caddyhttp: Pluggable trusted proxy IP range sources (#5328)

* caddyhttp: Pluggable trusted proxy IP range sources * Add request to the IPRangeSource interface
2024-12-26 21:53:48 +03:00 · 2023-02-06 14:44:11 -05:00 · 2023-02-06 14:44:11 -05:00 · 12bcbe2c49
commit 12bcbe2c49
parent f6f1d8fc89
6 changed files with 188 additions and 55 deletions
--- a/caddyconfig/httpcaddyfile/serveroptions.go
+++ b/caddyconfig/httpcaddyfile/serveroptions.go
@ -43,7 +43,7 @@ type serverOptions struct {
 	MaxHeaderBytes       int
 	Protocols            []string
 	StrictSNIHost        *bool
-	TrustedProxies       []string
+	TrustedProxiesRaw    json.RawMessage
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
 }
@ -188,13 +188,25 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				serverOpts.StrictSNIHost = &boolVal
 			case "trusted_proxies":
-				for d.NextArg() {
+				if !d.NextArg() {
-					if d.Val() == "private_ranges" {
+					return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
 						serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, caddyhttp.PrivateRangesCIDR()...)
 						continue
 					}
 					serverOpts.TrustedProxies = append(serverOpts.TrustedProxies, d.Val())
 				}
 				modID := "http.ip_sources." + d.Val()
 				unm, err := caddyfile.UnmarshalModule(d, modID)
 				if err != nil {
 					return nil, err
 				}
 				source, ok := unm.(caddyhttp.IPRangeSource)
 				if !ok {
 					return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
 				}
 				jsonSource := caddyconfig.JSONModuleObject(
 					source,
 					"source",
 					source.(caddy.Module).CaddyModule().ID.Name(),
 					nil,
 				)
 				serverOpts.TrustedProxiesRaw = jsonSource
 			case "metrics":
 				if d.NextArg() {
@ -304,7 +316,7 @@ func applyServerOptions(
 		server.MaxHeaderBytes = opts.MaxHeaderBytes
 		server.Protocols = opts.Protocols
 		server.StrictSNIHost = opts.StrictSNIHost
-		server.TrustedProxies = opts.TrustedProxies
+		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
--- a/caddytest/integration/caddyfile_adapt/global_server_options_single.txt
+++ b/caddytest/integration/caddyfile_adapt/global_server_options_single.txt
@ -14,7 +14,7 @@
 		log_credentials
 		protocols h1 h2 h2c h3
 		strict_sni_host
-		trusted_proxies private_ranges
+		trusted_proxies static private_ranges
 	}
 }
@ -56,14 +56,17 @@ foo.com {
 						}
 					],
 					"strict_sni_host": true,
-					"trusted_proxies": [
+					"trusted_proxies": {
-						"192.168.0.0/16",
+						"ranges": [
-						"172.16.0.0/12",
+							"192.168.0.0/16",
-						"10.0.0.0/8",
+							"172.16.0.0/12",
-						"127.0.0.1/8",
+							"10.0.0.0/8",
-						"fd00::/8",
+							"127.0.0.1/8",
-						"::1"
+							"fd00::/8",
-					],
+							"::1"
 						],
 						"source": "static"
 					},
 					"logs": {
 						"should_log_credentials": true
 					},
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
@ -1,4 +1,3 @@
 https://example.com {
 	reverse_proxy /path https://localhost:54321 {
 		header_up Host {upstream_hostport}
@ -24,13 +23,12 @@ https://example.com {
 			max_conns_per_host 5
 			keepalive_idle_conns_per_host 2
 			keepalive_interval 30s
-			
+
 			tls_renegotiation freely
 			tls_except_ports 8181 8182
 		}
 	}
 }
 ----------
 {
 	"apps": {
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@ -20,9 +20,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
@ -224,22 +222,13 @@ func (app *App) Provision(ctx caddy.Context) error {
 			srv.StrictSNIHost = &trueBool
 		}
-		// parse trusted proxy CIDRs ahead of time
+		// set up the trusted proxies source
-		for _, str := range srv.TrustedProxies {
+		for srv.TrustedProxiesRaw != nil {
-			if strings.Contains(str, "/") {
+			val, err := ctx.LoadModule(srv, "TrustedProxiesRaw")
-				ipNet, err := netip.ParsePrefix(str)
+			if err != nil {
-				if err != nil {
+				return fmt.Errorf("loading trusted proxies modules: %v", err)
 					return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err)
 				}
 				srv.trustedProxies = append(srv.trustedProxies, ipNet)
 			} else {
 				ipAddr, err := netip.ParseAddr(str)
 				if err != nil {
 					return fmt.Errorf("invalid IP address: '%s': %v", str, err)
 				}
 				ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
 				srv.trustedProxies = append(srv.trustedProxies, ipNew)
 			}
 			srv.trustedProxies = val.(IPRangeSource)
 		}
 		// process each listener address
--- a/modules/caddyhttp/ip_range.go
+++ b/modules/caddyhttp/ip_range.go
@ -0,0 +1,142 @@
 // Copyright 2015 Matthew Holt and The Caddy Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package caddyhttp
 import (
 	"fmt"
 	"net/http"
 	"net/netip"
 	"strings"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 func init() {
 	caddy.RegisterModule(StaticIPRange{})
 }
 // IPRangeSource gets a list of IP ranges.
 //
 // The request is passed as an argument to allow plugin implementations
 // to have more flexibility. But, a plugin MUST NOT modify the request.
 // The caller will have read the `r.RemoteAddr` before getting IP ranges.
 //
 // This should be a very fast function -- instant if possible.
 // The list of IP ranges should be sourced as soon as possible if loaded
 // from an external source (i.e. initially loaded during Provisioning),
 // so that it's ready to be used when requests start getting handled.
 // A read lock should probably be used to get the cached value if the
 // ranges can change at runtime (e.g. periodically refreshed).
 // Using a `caddy.UsagePool` may be a good idea to avoid having refetch
 // the values when a config reload occurs, which would waste time.
 //
 // If the list of IP ranges cannot be sourced, then provisioning SHOULD
 // fail. Getting the IP ranges at runtime MUST NOT fail, because it would
 // cancel incoming requests. If refreshing the list fails, then the
 // previous list of IP ranges should continue to be returned so that the
 // server can continue to operate normally.
 type IPRangeSource interface {
 	GetIPRanges(*http.Request) []netip.Prefix
 }
 // StaticIPRange provides a static range of IP address prefixes (CIDRs).
 type StaticIPRange struct {
 	// A static list of IP ranges (supports CIDR notation).
 	Ranges []string `json:"ranges,omitempty"`
 	// Holds the parsed CIDR ranges from Ranges.
 	ranges []netip.Prefix
 }
 // CaddyModule returns the Caddy module information.
 func (StaticIPRange) CaddyModule() caddy.ModuleInfo {
 	return caddy.ModuleInfo{
 		ID:  "http.ip_sources.static",
 		New: func() caddy.Module { return new(StaticIPRange) },
 	}
 }
 func (s *StaticIPRange) Provision(ctx caddy.Context) error {
 	for _, str := range s.Ranges {
 		prefix, err := CIDRExpressionToPrefix(str)
 		if err != nil {
 			return err
 		}
 		s.ranges = append(s.ranges, prefix)
 	}
 	return nil
 }
 func (s *StaticIPRange) GetIPRanges(_ *http.Request) []netip.Prefix {
 	return s.ranges
 }
 // UnmarshalCaddyfile implements caddyfile.Unmarshaler.
