Don't accept any IP as a proxy by default
It's too easy to set up a reverse proxy which doesn't support the PROXY protocol, or which lets the X-Forwarded-For header fields pass through. Disable this by default. To restore the previous behaviour, add `accept-proxy-ip localhost` to the config file.
parent
24d8f2167b
commit
88d241fd1d
@ -55,7 +55,6 @@ func Defaults() *Server {
|
||||
Hostname: hostname,
|
||||
SQLDriver: "sqlite3",
|
||||
SQLSource: "soju.db",
|
||||
AcceptProxyIPs: loopbackIPs,
|
||||
}
|
||||
}
|
||||
|
||||
@ -100,6 +99,10 @@ func parse(cfg scfg.Block) (*Server, error) {
|
||||
case "accept-proxy-ip":
|
||||
srv.AcceptProxyIPs = nil
|
||||
for _, s := range d.Params {
|
||||
if s == "localhost" {
|
||||
srv.AcceptProxyIPs = append(srv.AcceptProxyIPs, loopbackIPs...)
|
||||
continue
|
||||
}
|
||||
_, n, err := net.ParseCIDR(s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("directive %q: failed to parse CIDR: %v", d.Name, err)
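Review bot: The `if s == "localhost"` branch added in parse is an exact, case-sensitive keyword match, and nothing in the code says so. Any other spelling, such as `Localhost`, falls through to `net.ParseCIDR` and is reported as "failed to parse CIDR", which does not point the operator at the real mistake. I would add a comment above the branch, `// "localhost" is a keyword that expands to loopbackIPs; it is never resolved as a hostname`. It would also help to note there that trusting loopback is only sound when the local reverse proxy overwrites client-supplied X-Forwarded-For fields, which is the failure mode the commit description names. The body of parse starts and ends outside this hunk, so how the parsed network `n` is stored is not visible here.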
|
||||
|
@ -114,8 +114,8 @@ The following directives are supported:
|
||||
*accept-proxy-ip* <cidr...>
|
||||
Allow the specified IPs to act as a proxy. Proxys have the ability to
|
||||
overwrite the remote and local connection addresses (via the X-Forwarded-\*
|
||||
HTTP header fields). By default, the loopback addresses 127.0.0.0/8 and
|
||||
::1/128 are accepted.
|
||||
HTTP header fields). The special name "localhost" accepts the loopback
|
||||
addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected.
|
||||
|
||||
# IRC SERVICE
|
||||
|
||||
|