add trusted proxy for parsing client IPs (#115)

2025-12-09 19:58:10 -06:00 · 2021-07-26 16:15:36 +02:00 · 2021-07-26 16:15:36 +02:00 · e2757ae676
commit e2757ae676
parent 651f12cdfb
7 changed files with 339 additions and 13 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -51,6 +51,7 @@ type Config struct {
 	AccountDomain     string             `yaml:"accountDomain"`
 	Protocol          string             `yaml:"protocol"`
 	Port              int                `yaml:"port"`
+	TrustedProxies    []string           `yaml:"trustedProxies"`
 	DBConfig          *DBConfig          `yaml:"db"`
 	TemplateConfig    *TemplateConfig    `yaml:"template"`
 	AccountsConfig    *AccountsConfig    `yaml:"accounts"`
@ -155,6 +156,10 @@ func (c *Config) ParseCLIFlags(f KeyedFlags, version string) error {
 		c.Port = f.Int(fn.Port)
 	}

+	if len(c.TrustedProxies) == 0 || f.IsSet(fn.TrustedProxies) {
+		c.TrustedProxies = f.StringSlice(fn.TrustedProxies)
+	}
+
 	// db flags
 	if c.DBConfig.Type == "" || f.IsSet(fn.DbType) {
 		c.DBConfig.Type = f.String(fn.DbType)
@ -339,6 +344,7 @@ type Flags struct {
 	AccountDomain   string
 	Protocol        string
 	Port            string
+	TrustedProxies  string

 	DbType      string
 	DbAddress   string
@ -396,6 +402,7 @@ type Defaults struct {
 	AccountDomain   string
 	Protocol        string
 	Port            int
+	TrustedProxies  []string
 	SoftwareVersion string

 	DbType      string
@ -456,6 +463,7 @@ func GetFlagNames() Flags {
 		AccountDomain:   "account-domain",
 		Protocol:        "protocol",
 		Port:            "port",
+		TrustedProxies:  "trusted-proxies",

 		DbType:      "db-type",
 		DbAddress:   "db-address",
@ -516,6 +524,7 @@ func GetEnvNames() Flags {
 		AccountDomain:   "GTS_ACCOUNT_DOMAIN",
 		Protocol:        "GTS_PROTOCOL",
 		Port:            "GTS_PORT",
+		TrustedProxies:  "GTS_TRUSTED_PROXIES",

 		DbType:      "GTS_DB_TYPE",
 		DbAddress:   "GTS_DB_ADDRESS",
--- a/internal/config/default.go
+++ b/internal/config/default.go
@ -11,6 +11,7 @@ func TestDefault() *Config {
 		Host:            defaults.Host,
 		Protocol:        defaults.Protocol,
 		Port:            defaults.Port,
+		TrustedProxies:  defaults.TrustedProxies,
 		SoftwareVersion: defaults.SoftwareVersion,
 		DBConfig: &DBConfig{
 			Type:            defaults.DbType,
@ -77,6 +78,7 @@ func Default() *Config {
 		Host:            defaults.Host,
 		Protocol:        defaults.Protocol,
 		Port:            defaults.Port,
+		TrustedProxies:  defaults.TrustedProxies,
 		SoftwareVersion: defaults.SoftwareVersion,
 		DBConfig: &DBConfig{
 			Type:            defaults.DbType,
@ -145,6 +147,7 @@ func GetDefaults() Defaults {
 		AccountDomain:   "",
 		Protocol:        "https",
 		Port:            8080,
+		TrustedProxies:  []string{"127.0.0.1/32"}, // localhost

 		DbType:      "postgres",
 		DbAddress:   "localhost",
@ -204,6 +207,7 @@ func GetTestDefaults() Defaults {
 		AccountDomain:   "",
 		Protocol:        "http",
 		Port:            8080,
+		TrustedProxies:  []string{"127.0.0.1/32"},

 		DbType:     "postgres",
 		DbAddress:  "localhost",
--- a/internal/router/router.go
+++ b/internal/router/router.go
@ -122,6 +122,11 @@ func New(cfg *config.Config, db db.DB, logger *logrus.Logger) (Router, error) {
 	engine := gin.Default()
 	engine.MaxMultipartMemory = 8 << 20 // 8 MiB

+	// set up IP forwarding via x-forward-* headers.
+	if err := engine.SetTrustedProxies(cfg.TrustedProxies); err != nil {
+		return nil, err
+	}
+
 	// enable cors on the engine
 	if err := useCors(cfg, engine); err != nil {
 		return nil, err