hydrar/mistserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improved trustedproxy support

Browse source
This commit is contained in:
Thulinma 2020-02-19 12:27:17 +01:00
parent f43a1e5b99
commit 5c8aa1bfbd
5 changed files with 55 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
src/controller/controller.cpp
View file

@ -301,6 +301,7 @@ int main_loop(int argc, char **argv){
Controller::maxConnsPerIP = Controller::conf.getInteger("maxconnsperip"); Controller::maxConnsPerIP = Controller::conf.getInteger("maxconnsperip");
Controller::Storage["config"]["prometheus"] = Controller::conf.getString("prometheus"); Controller::Storage["config"]["prometheus"] = Controller::conf.getString("prometheus");
Controller::Storage["config"]["accesslog"] = Controller::conf.getString("accesslog"); Controller::Storage["config"]["accesslog"] = Controller::conf.getString("accesslog");
Controller::normalizeTrustedProxies(Controller::Storage["config"]["trustedproxy"]);
Controller::prometheus = Controller::Storage["config"]["prometheus"].asStringRef(); Controller::prometheus = Controller::Storage["config"]["prometheus"].asStringRef();
Controller::accesslog = Controller::Storage["config"]["accesslog"].asStringRef(); Controller::accesslog = Controller::Storage["config"]["accesslog"].asStringRef();
Controller::writeConfig(); Controller::writeConfig();

4
src/controller/controller_api.cpp
View file

@ -528,6 +528,10 @@ void Controller::handleAPICommands(JSON::Value & Request, JSON::Value & Response
out["protocols"] = in["protocols"]; out["protocols"] = in["protocols"];
removeDuplicateProtocols(); removeDuplicateProtocols();
} }
if (in.isMember("trustedproxy")){
out["trustedproxy"] = in["trustedproxy"];
Controller::normalizeTrustedProxies(out["trustedproxy"]);
}
if (in.isMember("controller")){ if (in.isMember("controller")){
out["controller"] = in["controller"]; out["controller"] = in["controller"];
} }

43
src/controller/controller_storage.cpp
View file

@ -101,6 +101,33 @@ namespace Controller{
} }
} }
void normalizeTrustedProxies(JSON::Value & tp){
//First normalize to arrays
if (!tp.isArray()){tp.append(tp.asString());}
//Now, wipe any empty entries, and convert spaces to array entries
std::set<std::string> n;
jsonForEach(tp, jit){
if (!jit->isString()){*jit = jit->asString();}
if (jit->asStringRef().find(' ') == std::string::npos){
n.insert(jit->asStringRef());
continue;
}
std::string tmp = jit->asStringRef();
while (tmp.find(' ') != std::string::npos){
size_t p = tmp.find(' ');
n.insert(tmp.substr(0, p));
tmp.erase(0, p+1);
}
if (tmp.size()){n.insert(tmp);}
}
n.erase("");
//Re-write the entire array, which is now normalized
tp.shrink(0);
for (std::set<std::string>::iterator it = n.begin(); it != n.end(); ++it){
tp.append(*it);
}
}
///\brief Write contents to Filename ///\brief Write contents to Filename
///\param Filename The full path of the file to write to. ///\param Filename The full path of the file to write to.
///\param contents The data to be written to the file. ///\param contents The data to be written to the file.
@ -239,8 +266,20 @@ namespace Controller{
void writeProtocols(){ void writeProtocols(){
static std::string proxy_written; static std::string proxy_written;
if (proxy_written != Storage["config"]["trustedproxy"].asStringRef()){ std::string tmpProxy;
proxy_written = Storage["config"]["trustedproxy"].asStringRef(); if (Storage["config"]["trustedproxy"].isArray()){
jsonForEachConst(Storage["config"]["trustedproxy"], jit){
if (tmpProxy.size()){
tmpProxy += " "+jit->asString();
}else{
tmpProxy = jit->asString();
}
}
}else{
tmpProxy = Storage["config"]["trustedproxy"].asString();
}
if (proxy_written != tmpProxy){
proxy_written = tmpProxy;
static IPC::sharedPage mistProxOut(SHM_PROXY, proxy_written.size()+100, true, false); static IPC::sharedPage mistProxOut(SHM_PROXY, proxy_written.size()+100, true, false);
mistProxOut.close(); mistProxOut.close();
mistProxOut.init(SHM_PROXY, proxy_written.size()+100, true, false); mistProxOut.init(SHM_PROXY, proxy_written.size()+100, true, false);

4
src/controller/controller_storage.h
View file

@ -25,6 +25,10 @@ namespace Controller {
void Log(const std::string & kind, const std::string & message, const std::string & stream = "", bool noWriteToLog = false); void Log(const std::string & kind, const std::string & message, const std::string & stream = "", bool noWriteToLog = false);
void logAccess(const std::string & sessId, const std::string & strm, const std::string & conn, const std::string & host, uint64_t duration, uint64_t up, uint64_t down, const std::string & tags); void logAccess(const std::string & sessId, const std::string & strm, const std::string & conn, const std::string & host, uint64_t duration, uint64_t up, uint64_t down, const std::string & tags);
void normalizeTrustedProxies(JSON::Value & tp);
/// Write contents to Filename. /// Write contents to Filename.
bool WriteFile(std::string Filename, std::string contents); bool WriteFile(std::string Filename, std::string contents);
void writeConfigToDisk(); void writeConfigToDisk();

11
src/output/output_http.cpp
View file

@ -448,8 +448,7 @@ namespace Mist {
bool HTTPOutput::isTrustedProxy(const std::string & ip){ bool HTTPOutput::isTrustedProxy(const std::string & ip){
static std::set<std::string> trustedProxies; static std::set<std::string> trustedProxies;
if (!trustedProxies.size()){ if (!trustedProxies.size()){
trustedProxies.insert("::1"); trustedProxies.insert("localhost");
trustedProxies.insert("127.0.0.1");
IPC::sharedPage rPage(SHM_PROXY, 0, false, false); IPC::sharedPage rPage(SHM_PROXY, 0, false, false);
if (rPage){ if (rPage){
@ -467,11 +466,11 @@ namespace Mist {
} }
} }
} }
//Make sure to also check for IPv6 addresses std::string binIp = Socket::getBinForms(ip);
if (ip.substr(0, 7) == "::ffff:" && trustedProxies.count(ip.substr(7))){ for (std::set<std::string>::iterator it = trustedProxies.begin(); it != trustedProxies.end(); ++it){
return true; if (Socket::isBinAddress(binIp, *it)){return true;}
} }
return trustedProxies.count(ip) > 0; return false;
} }
/*LTS-END*/ /*LTS-END*/