mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 14:13:48 +03:00
caddyhttp: Pluggable trusted proxy IP range sources (#5328)
* caddyhttp: Pluggable trusted proxy IP range sources * Add request to the IPRangeSource interface
This commit is contained in:
parent
f6f1d8fc89
commit
12bcbe2c49
6 changed files with 188 additions and 55 deletions
|
@ -43,7 +43,7 @@ type serverOptions struct {
|
||||||
MaxHeaderBytes int
|
MaxHeaderBytes int
|
||||||
Protocols []string
|
Protocols []string
|
||||||
StrictSNIHost *bool
|
StrictSNIHost *bool
|
||||||
TrustedProxies []string
|
TrustedProxiesRaw json.RawMessage
|
||||||
ShouldLogCredentials bool
|
ShouldLogCredentials bool
|
||||||
Metrics *caddyhttp.Metrics
|
Metrics *caddyhttp.Metrics
|
||||||
}
|
}
|
||||||
|
@ -188,13 +188,25 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
|
||||||
serverOpts.StrictSNIHost = &boolVal
|
serverOpts.StrictSNIHost = &boolVal
|
||||||
|
|
||||||
case "trusted_proxies":
|
case "trusted_proxies":
|
||||||
for d.NextArg() {
|
if !d.NextArg() {
|
||||||
if d.Val() == "private_ranges" {
|
return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
|
||||||
serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, caddyhttp.PrivateRangesCIDR()...)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, d.Val())
|
|
||||||
}
|
}
|
||||||
|
modID := "http.ip_sources." + d.Val()
|
||||||
|
unm, err := caddyfile.UnmarshalModule(d, modID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
source, ok := unm.(caddyhttp.IPRangeSource)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
|
||||||
|
}
|
||||||
|
jsonSource := caddyconfig.JSONModuleObject(
|
||||||
|
source,
|
||||||
|
"source",
|
||||||
|
source.(caddy.Module).CaddyModule().ID.Name(),
|
||||||
|
nil,
|
||||||
|
)
|
||||||
|
serverOpts.TrustedProxiesRaw = jsonSource
|
||||||
|
|
||||||
case "metrics":
|
case "metrics":
|
||||||
if d.NextArg() {
|
if d.NextArg() {
|
||||||
|
@ -304,7 +316,7 @@ func applyServerOptions(
|
||||||
server.MaxHeaderBytes = opts.MaxHeaderBytes
|
server.MaxHeaderBytes = opts.MaxHeaderBytes
|
||||||
server.Protocols = opts.Protocols
|
server.Protocols = opts.Protocols
|
||||||
server.StrictSNIHost = opts.StrictSNIHost
|
server.StrictSNIHost = opts.StrictSNIHost
|
||||||
server.TrustedProxies = opts.TrustedProxies
|
server.TrustedProxiesRaw = opts.TrustedProxiesRaw
|
||||||
server.Metrics = opts.Metrics
|
server.Metrics = opts.Metrics
|
||||||
if opts.ShouldLogCredentials {
|
if opts.ShouldLogCredentials {
|
||||||
if server.Logs == nil {
|
if server.Logs == nil {
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
log_credentials
|
log_credentials
|
||||||
protocols h1 h2 h2c h3
|
protocols h1 h2 h2c h3
|
||||||
strict_sni_host
|
strict_sni_host
|
||||||
trusted_proxies private_ranges
|
trusted_proxies static private_ranges
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -56,14 +56,17 @@ foo.com {
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"strict_sni_host": true,
|
"strict_sni_host": true,
|
||||||
"trusted_proxies": [
|
"trusted_proxies": {
|
||||||
"192.168.0.0/16",
|
"ranges": [
|
||||||
"172.16.0.0/12",
|
"192.168.0.0/16",
|
||||||
"10.0.0.0/8",
|
"172.16.0.0/12",
|
||||||
"127.0.0.1/8",
|
"10.0.0.0/8",
|
||||||
"fd00::/8",
|
"127.0.0.1/8",
|
||||||
"::1"
|
"fd00::/8",
|
||||||
],
|
"::1"
|
||||||
|
],
|
||||||
|
"source": "static"
|
||||||
|
},
|
||||||
"logs": {
|
"logs": {
|
||||||
"should_log_credentials": true
|
"should_log_credentials": true
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
https://example.com {
|
https://example.com {
|
||||||
reverse_proxy /path https://localhost:54321 {
|
reverse_proxy /path https://localhost:54321 {
|
||||||
header_up Host {upstream_hostport}
|
header_up Host {upstream_hostport}
|
||||||
|
@ -30,7 +29,6 @@ https://example.com {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
----------
|
----------
|
||||||
{
|
{
|
||||||
"apps": {
|
"apps": {
|
||||||
|
|
|
@ -20,9 +20,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/netip"
|
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -224,22 +222,13 @@ func (app *App) Provision(ctx caddy.Context) error {
|
||||||
srv.StrictSNIHost = &trueBool
|
srv.StrictSNIHost = &trueBool
|
||||||
}
|
}
|
||||||
|
|
||||||
// parse trusted proxy CIDRs ahead of time
|
// set up the trusted proxies source
|
||||||
for _, str := range srv.TrustedProxies {
|
for srv.TrustedProxiesRaw != nil {
|
||||||
if strings.Contains(str, "/") {
|
