caddyhttp: Pluggable trusted proxy IP range sources (#5328)

* caddyhttp: Pluggable trusted proxy IP range sources

* Add request to the IPRangeSource interface
This commit is contained in:
Francis Lavoie 2023-02-06 14:44:11 -05:00 committed by GitHub
parent f6f1d8fc89
commit 12bcbe2c49
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 188 additions and 55 deletions

View file

@ -43,7 +43,7 @@ type serverOptions struct {
MaxHeaderBytes int MaxHeaderBytes int
Protocols []string Protocols []string
StrictSNIHost *bool StrictSNIHost *bool
TrustedProxies []string TrustedProxiesRaw json.RawMessage
ShouldLogCredentials bool ShouldLogCredentials bool
Metrics *caddyhttp.Metrics Metrics *caddyhttp.Metrics
} }
@ -188,13 +188,25 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
serverOpts.StrictSNIHost = &boolVal serverOpts.StrictSNIHost = &boolVal
case "trusted_proxies": case "trusted_proxies":
for d.NextArg() { if !d.NextArg() {
if d.Val() == "private_ranges" { return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, caddyhttp.PrivateRangesCIDR()...)
continue
} }
serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, d.Val()) modID := "http.ip_sources." + d.Val()
unm, err := caddyfile.UnmarshalModule(d, modID)
if err != nil {
return nil, err
} }
source, ok := unm.(caddyhttp.IPRangeSource)
if !ok {
return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
}
jsonSource := caddyconfig.JSONModuleObject(
source,
"source",
source.(caddy.Module).CaddyModule().ID.Name(),
nil,
)
serverOpts.TrustedProxiesRaw = jsonSource
case "metrics": case "metrics":
if d.NextArg() { if d.NextArg() {
@ -304,7 +316,7 @@ func applyServerOptions(
server.MaxHeaderBytes = opts.MaxHeaderBytes server.MaxHeaderBytes = opts.MaxHeaderBytes
server.Protocols = opts.Protocols server.Protocols = opts.Protocols
server.StrictSNIHost = opts.StrictSNIHost server.StrictSNIHost = opts.StrictSNIHost
server.TrustedProxies = opts.TrustedProxies server.TrustedProxiesRaw = opts.TrustedProxiesRaw
server.Metrics = opts.Metrics server.Metrics = opts.Metrics
if opts.ShouldLogCredentials { if opts.ShouldLogCredentials {
if server.Logs == nil { if server.Logs == nil {

View file

@ -14,7 +14,7 @@
log_credentials log_credentials
protocols h1 h2 h2c h3 protocols h1 h2 h2c h3
strict_sni_host strict_sni_host
trusted_proxies private_ranges trusted_proxies static private_ranges
} }
} }
@ -56,7 +56,8 @@ foo.com {
} }
], ],
"strict_sni_host": true, "strict_sni_host": true,
"trusted_proxies": [ "trusted_proxies": {
"ranges": [
"192.168.0.0/16", "192.168.0.0/16",
"172.16.0.0/12", "172.16.0.0/12",
"10.0.0.0/8", "10.0.0.0/8",
@ -64,6 +65,8 @@ foo.com {
"fd00::/8", "fd00::/8",
"::1" "::1"
], ],
"source": "static"
},
"logs": { "logs": {
"should_log_credentials": true "should_log_credentials": true
}, },

View file

@ -1,4 +1,3 @@
https://example.com { https://example.com {
reverse_proxy /path https://localhost:54321 { reverse_proxy /path https://localhost:54321 {
header_up Host {upstream_hostport} header_up Host {upstream_hostport}
@ -30,7 +29,6 @@ https://example.com {
} }
} }
} }
---------- ----------
{ {
"apps": { "apps": {

View file

@ -20,9 +20,7 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"net/netip"
"strconv" "strconv"
"strings"
"sync" "sync"
"time" "time"
@ -224,22 +222,13 @@ func (app *App) Provision(ctx caddy.Context) error {
srv.StrictSNIHost = &trueBool srv.StrictSNIHost = &trueBool
} }
// parse trusted proxy CIDRs ahead of time // set up the trusted proxies source
for _, str := range srv.TrustedProxies { for srv.TrustedProxiesRaw != nil {
if strings.Contains(str, "/") { val, err := ctx.LoadModule(srv, "TrustedProxiesRaw")
ipNet, err := netip.ParsePrefix(str)
if err != nil { if err != nil {
return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err) return fmt.Errorf("loading trusted proxies modules: %v", err)
}
srv.trustedProxies = append(srv.trustedProxies, ipNet)
} else {
ipAddr, err := netip.ParseAddr(str)
if err != nil {
return fmt.Errorf("invalid IP address: '%s': %v", str, err)
}
ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
srv.trustedProxies = append(srv.trustedProxies, ipNew)
} }
srv.trustedProxies = val.(IPRangeSource)
} }
// process each listener address // process each listener address

View file

@ -0,0 +1,142 @@
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package caddyhttp
import (
"fmt"
"net/http"
"net/netip"
"strings"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
)
func init() {
caddy.RegisterModule(StaticIPRange{})
}
// IPRangeSource gets a list of IP ranges.
//
// The request is passed as an argument to allow plugin implementations
// to have more flexibility. But, a plugin MUST NOT modify the request.
// The caller will have read the `r.RemoteAddr` before getting IP ranges.
//
// This should be a very fast function -- instant if possible.
// The list of IP ranges should be sourced as soon as possible if loaded
// from an external source (i.e. initially loaded during Provisioning),
// so that it's ready to be used when requests start getting handled.
// A read lock should probably be used to get the cached value if the
// ranges can change at runtime (e.g. periodically refreshed).
// Using a `caddy.UsagePool` may be a good idea to avoid having refetch
// the values when a config reload occurs, which would waste time.
//
// If the list of IP ranges cannot be sourced, then provisioning SHOULD
// fail. Getting the IP ranges at runtime MUST NOT fail, because it would
// cancel incoming requests. If refreshing the list fails, then the
// previous list of IP ranges should continue to be returned so that the
// server can continue to operate normally.
type IPRangeSource interface {
GetIPRanges(*http.Request) []netip.Prefix
}
// StaticIPRange provides a static range of IP address prefixes (CIDRs).
type StaticIPRange struct {
// A static list of IP ranges (supports CIDR notation).
Ranges []string `json:"ranges,omitempty"`
// Holds the parsed CIDR ranges from Ranges.
ranges []netip.Prefix
}
// CaddyModule returns the Caddy module information.
func (StaticIPRange) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
ID: "http.ip_sources.static",
New: func() caddy.Module { return new(StaticIPRange) },
}
}
func (s *StaticIPRange) Provision(ctx caddy.Context) error {
for _, str := range s.Ranges {
prefix, err := CIDRExpressionToPrefix(str)
if err != nil {
return err
}
s.ranges = append(s.ranges, prefix)
}
return nil
}
func (s *StaticIPRange) GetIPRanges(_ *http.Request) []netip.Prefix {
return s.ranges
}
// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
func (m *StaticIPRange) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
if !d.Next() {
return nil
}
for d.NextArg() {
if d.Val() == "private_ranges" {
m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
continue
}
m.Ranges = append(m.Ranges, d.Val())
}
return nil
}
// CIDRExpressionToPrefix takes a string which could be either a
// CIDR expression or a single IP address, and returns a netip.Prefix.
func CIDRExpressionToPrefix(expr string) (netip.Prefix, error) {
// Having a slash means it should be a CIDR expression
if strings.Contains(expr, "/") {
prefix, err := netip.ParsePrefix(expr)
if err != nil {
return netip.Prefix{}, fmt.Errorf("parsing CIDR expression: '%s': %v", expr, err)
}
return prefix, nil
}
// Otherwise it's likely a single IP address
parsed, err := netip.ParseAddr(expr)
if err != nil {
return netip.Prefix{}, fmt.Errorf("invalid IP address: '%s': %v", expr, err)
}
prefix := netip.PrefixFrom(parsed, parsed.BitLen())
return prefix, nil
}
// PrivateRangesCIDR returns a list of private CIDR range
// strings, which can be used as a configuration shortcut.
func PrivateRangesCIDR() []string {
return []string{
"192.168.0.0/16",
"172.16.0.0/12",
"10.0.0.0/8",
"127.0.0.1/8",
"fd00::/8",
"::1",
}
}
// Interface guards
var (
_ caddy.Provisioner = (*StaticIPRange)(nil)
_ caddyfile.Unmarshaler = (*StaticIPRange)(nil)
_ IPRangeSource = (*StaticIPRange)(nil)
)

View file

@ -118,7 +118,7 @@ type Server struct {
// client authentication. // client authentication.
StrictSNIHost *bool `json:"strict_sni_host,omitempty"` StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
// A list of IP ranges (supports CIDR notation) from which // A module which provides a source of IP ranges, from which
// requests should be trusted. By default, no proxies are // requests should be trusted. By default, no proxies are
// trusted. // trusted.
// //
@ -128,7 +128,7 @@ type Server struct {
// of needing to configure each of them. See the // of needing to configure each of them. See the
// `reverse_proxy` handler for example, which uses this // `reverse_proxy` handler for example, which uses this
// to trust sensitive incoming `X-Forwarded-*` headers. // to trust sensitive incoming `X-Forwarded-*` headers.
TrustedProxies []string `json:"trusted_proxies,omitempty"` TrustedProxiesRaw json.RawMessage `json:"trusted_proxies,omitempty" caddy:"namespace=http.ip_sources inline_key=source"`
// Enables access logging and configures how access logs are handled // Enables access logging and configures how access logs are handled
// in this server. To minimally enable access logs, simply set this // in this server. To minimally enable access logs, simply set this
@ -188,8 +188,7 @@ type Server struct {
h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create
addresses []caddy.NetworkAddress addresses []caddy.NetworkAddress
// Holds the parsed CIDR ranges from TrustedProxies trustedProxies IPRangeSource
trustedProxies []netip.Prefix
shutdownAt time.Time shutdownAt time.Time
shutdownAtMu *sync.RWMutex shutdownAtMu *sync.RWMutex
@ -751,7 +750,10 @@ func determineTrustedProxy(r *http.Request, s *Server) bool {
} }
// Check if the client is a trusted proxy // Check if the client is a trusted proxy
for _, ipRange := range s.trustedProxies { if s.trustedProxies == nil {
return false
}
for _, ipRange := range s.trustedProxies.GetIPRanges(r) {
if ipRange.Contains(ipAddr) { if ipRange.Contains(ipAddr) {
return true return true
} }
@ -771,19 +773,6 @@ func cloneURL(from, to *url.URL) {
} }
} }
// PrivateRangesCIDR returns a list of private CIDR range
// strings, which can be used as a configuration shortcut.
func PrivateRangesCIDR() []string {
return []string{
"192.168.0.0/16",
"172.16.0.0/12",
"10.0.0.0/8",
"127.0.0.1/8",
"fd00::/8",
"::1",
}
}
// Context keys for HTTP request context values. // Context keys for HTTP request context values.
const ( const (
// For referencing the server instance // For referencing the server instance