Stop reading X-Forwarded-Port

X-Forwarded-Port contains the destination port, not the source port,
so it isn't useful for our purposes.

Move parsing of X-Forwarded-* header fields to parseForwarded.
Simon Ser 2021-03-18 13:22:28 +01:00
parent 1b49fff763
commit 927ee80da1


@ -212,17 +212,13 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
} }
} }
// Only trust X-Forwarded-* header fields if this is a trusted proxy IP // Only trust the Forwarded header field if this is a trusted proxy IP
// to prevent users from spoofing the remote address // to prevent users from spoofing the remote address
remoteAddr := req.RemoteAddr remoteAddr := req.RemoteAddr
if isProxy { if isProxy {
forwarded := parseForwarded(req.Header) forwarded := parseForwarded(req.Header)
forwardedHost := req.Header.Get("X-Forwarded-For")
forwardedPort := req.Header.Get("X-Forwarded-Port")
if forwarded["for"] != "" { if forwarded["for"] != "" {
remoteAddr = forwarded["for"] remoteAddr = forwarded["for"]
} else if forwardedHost != "" && forwardedPort != "" {
remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
} }
} }
@ -232,7 +228,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
func parseForwarded(h http.Header) map[string]string { func parseForwarded(h http.Header) map[string]string {
forwarded := h.Get("Forwarded") forwarded := h.Get("Forwarded")
if forwarded == "" { if forwarded == "" {
return nil return map[string]string{
"for": h.Get("X-Forwarded-For"),
"proto": h.Get("X-Forwarded-Proto"),
"host": h.Get("X-Forwarded-Host"),
}
} }
// Hack to easily parse header parameters // Hack to easily parse header parameters
_, params, _ := mime.ParseMediaType("hack; " + forwarded) _, params, _ := mime.ParseMediaType("hack; " + forwarded)
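Review bot: The X-Forwarded-For fallback added to parseForwarded passes the raw header value through as `forwarded["for"]`, which ServeHTTP then assigns to remoteAddr, but that header is commonly a comma-separated list whose left-most entries come from the client. Behind a trusted proxy that appends rather than overwrites, the recorded remote address would be a whole list or a client-chosen value, and `h.Get` returns only the first header line, which may be the client's own. I would keep only the right-most entry of the last X-Forwarded-For line, the one the trusted proxy itself added, as sketched below (this assumes `strings` is imported in the file). Separately, the fallback value no longer carries a port, so any later code that splits remoteAddr into host and port should be checked; that code and the rest of parseForwarded lie outside the hunk.

```go
if forwarded == "" {
	// Use the entry appended by the trusted proxy, not client-supplied ones.
	var forwardedFor string
	if vals := h.Values("X-Forwarded-For"); len(vals) > 0 {
		entries := strings.Split(vals[len(vals)-1], ",")
		forwardedFor = strings.TrimSpace(entries[len(entries)-1])
	}
	return map[string]string{
		"for": forwardedFor,
		// … unchanged: "proto" and "host" entries …
	}
}
```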