val, err := ctx.LoadModule(srv, "TrustedProxiesRaw")
|
||||||
ipNet, err := netip.ParsePrefix(str)
|
if err != nil {
|
||||||
if err != nil {
|
return fmt.Errorf("loading trusted proxies modules: %v", err)
|
||||||
return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err)
|
|
||||||
}
|
|
||||||
srv.trustedProxies = append(srv.trustedProxies, ipNet)
|
|
||||||
} else {
|
|
||||||
ipAddr, err := netip.ParseAddr(str)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("invalid IP address: '%s': %v", str, err)
|
|
||||||
}
|
|
||||||
ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
|
|
||||||
srv.trustedProxies = append(srv.trustedProxies, ipNew)
|
|
||||||
}
|
}
|
||||||
|
srv.trustedProxies = val.(IPRangeSource)
|
||||||
}
|
}
|
||||||
|
|
||||||
// process each listener address
|
// process each listener address
|
||||||
|
|
142
modules/caddyhttp/ip_range.go
Normal file
142
modules/caddyhttp/ip_range.go
Normal file
|
@ -0,0 +1,142 @@
|
||||||
|
// Copyright 2015 Matthew Holt and The Caddy Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package caddyhttp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/netip"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/caddyserver/caddy/v2"
|
||||||
|
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
caddy.RegisterModule(StaticIPRange{})
|
||||||
|
}
|
||||||
|
|
||||||
|
// IPRangeSource gets a list of IP ranges.
|
||||||
|
//
|
||||||
|
// The request is passed as an argument to allow plugin implementations
|
||||||
|
// to have more flexibility. But, a plugin MUST NOT modify the request.
|
||||||
|
// The caller will have read the `r.RemoteAddr` before getting IP ranges.
|
||||||
|
//
|
||||||
|
// This should be a very fast function -- instant if possible.
|
||||||
|
// The list of IP ranges should be sourced as soon as possible if loaded
|
||||||
|
// from an external source (i.e. initially loaded during Provisioning),
|
||||||
|
// so that it's ready to be used when requests start getting handled.
|
||||||
|
// A read lock should probably be used to get the cached value if the
|
||||||
|
// ranges can change at runtime (e.g. periodically refreshed).
|
||||||
|
// Using a `caddy.UsagePool` may be a good idea to avoid having refetch
|
||||||
|
// the values when a config reload occurs, which would waste time.
|
||||||
|
//
|
||||||
|
// If the list of IP ranges cannot be sourced, then provisioning SHOULD
|
||||||
|
// fail. Getting the IP ranges at runtime MUST NOT fail, because it would
|
||||||
|
// cancel incoming requests. If refreshing the list fails, then the
|
||||||
|
// previous list of IP ranges should continue to be returned so that the
|
||||||
|
// server can continue to operate normally.
|
||||||
|
type IPRangeSource interface {
|
||||||
|
GetIPRanges(*http.Request) []netip.Prefix
|
||||||
|
}
|
||||||
|
|
||||||
|
// StaticIPRange provides a static range of IP address prefixes (CIDRs).
|
||||||
|
type StaticIPRange struct {
|
||||||
|
// A static list of IP ranges (supports CIDR notation).
|
||||||
|
Ranges []string `json:"ranges,omitempty"`
|
||||||
|
|
||||||
|
// Holds the parsed CIDR ranges from Ranges.
|
||||||
|
ranges []netip.Prefix
|
||||||
|
}
|
||||||
|
|
||||||
|
// CaddyModule returns the Caddy module information.
|
||||||
|
func (StaticIPRange) CaddyModule() caddy.ModuleInfo {
|
||||||
|
return caddy.ModuleInfo{
|
||||||
|
ID: "http.ip_sources.static",
|
||||||
|
New: func() caddy.Module { return new(StaticIPRange) },
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *StaticIPRange) Provision(ctx caddy.Context) error {
|
||||||
|
for _, str := range s.Ranges {
|
||||||
|
prefix, err := CIDRExpressionToPrefix(str)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
s.ranges = append(s.ranges, prefix)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *StaticIPRange) GetIPRanges(_ *http.Request) []netip.Prefix {
|
||||||
|
return s.ranges
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
|
||||||
|
func (m *StaticIPRange) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
|
if !d.Next() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
for d.NextArg() {
|
||||||
|
if d.Val() == "private_ranges" {
|
||||||
|
m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
m.Ranges = append(m.Ranges, d.Val())
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CIDRExpressionToPrefix takes a string which could be either a
|
||||||
|
// CIDR expression or a single IP address, and returns a netip.Prefix.
|
||||||
|
func CIDRExpressionToPrefix(expr string) (netip.Prefix, error) {
|
||||||
|
// Having a slash means it should be a CIDR expression
|
||||||
|
if strings.Contains(expr, "/") {
|
||||||
|
prefix, err := netip.ParsePrefix(expr)
|
||||||
|
if err != nil {
|
||||||
|
return netip.Prefix{}, fmt.Errorf("parsing CIDR expression: '%s': %v", expr, err)
|
||||||
|
}
|
||||||
|
return prefix, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Otherwise it's likely a single IP address
|
||||||
|
parsed, err := netip.ParseAddr(expr)
|
||||||
|
if err != nil {
|
||||||
|
return netip.Prefix{}, fmt.Errorf("invalid IP address: '%s': %v", expr, err)
|
||||||
|
}
|
||||||
|
prefix := netip.PrefixFrom(parsed, parsed.BitLen())
|
||||||
|
return prefix, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PrivateRangesCIDR returns a list of private CIDR range
|
||||||
|
// strings, which can be used as a configuration shortcut.
|
||||||
|
func PrivateRangesCIDR() []string {
|
||||||
|
return []string{
|
||||||
|
"192.168.0.0/16",
|
||||||
|
"172.16.0.0/12",
|
||||||
|
"10.0.0.0/8",
|
||||||
|
"127.0.0.1/8",
|
||||||
|
"fd00::/8",
|
||||||
|
"::1",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Interface guards
|
||||||
|
var (
|
||||||
|
_ caddy.Provisioner = (*StaticIPRange)(nil)
|
||||||
|
_ caddyfile.Unmarshaler = (*StaticIPRange)(nil)
|
||||||
|
_ IPRangeSource = (*StaticIPRange)(nil)
|
||||||
|
)
|
|
@ -118,7 +118,7 @@ type Server struct {
|
||||||
// client authentication.
|
// client authentication.
|
||||||
StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
|
StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
|
||||||
|
|
||||||
// A list of IP ranges (supports CIDR notation) from which
|
// A module which provides a source of IP ranges, from which
|
||||||
// requests should be trusted. By default, no proxies are
|
// requests should be trusted. By default, no proxies are
|
||||||
// trusted.
|
// trusted.
|
||||||
//
|
//
|
||||||
|
@ -128,7 +128,7 @@ type Server struct {
|
||||||
// of needing to configure each of them. See the
|
// of needing to configure each of them. See the
|
||||||
// `reverse_proxy` handler for example, which uses this
|
// `reverse_proxy` handler for example, which uses this
|
||||||
// to trust sensitive incoming `X-Forwarded-*` headers.
|
// to trust sensitive incoming `X-Forwarded-*` headers.
|
||||||
TrustedProxies []string `json:"trusted_proxies,omitempty"`
|
TrustedProxiesRaw json.RawMessage `json:"trusted_proxies,omitempty" caddy:"namespace=http.ip_sources inline_key=source"`
|
||||||
|
|
||||||
// Enables access logging and configures how access logs are handled
|
// Enables access logging and configures how access logs are handled
|
||||||
// in this server. To minimally enable access logs, simply set this
|
// in this server. To minimally enable access logs, simply set this
|
||||||
|
@ -188,8 +188,7 @@ type Server struct {
|
||||||
h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create
|
h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create
|
||||||
addresses []caddy.NetworkAddress
|
addresses []caddy.NetworkAddress
|
||||||
|
|
||||||
// Holds the parsed CIDR ranges from TrustedProxies
|
trustedProxies IPRangeSource
|
||||||
trustedProxies []netip.Prefix
|
|
||||||
|
|
||||||
shutdownAt time.Time
|
shutdownAt time.Time
|
||||||
shutdownAtMu *sync.RWMutex
|
shutdownAtMu *sync.RWMutex
|
||||||
|
@ -751,7 +750,10 @@ func determineTrustedProxy(r *http.Request, s *Server) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the client is a trusted proxy
|
// Check if the client is a trusted proxy
|
||||||
for _, ipRange := range s.trustedProxies {
|
if s.trustedProxies == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
for _, ipRange := range s.trustedProxies.GetIPRanges(r) {
|
||||||
if ipRange.Contains(ipAddr) {
|
if ipRange.Contains(ipAddr) {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -771,19 +773,6 @@ func cloneURL(from, to *url.URL) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// PrivateRangesCIDR returns a list of private CIDR range
|
|
||||||
// strings, which can be used as a configuration shortcut.
|
|
||||||
func PrivateRangesCIDR() []string {
|
|
||||||
return []string{
|
|
||||||
"192.168.0.0/16",
|
|
||||||
"172.16.0.0/12",
|
|
||||||
"10.0.0.0/8",
|
|
||||||
"127.0.0.1/8",
|
|
||||||
"fd00::/8",
|
|
||||||
"::1",
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Context keys for HTTP request context values.
|
// Context keys for HTTP request context values.
|
||||||
const (
|
const (
|
||||||
// For referencing the server instance
|
// For referencing the server instance
|
||||||
|
|
Loading…
Reference in a new issue