Ability to use "X-Forwarded-For" as a source of IP for white list.

2018-03-23 17:40:04 +01:00 · 2018-03-23 17:40:04 +01:00 · d2766b1b4f
commit d2766b1b4f
parent 4802484729
50 changed files with 1496 additions and 599 deletions
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@ -182,12 +182,23 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 		}
 	}

-	// ForwardedHeaders must be remove in the next breaking version
 	for entryPointName := range gc.EntryPoints {
 		entryPoint := gc.EntryPoints[entryPointName]
+		// ForwardedHeaders must be remove in the next breaking version
 		if entryPoint.ForwardedHeaders == nil {
 			entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true}
 		}
+
+		if len(entryPoint.WhitelistSourceRange) > 0 {
+			log.Warnf("Deprecated configuration found: %s. Please use %s.", "whiteListSourceRange", "whiteList.sourceRange")
+
+			if entryPoint.WhiteList == nil {
+				entryPoint.WhiteList = &types.WhiteList{
+					SourceRange: entryPoint.WhitelistSourceRange,
+				}
+				entryPoint.WhitelistSourceRange = nil
+			}
+		}
 	}

 	// Make sure LifeCycle isn't nil to spare nil checks elsewhere.
@ -378,18 +389,6 @@ type ForwardingTimeouts struct {
 	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists" export:"true"`
 }

-// ProxyProtocol contains Proxy-Protocol configuration
-type ProxyProtocol struct {
-	Insecure   bool
-	TrustedIPs []string
-}
-
-// ForwardedHeaders Trust client forwarding headers
-type ForwardedHeaders struct {
-	Insecure   bool
-	TrustedIPs []string
-}
-
 // LifeCycle contains configurations relevant to the lifecycle (such as the
 // shutdown phase) of Traefik.
 type LifeCycle struct {
--- a/configuration/entrypoints.go
+++ b/configuration/entrypoints.go
@ -12,15 +12,28 @@ import (
 // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
 type EntryPoint struct {
 	Address              string
-	TLS                  *tls.TLS        `export:"true"`
-	Redirect             *types.Redirect `export:"true"`
-	Auth                 *types.Auth     `export:"true"`
-	WhitelistSourceRange []string
+	TLS                  *tls.TLS          `export:"true"`
+	Redirect             *types.Redirect   `export:"true"`
+	Auth                 *types.Auth       `export:"true"`
+	WhitelistSourceRange []string          // Deprecated
+	WhiteList            *types.WhiteList  `export:"true"`
 	Compress             bool              `export:"true"`
 	ProxyProtocol        *ProxyProtocol    `export:"true"`
 	ForwardedHeaders     *ForwardedHeaders `export:"true"`
 }

+// ProxyProtocol contains Proxy-Protocol configuration
+type ProxyProtocol struct {
+	Insecure   bool `export:"true"`
+	TrustedIPs []string
+}
+
+// ForwardedHeaders Trust client forwarding headers
+type ForwardedHeaders struct {
+	Insecure   bool `export:"true"`
+	TrustedIPs []string
+}
+
 // EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
 type EntryPoints map[string]*EntryPoint

@ -70,6 +83,7 @@ func (ep *EntryPoints) Set(value string) error {
 		Redirect:             makeEntryPointRedirect(result),
 		Compress:             compress,
 		WhitelistSourceRange: whiteListSourceRange,
+		WhiteList:            makeWhiteList(result),
 		ProxyProtocol:        makeEntryPointProxyProtocol(result),
 		ForwardedHeaders:     makeEntryPointForwardedHeaders(result),
 	}
@ -77,6 +91,17 @@ func (ep *EntryPoints) Set(value string) error {
 	return nil
 }

+func makeWhiteList(result map[string]string) *types.WhiteList {
+	var wl *types.WhiteList
+	if rawRange, ok := result["whitelist_sourcerange"]; ok {
+		wl = &types.WhiteList{
+			SourceRange:      strings.Split(rawRange, ","),
+			UseXForwardedFor: toBool(result, "whitelist_usexforwardedfor"),
+		}
+	}
+	return wl
+}
+
 func makeEntryPointAuth(result map[string]string) *types.Auth {
 	var basic *types.Basic
 	if v, ok := result["auth_basic_users"]; ok {
--- a/configuration/entrypoints_test.go
+++ b/configuration/entrypoints_test.go
@ -28,7 +28,6 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"Redirect.Replacement:http://mydomain/$1 " +
 				"Redirect.Permanent:true " +
 				"Compress:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
 				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
 				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
 				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
@ -40,7 +39,10 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"Auth.Forward.TLS.CAOptional:true " +
 				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
 				"Auth.Forward.TLS.Key:path/to/foo.key " +
-				"Auth.Forward.TLS.InsecureSkipVerify:true ",
+				"Auth.Forward.TLS.InsecureSkipVerify:true " +
+				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.useXForwardedFor:true ",
 			expectedResult: map[string]string{
 				"address":                             ":8000",
 				"auth_basic_users":                    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
@ -63,9 +65,11 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"redirect_permanent":       "true",
 				"redirect_regex":           "http://localhost/(.*)",
 				"redirect_replacement":     "http://mydomain/$1",
-				"tls":                  "goo,gii",
-				"tls_acme":             "TLS",
-				"whitelistsourcerange": "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"tls":                        "goo,gii",
+				"tls_acme":                   "TLS",
+				"whitelistsourcerange":       "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"whitelist_sourcerange":      "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"whitelist_usexforwardedfor": "true",
 			},
 		},
 		{
@ -175,7 +179,6 @@ func TestEntryPoints_Set(t *testing.T) {
 				"Redirect.Replacement:http://mydomain/$1 " +
 				"Redirect.Permanent:true " +
 				"Compress:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
 				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
 				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
 				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
@ -187,7 +190,10 @@ func TestEntryPoints_Set(t *testing.T) {
 				"Auth.Forward.TLS.CAOptional:true " +
 				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
 				"Auth.Forward.TLS.Key:path/to/foo.key " +
-				"Auth.Forward.TLS.InsecureSkipVerify:true ",
+				"Auth.Forward.TLS.InsecureSkipVerify:true " +
+				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.useXForwardedFor:true ",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				Address: ":8000",
@ -240,6 +246,14 @@ func TestEntryPoints_Set(t *testing.T) {
 					"152.89.1.33/32",
 					"afed:be44::/16",
 				},
+				WhiteList: &types.WhiteList{
+					SourceRange: []string{
+						"10.42.0.0/16",
+						"152.89.1.33/32",
+						"afed:be44::/16",
+					},
+					UseXForwardedFor: true,
+				},
 				Compress: true,
 				ProxyProtocol: &ProxyProtocol{
 					Insecure:   false,