Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP

stffabi 2019-07-08 17:56:04 +02:00 committed by Traefiker Bot
parent 0ee5d3d83f
commit cc4258bf9d
2 changed files with 87 additions and 27 deletions


@ -10,14 +10,18 @@ import (
) )
const ( const (
xForwardedProto = "X-Forwarded-Proto" xForwardedProto = "X-Forwarded-Proto"
xForwardedFor = "X-Forwarded-For" xForwardedFor = "X-Forwarded-For"
xForwardedHost = "X-Forwarded-Host" xForwardedHost = "X-Forwarded-Host"
xForwardedPort = "X-Forwarded-Port" xForwardedPort = "X-Forwarded-Port"
xForwardedServer = "X-Forwarded-Server" xForwardedServer = "X-Forwarded-Server"
xRealIP = "X-Real-Ip" xForwardedURI = "X-Forwarded-Uri"
connection = "Connection" xForwardedMethod = "X-Forwarded-Method"
upgrade = "Upgrade" xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
xRealIP = "X-Real-Ip"
connection = "Connection"
upgrade = "Upgrade"
) )
var xHeaders = []string{ var xHeaders = []string{
@ -26,6 +30,10 @@ var xHeaders = []string{
xForwardedHost, xForwardedHost,
xForwardedPort, xForwardedPort,
xForwardedServer, xForwardedServer,
xForwardedURI,
xForwardedMethod,
xForwardedTLSClientCert,
xForwardedTLSClientCertInfo,
xRealIP, xRealIP,
} }
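Review bot: The four new entries appended to `xHeaders` (X-Forwarded-Uri, -Method, -Tls-Client-Cert, -Tls-Client-Cert-Info) and the matching constants above carry no comment explaining why they are grouped with the existing X-Forwarded-* names, and that grouping is the only thing that ties the trust decision to the headers downstream middlewares treat as authoritative. A maintainer adding a new proxy-asserted header later has no cue that it must be listed here as well. Suggest a doc comment on the slice: `// xHeaders are proxy-asserted headers that are honored only from trusted sources; every header a downstream middleware treats as authoritative must be listed here so it is stripped otherwise.` The code that consumes `xHeaders` is outside this section, so whether it deletes or merely overwrites each header cannot be confirmed from these lines.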


@ -28,79 +28,131 @@ func TestServeHTTP(t *testing.T) {
remoteAddr: "", remoteAddr: "",
incomingHeaders: map[string]string{}, incomingHeaders: map[string]string{},
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "", "X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
}, },
}, },
{ {
desc: "insecure true with incoming X-Forwarded-For", desc: "insecure true with incoming X-Forwarded headers",
insecure: true, insecure: true,
trustedIps: nil, trustedIps: nil,
remoteAddr: "", remoteAddr: "",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
}, },
{ {
desc: "insecure false with incoming X-Forwarded-For", desc: "insecure false with incoming X-Forwarded headers",
insecure: false, insecure: false,
trustedIps: nil, trustedIps: nil,
remoteAddr: "", remoteAddr: "",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "", "X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
}, },
}, },
{ {
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips", desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips",
insecure: false, insecure: false,
trustedIps: []string{"10.0.1.100"}, trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.100:80", remoteAddr: "10.0.1.100:80",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
}, },
{ {
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips", desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips",
insecure: false, insecure: false,
trustedIps: []string{"10.0.1.100"}, trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.101:80", remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "", "X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
}, },
}, },
{ {
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR", desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips CIDR",
insecure: false, insecure: false,
trustedIps: []string{"1.2.3.4/24"}, trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.156:80", remoteAddr: "1.2.3.156:80",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
}, },
{ {
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR", desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips CIDR",
insecure: false, insecure: false,
trustedIps: []string{"1.2.3.4/24"}, trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "10.0.1.101:80", remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{ incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12", "X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
}, },
expectedHeaders: map[string]string{ expectedHeaders: map[string]string{
"X-Forwarded-for": "", "X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
}, },
}, },
{ {