 func (m *StaticIPRange) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	if !d.Next() {
 		return nil
 	}
 	for d.NextArg() {
 		if d.Val() == "private_ranges" {
 			m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
 			continue
 		}
 		m.Ranges = append(m.Ranges, d.Val())
 	}
 	return nil
 }
 // CIDRExpressionToPrefix takes a string which could be either a
 // CIDR expression or a single IP address, and returns a netip.Prefix.
 func CIDRExpressionToPrefix(expr string) (netip.Prefix, error) {
 	// Having a slash means it should be a CIDR expression
 	if strings.Contains(expr, "/") {
 		prefix, err := netip.ParsePrefix(expr)
 		if err != nil {
 			return netip.Prefix{}, fmt.Errorf("parsing CIDR expression: '%s': %v", expr, err)
 		}
 		return prefix, nil
 	}
 	// Otherwise it's likely a single IP address
 	parsed, err := netip.ParseAddr(expr)
 	if err != nil {
 		return netip.Prefix{}, fmt.Errorf("invalid IP address: '%s': %v", expr, err)
 	}
 	prefix := netip.PrefixFrom(parsed, parsed.BitLen())
 	return prefix, nil
 }
 // PrivateRangesCIDR returns a list of private CIDR range
 // strings, which can be used as a configuration shortcut.
 func PrivateRangesCIDR() []string {
 	return []string{
 		"192.168.0.0/16",
 		"172.16.0.0/12",
 		"10.0.0.0/8",
 		"127.0.0.1/8",
 		"fd00::/8",
 		"::1",
 	}
 }
 // Interface guards
 var (
 	_ caddy.Provisioner     = (*StaticIPRange)(nil)
 	_ caddyfile.Unmarshaler = (*StaticIPRange)(nil)
 	_ IPRangeSource         = (*StaticIPRange)(nil)
 )
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@ -118,7 +118,7 @@ type Server struct {
 	// client authentication.
 	StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
-	// A list of IP ranges (supports CIDR notation) from which
+	// A module which provides a source of IP ranges, from which
 	// requests should be trusted. By default, no proxies are
 	// trusted.
 	//
@ -128,7 +128,7 @@ type Server struct {
 	// of needing to configure each of them. See the
 	// `reverse_proxy` handler for example, which uses this
 	// to trust sensitive incoming `X-Forwarded-*` headers.
-	TrustedProxies []string `json:"trusted_proxies,omitempty"`
+	TrustedProxiesRaw json.RawMessage `json:"trusted_proxies,omitempty" caddy:"namespace=http.ip_sources inline_key=source"`
 	// Enables access logging and configures how access logs are handled
 	// in this server. To minimally enable access logs, simply set this
@ -188,8 +188,7 @@ type Server struct {
 	h3listeners []net.PacketConn // TODO: we have to hold these because quic-go won't close listeners it didn't create
 	addresses   []caddy.NetworkAddress
-	// Holds the parsed CIDR ranges from TrustedProxies
+	trustedProxies IPRangeSource
 	trustedProxies []netip.Prefix
 	shutdownAt   time.Time
 	shutdownAtMu *sync.RWMutex
@ -751,7 +750,10 @@ func determineTrustedProxy(r *http.Request, s *Server) bool {
 	}
 	// Check if the client is a trusted proxy
-	for _, ipRange := range s.trustedProxies {
+	if s.trustedProxies == nil {
 		return false
 	}
 	for _, ipRange := range s.trustedProxies.GetIPRanges(r) {
 		if ipRange.Contains(ipAddr) {
 			return true
 		}
@ -771,19 +773,6 @@ func cloneURL(from, to *url.URL) {
 	}
 }
 // PrivateRangesCIDR returns a list of private CIDR range
 // strings, which can be used as a configuration shortcut.
 func PrivateRangesCIDR() []string {
 	return []string{
 		"192.168.0.0/16",
 		"172.16.0.0/12",
 		"10.0.0.0/8",
 		"127.0.0.1/8",
 		"fd00::/8",
 		"::1",
 	}
 }
 // Context keys for HTTP request context values.
 const (
 	// For referencing the server instance