mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-24 23:39:19 -04:00 
			
		
		
		
	matchers: Drop forwarded option from remote_ip matcher (#6085)
				
					
				
			This commit is contained in:
		
							parent
							
								
									bde46211e3
								
							
						
					
					
						commit
						8c2a72ad07
					
				| @ -373,22 +373,6 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV | ||||
| 			urlTarget:  "https://example.com/foo", | ||||
| 			wantResult: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "remote_ip forwarded (MatchRemoteIP)", | ||||
| 			expression: &MatchExpression{ | ||||
| 				Expr: `remote_ip('forwarded', '192.0.2.1')`, | ||||
| 			}, | ||||
| 			urlTarget:  "https://example.com/foo", | ||||
| 			wantResult: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "remote_ip forwarded not first (MatchRemoteIP)", | ||||
| 			expression: &MatchExpression{ | ||||
| 				Expr: `remote_ip('192.0.2.1', 'forwarded')`, | ||||
| 			}, | ||||
| 			urlTarget: "https://example.com/foo", | ||||
| 			wantErr:   true, | ||||
| 		}, | ||||
| 	} | ||||
| ) | ||||
| 
 | ||||
|  | ||||
| @ -37,13 +37,6 @@ type MatchRemoteIP struct { | ||||
| 	// The IPs or CIDR ranges to match. | ||||
| 	Ranges []string `json:"ranges,omitempty"` | ||||
| 
 | ||||
| 	// If true, prefer the first IP in the request's X-Forwarded-For | ||||
| 	// header, if present, rather than the immediate peer's IP, as | ||||
| 	// the reference IP against which to match. Note that it is easy | ||||
| 	// to spoof request headers. Default: false | ||||
| 	// DEPRECATED: This is insecure, MatchClientIP should be used instead. | ||||
| 	Forwarded bool `json:"forwarded,omitempty"` | ||||
| 
 | ||||
| 	// cidrs and zones vars should aligned always in the same | ||||
| 	// length and indexes for matching later | ||||
| 	cidrs  []*netip.Prefix | ||||
| @ -82,11 +75,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume matcher name | ||||
| 	for d.NextArg() { | ||||
| 		if d.Val() == "forwarded" { | ||||
| 			if len(m.Ranges) > 0 { | ||||
| 				return d.Err("if used, 'forwarded' must be first argument") | ||||
| 			} | ||||
| 			m.Forwarded = true | ||||
| 			continue | ||||
| 			return d.Err("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead") | ||||
| 		} | ||||
| 		if d.Val() == "private_ranges" { | ||||
| 			m.Ranges = append(m.Ranges, PrivateRangesCIDR()...) | ||||
| @ -105,7 +94,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| // | ||||
| // Example: | ||||
| // | ||||
| //	expression remote_ip('forwarded', '192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8') | ||||
| //	expression remote_ip('192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8') | ||||
| func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) { | ||||
| 	return CELMatcherImpl( | ||||
| 		// name of the macro, this is the function name that users see when writing expressions. | ||||
| @ -126,11 +115,7 @@ func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) { | ||||
| 
 | ||||
| 			for _, input := range strList.([]string) { | ||||
| 				if input == "forwarded" { | ||||
| 					if len(m.Ranges) > 0 { | ||||
| 						return nil, errors.New("if used, 'forwarded' must be first argument") | ||||
| 					} | ||||
| 					m.Forwarded = true | ||||
| 					continue | ||||
| 					return nil, errors.New("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead") | ||||
| 				} | ||||
| 				m.Ranges = append(m.Ranges, input) | ||||
| 			} | ||||
| @ -151,21 +136,12 @@ func (m *MatchRemoteIP) Provision(ctx caddy.Context) error { | ||||
| 	m.cidrs = cidrs | ||||
| 	m.zones = zones | ||||
| 
 | ||||
| 	if m.Forwarded { | ||||
| 		m.logger.Warn("remote_ip's forwarded mode is deprecated; use the 'client_ip' matcher instead") | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Match returns true if r matches m. | ||||
| func (m MatchRemoteIP) Match(r *http.Request) bool { | ||||
| 	address := r.RemoteAddr | ||||
| 	if m.Forwarded { | ||||
| 		if fwdFor := r.Header.Get("X-Forwarded-For"); fwdFor != "" { | ||||
| 			address = strings.TrimSpace(strings.Split(fwdFor, ",")[0]) | ||||
| 		} | ||||
| 	} | ||||
| 	clientIP, zoneID, err := parseIPZoneFromString(address) | ||||
| 	if err != nil { | ||||
| 		m.logger.Error("getting remote IP", zap.Error(err)) | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user