habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

root: check remote IP for proxy protocol same as HTTP/etc (#12094)

Browse Source 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
2024-11-20 21:33:35 +01:00
committed by GitHub
parent 14867e3fdd
commit d4bf3b7068
6 changed files with 41 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/outpost/ldap/ldap.go
View File

@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
return err
}
proxyListener := &proxyproto.Listener{Listener: ln}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
ls.log.WithField("listen", listen).Info("Starting LDAP server")

2
internal/outpost/ldap/ldap_tls.go
View File

@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
return err
}
proxyListener := &proxyproto.Listener{Listener: ln}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
tln := tls.NewListener(proxyListener, tlsConfig)

4
internal/outpost/proxyv2/proxyv2.go
View File

@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
return
}
proxyListener := &proxyproto.Listener{Listener: listener}
proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
ps.log.WithError(err).Warning("Failed to listen (TLS)")
return
}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig)

34
internal/utils/proxy.go Normal file
View File

@ -0,0 +1,34 @@
package utils
import (
"net"
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
)
func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
nets := []*net.IPNet{}
for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
_, cidr, err := net.ParseCIDR(rn)
if err != nil {
continue
}
nets = append(nets, cidr)
}
return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
if err == nil {
// remoteAddr will be nil if the IP cannot be parsed
remoteAddr := net.ParseIP(host)
for _, allowedCidr := range nets {
if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
return proxyproto.USE, nil
}
}
}
return proxyproto.SKIP, nil
}
}

3
internal/web/web.go
View File

@ -19,6 +19,7 @@ import (
"goauthentik.io/internal/config"
"goauthentik.io/internal/gounicorn"
"goauthentik.io/internal/outpost/proxyv2"
"goauthentik.io/internal/utils"
"goauthentik.io/internal/utils/web"
"goauthentik.io/internal/web/brand_tls"
)
@ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() {
ws.log.WithError(err).Warning("failed to listen")
return
}
proxyListener := &proxyproto.Listener{Listener: ln}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")

2
internal/web/tls.go → internal/web/web_tls.go
View File

@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
ws.log.WithError(err).Warning("failed to listen (TLS)")
return
}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig)