feat: bypass security for health checks and support HEAD downloads
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 2m30s
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 2m30s
- Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration.
This commit is contained in:
@@ -32,6 +32,17 @@ func TestClientIPTrustedProxyChain(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestClientIPTrustedDockerBridgeProxy(t *testing.T) {
|
||||
app := &App{config: &config.Config{TrustedProxyCIDRs: "172.30.0.1/32"}}
|
||||
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
||||
ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
ctx.Request.RemoteAddr = "172.30.0.1:8080"
|
||||
ctx.Request.Header.Set("X-Forwarded-For", "198.51.100.55")
|
||||
if got := app.clientIP(ctx); got != "198.51.100.55" {
|
||||
t.Fatalf("expected forwarded client IP from trusted docker bridge, got %q", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClientIPSpoofedHeaderFromUntrustedRemote(t *testing.T) {
|
||||
app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
|
||||
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
||||
|
||||
Reference in New Issue
Block a user