | 231 -- Case b) The original request IP is in trusted proxies. In that case, the if branch in the for loop will skip the last IP, causing it to be ignored. The second-to-last IP will be taken instead. |
217 -- Case c) If the second-to-last IP is also a trusted proxy, it will also be ignored, iteratively, up to the last IP which isn’t in trusted proxies. | 232 -- Case c) If the second-to-last IP is also a trusted proxy, it will also be ignored, iteratively, up to the last IP which isn’t in trusted proxies. |
218 -- Case d) If all IPs are in trusted proxies, something went obviously wrong and the logic never overwrites `ip`, leaving it at the original request IP. | 233 -- Case d) If all IPs are in trusted proxies, something went obviously wrong and the logic never overwrites `ip`, leaving it at the original request IP. |
219 forwarded_for = forwarded_for..", "..ip; | 234 forwarded_for = forwarded_for..", "..ip; |
220 for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do | 235 for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do |
221 if not trusted_proxies[forwarded_ip] then | 236 if not is_trusted_proxy(forwarded_ip) then |
222 ip = forwarded_ip; | 237 ip = forwarded_ip; |
223 end | 238 end |
224 end | 239 end |
225 end | 240 end |
226 return ip; | 241 return ip; |
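Review bot: `is_trusted_proxy` (new lines 212-220) feeds the result of `new_ip(ip)` straight into `match_ip` without checking it, and `ip` arrives from the client-controlled X-Forwarded-For header through the loop at new lines 235-236. If `util.ip`'s `new_ip` returns `nil, err` for a string that is neither IPv4 nor IPv6 form (its `util.ip` implementation is not visible here — confirm), then any peer, trusted or not, sending `X-Forwarded-For: foo` makes `match_ip` fail on a nil first argument, whereas the old `trusted_proxies[forwarded_ip]` lookup simply returned nil; a harmless header becomes a per-request error. Guard the parse before the loop — `local parsed_ip = new_ip(ip);` followed by `if not parsed_ip then return false; end` — which keeps the old semantics of treating an unrecognised token as "not a trusted proxy" and leaves it to be reported as the client address exactly as before. Separately, `parse_cidr(trusted_proxy)` re-parses every configured entry on every request; parsing `trusted_proxies` once at load time would avoid that and would surface a malformed entry (which, if `parse_cidr` likewise yields nil, would otherwise break `match_ip` on every request) in the log at startup instead of at request time. The body of `get_ip_from_request` continues past the end of this section.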