mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2026-04-26 20:42:38 +02:00
a4d89036ec
* fix: handle Unix socket RemoteAddr in IP resolution

  When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@"
  instead of the usual "host:port" format. This caused net.SplitHostPort
  to fail on every request, flooding logs with errors:

      Error obtaining real IP for trusted IP list: unable to get ip and port from http.RemoteAddr (@)

  Fix by handling the "@" RemoteAddr at the source in getRemoteIP,
  returning nil without error since Unix sockets have no meaningful
  client IP. Also simplify the isTrustedIP guard and add a nil check
  in GetClientString to prevent calling String() on nil net.IP.

  Fixes #3373

  Signed-off-by: h1net <ben@freshdevs.com>

* docs: add changelog entry and Unix socket trusted IPs documentation

  Add changelog entry for #3374. Document that trusted IPs cannot match
  against RemoteAddr for Unix socket listeners since Go sets it to "@",
  and that IP-based trust still works via X-Forwarded-For with
  reverse-proxy.

  Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
  Signed-off-by: h1net <ben@freshdevs.com>

* doc: fix changelog entry for #3374

  Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add trusted ip a section to versioned docs as well

  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: h1net <ben@freshdevs.com>
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
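
The behaviour the commit message describes, as an added example; this is not the oauth2-proxy source. The names remoteIP, isTrusted and clientString are hypothetical, and the sketch assumes the trusted-IP check should fail closed when no client IP exists.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// remoteIP parses RemoteAddr; "@" (Unix socket listener) has no client IP, so it yields (nil, nil).
func remoteIP(req *http.Request) (net.IP, error) {
	if req.RemoteAddr == "@" {
		return nil, nil
	}
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s)", req.RemoteAddr)
	}
	if ip := net.ParseIP(host); ip != nil {
		return ip, nil
	}
	return nil, fmt.Errorf("unable to parse ip (%s)", host)
}

// isTrusted fails closed: a nil IP (Unix socket peer) or a parse error never matches.
func isTrusted(req *http.Request, trusted []*net.IPNet) bool {
	ip, err := remoteIP(req)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientString avoids calling String() on a nil net.IP, which would return "<nil>".
func clientString(req *http.Request) string {
	if ip, err := remoteIP(req); err == nil && ip != nil {
		return ip.String()
	}
	return ""
}

func main() {
	req := &http.Request{RemoteAddr: "@"} // constructed: what a Unix socket listener reports
	fmt.Printf("trusted=%v client=%q\n", isTrusted(req, nil), clientString(req))
}
```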