You've already forked oauth2-proxy
mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2026-05-18 10:01:03 +02:00
H1net
a4d89036ec
* fix: handle Unix socket RemoteAddr in IP resolution When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@" instead of the usual "host:port" format. This caused net.SplitHostPort to fail on every request, flooding logs with errors: Error obtaining real IP for trusted IP list: unable to get ip and port from http.RemoteAddr (@) Fix by handling the "@" RemoteAddr at the source in getRemoteIP, returning nil without error since Unix sockets have no meaningful client IP. Also simplify the isTrustedIP guard and add a nil check in GetClientString to prevent calling String() on nil net.IP. Fixes #3373 Signed-off-by: h1net <ben@freshdevs.com> * docs: add changelog entry and Unix socket trusted IPs documentation Add changelog entry for #3374. Document that trusted IPs cannot match against RemoteAddr for Unix socket listeners since Go sets it to "@", and that IP-based trust still works via X-Forwarded-For with reverse-proxy. Signed-off-by: Ben Newbery <ben.newbery@gmail.com> Signed-off-by: h1net <ben@freshdevs.com> * doc: fix changelog entry for #3374 Signed-off-by: Jan Larwig <jan@larwig.com> * doc: add trusted ip a section to versioned docs as well Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: h1net <ben@freshdevs.com> Signed-off-by: Ben Newbery <ben.newbery@gmail.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
115 lines
3.8 KiB
Go
115 lines
3.8 KiB
Go
package ip
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
|
|
ipapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/ip"
|
|
)
|
|
|
|
func GetRealClientIPParser(headerKey string) (ipapi.RealClientIPParser, error) {
|
|
headerKey = http.CanonicalHeaderKey(headerKey)
|
|
|
|
switch headerKey {
|
|
case http.CanonicalHeaderKey("X-Forwarded-For"),
|
|
http.CanonicalHeaderKey("X-Real-IP"),
|
|
http.CanonicalHeaderKey("X-ProxyUser-IP"),
|
|
http.CanonicalHeaderKey("X-Envoy-External-Address"),
|
|
// Cloudflare specific Real-IP header
|
|
http.CanonicalHeaderKey("CF-Connecting-IP"):
|
|
return &xForwardedForClientIPParser{header: headerKey}, nil
|
|
}
|
|
|
|
// TODO: implement the more standardized but more complex `Forwarded` header.
|
|
return nil, fmt.Errorf("the http header key (%s) is either invalid or unsupported", headerKey)
|
|
}
|
|
|
|
type xForwardedForClientIPParser struct {
|
|
header string
|
|
}
|
|
|
|
// GetRealClientIP obtain the IP address of the end-user (not proxy).
|
|
// Parses headers sharing the format as specified by:
|
|
// * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For.
|
|
// Returns the `<client>` portion specified in the above document.
|
|
// Additionally, is capable of parsing IPs with the port included, for v4 in the format "<ip>:<port>" and for v6 in the
|
|
// format "[<ip>]:<port>". With-port and without-port formats are seamlessly supported concurrently.
|
|
func (p xForwardedForClientIPParser) GetRealClientIP(h http.Header) (net.IP, error) {
|
|
var ipStr string
|
|
if realIP := h.Get(p.header); realIP != "" {
|
|
ipStr = realIP
|
|
} else {
|
|
return nil, nil
|
|
}
|
|
|
|
// Each successive proxy may append itself, comma separated, to the end of the X-Forwarded-for header.
|
|
// Select only the first IP listed, as it is the client IP recorded by the first proxy.
|
|
if commaIndex := strings.IndexRune(ipStr, ','); commaIndex != -1 {
|
|
ipStr = ipStr[:commaIndex]
|
|
}
|
|
ipStr = strings.TrimSpace(ipStr)
|
|
|
|
if ipHost, _, err := net.SplitHostPort(ipStr); err == nil {
|
|
ipStr = ipHost
|
|
}
|
|
|
|
ip := net.ParseIP(ipStr)
|
|
if ip == nil {
|
|
return nil, fmt.Errorf("unable to parse ip (%s) from %s header", ipStr, http.CanonicalHeaderKey(p.header))
|
|
}
|
|
|
|
return ip, nil
|
|
}
|
|
|
|
// GetClientIP obtains the perceived end-user IP address from headers if p != nil else from req.RemoteAddr.
|
|
func GetClientIP(p ipapi.RealClientIPParser, req *http.Request) (net.IP, error) {
|
|
if p != nil {
|
|
return p.GetRealClientIP(req.Header)
|
|
}
|
|
return getRemoteIP(req)
|
|
}
|
|
|
|
// getRemoteIP obtains the IP of the low-level connected network host
|
|
func getRemoteIP(req *http.Request) (net.IP, error) {
|
|
// Unix domain sockets set RemoteAddr to "@" which has no meaningful IP.
|
|
// https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511
|
|
if req.RemoteAddr == "@" {
|
|
return nil, nil
|
|
}
|
|
|
|
//revive:disable:indent-error-flow
|
|
if ipStr, _, err := net.SplitHostPort(req.RemoteAddr); err != nil {
|
|
return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s)", req.RemoteAddr)
|
|
} else if ip := net.ParseIP(ipStr); ip != nil {
|
|
return ip, nil
|
|
} else {
|
|
return nil, fmt.Errorf("unable to parse ip (%s)", ipStr)
|
|
}
|
|
//revive:enable:indent-error-flow
|
|
}
|
|
|
|
// GetClientString obtains the human readable string of the remote IP and optionally the real client IP if available
|
|
func GetClientString(p ipapi.RealClientIPParser, req *http.Request, full bool) (s string) {
|
|
var realClientIPStr string
|
|
if p != nil {
|
|
if realClientIP, err := p.GetRealClientIP(req.Header); err == nil && realClientIP != nil {
|
|
realClientIPStr = realClientIP.String()
|
|
}
|
|
}
|
|
|
|
var remoteIPStr string
|
|
if remoteIP, err := getRemoteIP(req); err == nil && remoteIP != nil {
|
|
remoteIPStr = remoteIP.String()
|
|
}
|
|
|
|
if !full && realClientIPStr != "" {
|
|
return realClientIPStr
|
|
}
|
|
if full && realClientIPStr != "" {
|
|
return fmt.Sprintf("%s (%s)", remoteIPStr, realClientIPStr)
|
|
}
|
|
return remoteIPStr
|
|
}
|