feat: bypass security for health checks and support HEAD downloads
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 2m30s

- Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned.
- Add a test to verify health checks from banned IPs.
- Register a HEAD route for file downloads.
- Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper.
- Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration.
2026-05-23 19:07:11 +03:00
parent a2c80ac105
commit f0dcdd50ca
10 changed files with 250 additions and 11 deletions


@@ -141,10 +141,10 @@
<div class="security-panel-header"><strong>Security Runbook</strong><span>ops quick reference</span></div>
<div class="security-panel-body security-docs">
<h4>Reverse Proxy and Trusted CIDRs</h4>
<p>Set <code>WARPBOX_TRUSTED_PROXY_CIDRS</code> to the CIDRs of your proxy nodes only. WarpBox will trust forwarding headers only when the direct remote IP is in this list.</p>
<p>Set <code>WARPBOX_TRUSTED_PROXY_CIDRS</code> to the CIDRs of your proxy nodes only. Without this, all traffic can appear as the proxy or bridge IP, such as <code>172.30.0.1</code>.</p>
<pre>Caddyfile
:443 {
reverse_proxy 127.0.0.1:8080 {
reverse_proxy warpbox:8080 {
header_up X-Forwarded-For {http.request.remote.host}
header_up X-Real-IP {http.request.remote.host}
}
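Review bot: the rewritten paragraph at the top of this hunk drops the sentence "WarpBox will trust forwarding headers only when the direct remote IP is in this list" and keeps only the `172.30.0.1` symptom; keep both sentences, since the dropped one is the trust boundary an operator must understand before adding a CIDR to `WARPBOX_TRUSTED_PROXY_CIDRS`, and the new text alone reads as a logging-accuracy tip rather than a security setting. In the Caddyfile example, one line noting that `header_up X-Forwarded-For {http.request.remote.host}` sets the header to the direct client address rather than passing through a client-supplied value would make the behaviour the runbook relies on explicit, and the `reverse_proxy warpbox:8080` target should be accompanied by a note that `warpbox` is the compose service name, so readers on a non-compose deployment do not copy it verbatim.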