aboutsummaryrefslogtreecommitdiffhomepage
path: root/caddyconfig/httpcaddyfile/serveroptions.go
diff options
context:
space:
mode:
authorNebez Briefkani <[email protected]>2024-01-13 12:46:37 -0800
committerGitHub <[email protected]>2024-01-13 20:46:37 +0000
commitcc0c0cf03e3ebdd1377aaa0b8ad6c0b39e880955 (patch)
tree15a919cdcd54d2e90ed28ef955a28f85404e5334 /caddyconfig/httpcaddyfile/serveroptions.go
parent80acf1bf23890697a12e25f84ae2c6520633da6f (diff)
downloadcaddy-cc0c0cf03e3ebdd1377aaa0b8ad6c0b39e880955.tar.gz
caddy-cc0c0cf03e3ebdd1377aaa0b8ad6c0b39e880955.zip
caddyhttp: Security enhancements for client IP parsing (#5805)
Co-authored-by: Francis Lavoie <[email protected]>
Diffstat (limited to 'caddyconfig/httpcaddyfile/serveroptions.go')
-rw-r--r--caddyconfig/httpcaddyfile/serveroptions.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/serveroptions.go b/caddyconfig/httpcaddyfile/serveroptions.go
index 6d7c6787f..c131a6417 100644
--- a/caddyconfig/httpcaddyfile/serveroptions.go
+++ b/caddyconfig/httpcaddyfile/serveroptions.go
@@ -46,6 +46,7 @@ type serverOptions struct {
Protocols []string
StrictSNIHost *bool
TrustedProxiesRaw json.RawMessage
+ TrustedProxiesStrict int
ClientIPHeaders []string
ShouldLogCredentials bool
Metrics *caddyhttp.Metrics
@@ -217,6 +218,12 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
)
serverOpts.TrustedProxiesRaw = jsonSource
+ case "trusted_proxies_strict":
+ if d.NextArg() {
+ return nil, d.ArgErr()
+ }
+ serverOpts.TrustedProxiesStrict = 1
+
case "client_ip_headers":
headers := d.RemainingArgs()
for _, header := range headers {
@@ -340,6 +347,7 @@ func applyServerOptions(
server.StrictSNIHost = opts.StrictSNIHost
server.TrustedProxiesRaw = opts.TrustedProxiesRaw
server.ClientIPHeaders = opts.ClientIPHeaders
+ server.TrustedProxiesStrict = opts.TrustedProxiesStrict
server.Metrics = opts.Metrics
if opts.ShouldLogCredentials {
if server.Logs == nil {