mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2025-05-05 07:22:54 +03:00
Pull request 2166: 5829-trusted-ip
Updates #5829. Squashed commit of the following: commit 8a93b30d5bd1c40c30bd10cd3fc77c3a3a64cb71 Merge: 8e4429c4854f77c010Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 19:15:07 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit 8e4429c483c0fd6fffdc93fa808adcca6678bc3e Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 18:37:26 2024 +0300 all: upd chlog commit b598a8d1ea239cc574bfdfdd6a2da47792582589 Merge: 1f58bf8fd054233962Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 18:34:13 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit 1f58bf8fd1bc3b3790475651cb87494885cadf66 Merge: ffb4b9a65c64a36c94Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 17:09:09 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit ffb4b9a65fea5555d0d401194d3fc3820b2e6766 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Mar 14 17:40:07 2024 +0300 home: fix alignment commit 7f11807ff13eff286be1d3bd4b796273454bdbda Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Mar 14 17:35:13 2024 +0300 all: imp code commit 2aee9a66c70af929e28653245eb73c0f29a46e97 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Mon Mar 11 18:17:58 2024 +0300 home: real ip in logs
This commit is contained in:
Stanislav Chzhen
parent
54f77c0101
commit
3b12ff2cc2
6 changed files with 72 additions and 50 deletions
internal/home
|
|
@ -4,8 +4,8 @@ import (
|
|||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/netip"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
|
@ -78,7 +78,7 @@ func (a *Auth) newCookie(req loginJSON, addr string) (c *http.Cookie, err error)
|
|||
// a well-maintained third-party module.
|
||||
//
|
||||
// TODO(a.garipov): Support header Forwarded from RFC 7329.
|
||||
func realIP(r *http.Request) (ip net.IP, err error) {
|
||||
func realIP(r *http.Request) (ip netip.Addr, err error) {
|
||||
proxyHeaders := []string{
|
||||
httphdr.CFConnectingIP,
|
||||
httphdr.TrueClientIP,
|
||||
|
|
@ -87,8 +87,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {
|
|||
|
||||
for _, h := range proxyHeaders {
|
||||
v := r.Header.Get(h)
|
||||
ip = net.ParseIP(v)
|
||||
if ip != nil {
|
||||
ip, err = netip.ParseAddr(v)
|
||||
if err == nil {
|
||||
return ip, nil
|
||||
}
|
||||
}
|
||||
|
|
@ -96,20 +96,20 @@ func realIP(r *http.Request) (ip net.IP, err error) {
|
|||
// If none of the above yielded any results, get the leftmost IP address
|
||||
// from the X-Forwarded-For header.
|
||||
s := r.Header.Get(httphdr.XForwardedFor)
|
||||
ipStrs := strings.SplitN(s, ", ", 2)
|
||||
ip = net.ParseIP(ipStrs[0])
|
||||
if ip != nil {
|
||||
ipStr, _, _ := strings.Cut(s, ",")
|
||||
ip, err = netip.ParseAddr(ipStr)
|
||||
if err == nil {
|
||||
return ip, nil
|
||||
}
|
||||
|
||||
// When everything else fails, just return the remote address as understood
|
||||
// by the stdlib.
|
||||
ipStr, err := netutil.SplitHost(r.RemoteAddr)
|
||||
ipStr, err = netutil.SplitHost(r.RemoteAddr)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("getting ip from client addr: %w", err)
|
||||
return netip.Addr{}, fmt.Errorf("getting ip from client addr: %w", err)
|
||||
}
|
||||
|
||||
return net.ParseIP(ipStr), nil
|
||||
return netip.ParseAddr(ipStr)
|
||||
}
|
||||
|
||||
// writeErrorWithIP is like [aghhttp.Error], but includes the remote IP address
|
||||
|
|
@ -142,8 +142,6 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
|||
// to security issues.
|
||||
//
|
||||
// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
|
||||
//
|
||||
// TODO(e.burkov): Use realIP when the issue will be fixed.
|
||||
if remoteIP, err = netutil.SplitHost(r.RemoteAddr); err != nil {
|
||||
writeErrorWithIP(
|
||||
r,
|
||||
|
|
@ -173,20 +171,24 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
|
||||
cookie, err := Context.auth.newCookie(req, remoteIP)
|
||||
if err != nil {
|
||||
writeErrorWithIP(r, w, http.StatusForbidden, remoteIP, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Use realIP here, since this IP address is only used for logging.
|
||||
ip, err := realIP(r)
|
||||
if err != nil {
|
||||
log.Error("auth: getting real ip from request with remote ip %s: %s", remoteIP, err)
|
||||
}
|
||||
|
||||
log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
|
||||
cookie, err := Context.auth.newCookie(req, remoteIP)
|
||||
if err != nil {
|
||||
logIP := remoteIP
|
||||
if Context.auth.trustedProxies.Contains(ip.Unmap()) {
|
||||
logIP = ip.String()
|
||||
}
|
||||
|
||||
writeErrorWithIP(r, w, http.StatusForbidden, logIP, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
log.Info("auth: user %q successfully logged in from ip %s", req.Name, ip)
|
||||
|
||||
http.SetCookie(w, cookie)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue