feat(security): add trusted proxies and abuse event cleanup
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 1m38s
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 1m38s
- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution. - Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events. - Update documentation with reverse proxy security guidelines and a production systemd deployment guide.
This commit is contained in:
29
backend/libs/services/proxy_test.go
Normal file
29
backend/libs/services/proxy_test.go
Normal file
@@ -0,0 +1,29 @@
|
||||
package services
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestClientIPTrustsForwardedHeadersByDefault(t *testing.T) {
|
||||
ip := ClientIP("127.0.0.1:6070", "203.0.113.10, 10.0.0.2", "198.51.100.2", nil)
|
||||
if ip != "203.0.113.10" {
|
||||
t.Fatalf("ClientIP = %q, want forwarded IP", ip)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClientIPUsesTrustedProxyCIDRs(t *testing.T) {
|
||||
trusted := []string{"127.0.0.1", "172.16.0.0/12"}
|
||||
ip := ClientIP("172.20.0.4:6070", "203.0.113.11", "", trusted)
|
||||
if ip != "203.0.113.11" {
|
||||
t.Fatalf("trusted ClientIP = %q", ip)
|
||||
}
|
||||
spoofed := ClientIP("198.51.100.20:6070", "203.0.113.12", "203.0.113.13", trusted)
|
||||
if spoofed != "198.51.100.20" {
|
||||
t.Fatalf("untrusted ClientIP = %q, want remote addr", spoofed)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClientIPFallsBackToRealIP(t *testing.T) {
|
||||
ip := ClientIP("127.0.0.1:6070", "", "203.0.113.14", nil)
|
||||
if ip != "203.0.113.14" {
|
||||
t.Fatalf("ClientIP = %q, want real IP", ip)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user