author | Francis Lavoie <[email protected]> | 2023-01-10 00:08:23 -0500 |
committer | GitHub <[email protected]> | 2023-01-10 00:08:23 -0500 |
commit | 223cbe3d0b50487117c785f0755bb80a9ee65010 (patch) | |
tree | cf673da335e7470a50a7f1709464ec3f05e67291 /modules/caddyhttp/app.go | |
parent | 66ce0c5c635c4ff254ccb92123711534b6461b35 (diff) | |
caddyhttp: Add server-level `trusted_proxies` config (#5103)
Diffstat (limited to 'modules/caddyhttp/app.go')
-rw-r--r-- | modules/caddyhttp/app.go | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 0943b32df..d790284c8 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -20,7 +20,9 @@ import (
 "fmt"
 "net"
 "net/http"
+ "net/netip"
 "strconv"
+ "strings"
 "sync"
 "time"
@@ -222,6 +224,24 @@ func (app *App) Provision(ctx caddy.Context) error {
 srv.StrictSNIHost = &trueBool
 }
+ // parse trusted proxy CIDRs ahead of time
+ for _, str := range srv.TrustedProxies {
+ if strings.Contains(str, "/") {
+ ipNet, err := netip.ParsePrefix(str)
+ if err != nil {
+ return fmt.Errorf("parsing CIDR expression: '%s': %v", str, err)
+ }
+ srv.trustedProxies = append(srv.trustedProxies, ipNet)
+ } else {
+ ipAddr, err := netip.ParseAddr(str)
+ if err != nil {
+ return fmt.Errorf("invalid IP address: '%s': %v", str, err)
+ }
+ ipNew := netip.PrefixFrom(ipAddr, ipAddr.BitLen())
+ srv.trustedProxies = append(srv.trustedProxies, ipNew)
+ }
+ }
+
 // process each listener address
 for i := range srv.Listen {
 lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true) |
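Review bot: The two error returns in the new trusted-proxies loop format the parse error with `%v`, which drops the underlying `netip` error from the chain, and quote the entry with `'%s'`, which hides empty or whitespace-only entries; use `%q` and `%w`, e.g. `return fmt.Errorf("parsing CIDR expression %q: %w", str, err)` and `return fmt.Errorf("invalid IP address %q: %w", str, err)`. Since this list decides which peers' forwarded client-IP headers are believed, a precise diagnostic on a mistyped entry is worth having. Note also that `netip.ParseAddr` accepts a zoned IPv6 literal such as `fe80::1%eth0` while `netip.PrefixFrom` appears to discard the zone, so such an entry would be stored silently as the bare address rather than rejected; if that is not intended, add `if ipAddr.Zone() != "" { return fmt.Errorf("invalid IP address %q: zone not allowed", str) }` before the `PrefixFrom` call. Provision begins and ends outside the hunk.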