matchers: Drop forwarded option from remote_ip matcher (#6085)

Francis Lavoie 2024-02-07 10:09:29 -05:00 committed by GitHub
parent bde46211e3
commit 8c2a72ad07
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 43 deletions


@ -373,22 +373,6 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
urlTarget: "https://example.com/foo", urlTarget: "https://example.com/foo",
wantResult: true, wantResult: true,
}, },
{
name: "remote_ip forwarded (MatchRemoteIP)",
expression: &MatchExpression{
Expr: `remote_ip('forwarded', '192.0.2.1')`,
},
urlTarget: "https://example.com/foo",
wantResult: true,
},
{
name: "remote_ip forwarded not first (MatchRemoteIP)",
expression: &MatchExpression{
Expr: `remote_ip('192.0.2.1', 'forwarded')`,
},
urlTarget: "https://example.com/foo",
wantErr: true,
},
} }
) )


@ -37,13 +37,6 @@ type MatchRemoteIP struct {
// The IPs or CIDR ranges to match. // The IPs or CIDR ranges to match.
Ranges []string `json:"ranges,omitempty"` Ranges []string `json:"ranges,omitempty"`
// If true, prefer the first IP in the request's X-Forwarded-For
// header, if present, rather than the immediate peer's IP, as
// the reference IP against which to match. Note that it is easy
// to spoof request headers. Default: false
// DEPRECATED: This is insecure, MatchClientIP should be used instead.
Forwarded bool `json:"forwarded,omitempty"`
// cidrs and zones vars should aligned always in the same // cidrs and zones vars should aligned always in the same
// length and indexes for matching later // length and indexes for matching later
cidrs []*netip.Prefix cidrs []*netip.Prefix
@ -82,11 +75,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
d.Next() // consume matcher name d.Next() // consume matcher name
for d.NextArg() { for d.NextArg() {
if d.Val() == "forwarded" { if d.Val() == "forwarded" {
if len(m.Ranges) > 0 { return d.Err("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead")
return d.Err("if used, 'forwarded' must be first argument")
}
m.Forwarded = true
continue
} }
if d.Val() == "private_ranges" { if d.Val() == "private_ranges" {
m.Ranges = append(m.Ranges, PrivateRangesCIDR()...) m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
@ -105,7 +94,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
// //
// Example: // Example:
// //
// expression remote_ip('forwarded', '192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8') // expression remote_ip('192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8')
func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) { func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
return CELMatcherImpl( return CELMatcherImpl(
// name of the macro, this is the function name that users see when writing expressions. // name of the macro, this is the function name that users see when writing expressions.
@ -126,11 +115,7 @@ func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
for _, input := range strList.([]string) { for _, input := range strList.([]string) {
if input == "forwarded" { if input == "forwarded" {
if len(m.Ranges) > 0 { return nil, errors.New("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead")
return nil, errors.New("if used, 'forwarded' must be first argument")
}
m.Forwarded = true
continue
} }
m.Ranges = append(m.Ranges, input) m.Ranges = append(m.Ranges, input)
} }
@ -151,21 +136,12 @@ func (m *MatchRemoteIP) Provision(ctx caddy.Context) error {
m.cidrs = cidrs m.cidrs = cidrs
m.zones = zones m.zones = zones
if m.Forwarded {
m.logger.Warn("remote_ip's forwarded mode is deprecated; use the 'client_ip' matcher instead")
}
return nil return nil
} }
// Match returns true if r matches m. // Match returns true if r matches m.
func (m MatchRemoteIP) Match(r *http.Request) bool { func (m MatchRemoteIP) Match(r *http.Request) bool {
address := r.RemoteAddr address := r.RemoteAddr
if m.Forwarded {
if fwdFor := r.Header.Get("X-Forwarded-For"); fwdFor != "" {
address = strings.TrimSpace(strings.Split(fwdFor, ",")[0])
}
}
clientIP, zoneID, err := parseIPZoneFromString(address) clientIP, zoneID, err := parseIPZoneFromString(address)
if err != nil { if err != nil {
m.logger.Error("getting remote IP", zap.Error(err)) m.logger.Error("getting remote IP", zap.Error(err))
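Review bot: The Caddyfile and CEL paths now reject `forwarded` with an explicit error (second and fourth hunks of this file), but a JSON config that still carries `"forwarded": true` gets no equivalent guard, because the first hunk simply deletes the field from the struct. Unless Caddy's module decoding rejects unknown fields, such a config would load silently and Match would compare the peer address instead of the first X-Forwarded-For entry, which can widen an allow-list for a deployment behind a proxy whose own address falls inside `Ranges`. Consider keeping a deprecated `Forwarded` field with the `json:"forwarded,omitempty"` tag and making Provision fail on it, e.g. `if m.Forwarded { return errors.New("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead") }`, so JSON users get the same message as Caddyfile and CEL users. The last hunk (Provision and Match) continues past the visible part of the page.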