authorNebez Briefkani <[email protected]>2024-01-13 12:46:37 -0800
committerGitHub <[email protected]>2024-01-13 20:46:37 +0000
commitcc0c0cf03e3ebdd1377aaa0b8ad6c0b39e880955 (patch)
tree15a919cdcd54d2e90ed28ef955a28f85404e5334 /caddyconfig
parent80acf1bf23890697a12e25f84ae2c6520633da6f (diff)
caddyhttp: Security enhancements for client IP parsing (#5805)
Co-authored-by: Francis Lavoie <[email protected]>
Diffstat (limited to 'caddyconfig')
-rw-r--r--caddyconfig/httpcaddyfile/serveroptions.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/serveroptions.go b/caddyconfig/httpcaddyfile/serveroptions.go
index 6d7c6787f..c131a6417 100644
--- a/caddyconfig/httpcaddyfile/serveroptions.go
+++ b/caddyconfig/httpcaddyfile/serveroptions.go
@@ -46,6 +46,7 @@ type serverOptions struct {
Protocols []string
StrictSNIHost *bool
TrustedProxiesRaw json.RawMessage
+ TrustedProxiesStrict int
ClientIPHeaders []string
ShouldLogCredentials bool
Metrics *caddyhttp.Metrics
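Review bot: `TrustedProxiesStrict` is declared as `int`, but the only value this diff ever assigns is 1 (in the `trusted_proxies_strict` case), so it behaves as an on/off flag whose type does not say so. The server-side field it is copied into is outside this diff, which is limited to `caddyconfig`, so the `int` is presumably there to match that type. If so, a field comment would stop a later reader from assuming other values are meaningful, for example `// TrustedProxiesStrict is 1 when trusted_proxies_strict is set and 0 otherwise; it mirrors the server field of the same name.` The struct's declaration starts and ends outside the hunk.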
@@ -217,6 +218,12 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
)
serverOpts.TrustedProxiesRaw = jsonSource
+ case "trusted_proxies_strict":
+ if d.NextArg() {
+ return nil, d.ArgErr()
+ }
+ serverOpts.TrustedProxiesStrict = 1
+
case "client_ip_headers":
headers := d.RemainingArgs()
for _, header := range headers {
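Review bot: The new `trusted_proxies_strict` case adds a security-relevant switch with no comment saying what strict mode changes in client IP parsing or that it is meant to be used together with `trusted_proxies`. A short why-comment above the case would help, for example `// trusted_proxies_strict takes no arguments; it switches client IP header parsing to strict mode and only matters when trusted_proxies is configured` (wording to be confirmed against the server implementation, which is not in this diff). Nothing visible here rejects or warns when the flag is set in a block that has no `trusted_proxies`. If that combination is a no-op, a note in the comment is enough; otherwise a check belongs where the options are applied. The body of `unmarshalCaddyfileServerOptions` continues outside the hunk.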
@@ -340,6 +347,7 @@ func applyServerOptions(
server.StrictSNIHost = opts.StrictSNIHost
server.TrustedProxiesRaw = opts.TrustedProxiesRaw
server.ClientIPHeaders = opts.ClientIPHeaders
+ server.TrustedProxiesStrict = opts.TrustedProxiesStrict
server.Metrics = opts.Metrics
if opts.ShouldLogCredentials {
if server.Logs == nil {