kato/warpbox-dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eacb4cde20a37b30705c92135c9d7365e054f47
warpbox-dev/backend/libs/services/proxy.go
Daniel Legt 10ed806153
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 1m38s
Details
feat(security): add trusted proxies and abuse event cleanup 
- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.
2026-05-31 21:52:56 +03:00

76 lines
1.8 KiB
Go
Raw Blame History

package services
import (
"context"
"net"
"net/http"
"strings"
)
type clientIPContextKey struct{}
func WithClientIP(r *http.Request, ip string) *http.Request {
return r.WithContext(context.WithValue(r.Context(), clientIPContextKey{}, ip))
}
func ClientIPFromContext(r *http.Request) (string, bool) {
ip, ok := r.Context().Value(clientIPContextKey{}).(string)
return ip, ok && ip != ""
}
// ClientIP resolves the effective client IP. When trustedProxies is empty,
// forwarded headers are trusted for easy reverse-proxy/container defaults.
func ClientIP(remoteAddr, forwardedFor, realIP string, trustedProxies []string) string {
remoteIP := remoteIPOnly(remoteAddr)
if len(trustedProxies) == 0 || remoteTrusted(remoteIP, trustedProxies) {
if ip := firstForwardedIP(forwardedFor); ip != "" {
return ip
}
if ip := strings.TrimSpace(realIP); ip != "" {
return ip
}
}
return remoteIP
}
func remoteIPOnly(remoteAddr string) string {
host := strings.TrimSpace(remoteAddr)
if splitHost, _, err := net.SplitHostPort(remoteAddr); err == nil {
host = splitHost
}
return strings.Trim(host, "[]")
}
func firstForwardedIP(forwardedFor string) string {
for _, part := range strings.Split(forwardedFor, ",") {
ip := strings.TrimSpace(part)
if ip != "" {
return strings.Trim(ip, "[]")
}
}
return ""
}
func remoteTrusted(remoteIP string, trustedProxies []string) bool {
parsed := net.ParseIP(remoteIP)
if parsed == nil {
return false
}
for _, trusted := range trustedProxies {
trusted = strings.TrimSpace(trusted)
if trusted == "" {
continue
}
if strings.Contains(trusted, "/") {
if _, network, err := net.ParseCIDR(trusted); err == nil && network.Contains(parsed) {
return true
}
continue
}
if ip := net.ParseIP(trusted); ip != nil && ip.Equal(parsed) {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink