
Allow to use subnet notation in reverse proxy list

Closes #17475.
adaptive-webui-19844
Chocobo1 2 years ago
parent
commit
109c45bb95
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
  1. 29
      src/webui/webapplication.cpp
  2. 4
      src/webui/webapplication.h

29
src/webui/webapplication.cpp

@ -42,7 +42,6 @@
#include <QUrl> #include <QUrl>
#include "base/algorithm.h" #include "base/algorithm.h"
#include "base/global.h"
#include "base/http/httperror.h" #include "base/http/httperror.h"
#include "base/logger.h" #include "base/logger.h"
#include "base/preferences.h" #include "base/preferences.h"
@ -402,15 +401,29 @@ void WebApplication::configure()
m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled(); m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
if (m_isReverseProxySupportEnabled) if (m_isReverseProxySupportEnabled)
{ {
m_trustedReverseProxyList.clear();
const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts); const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts);
for (const QString &proxy : proxyList) m_trustedReverseProxyList.clear();
m_trustedReverseProxyList.reserve(proxyList.size());
for (QString proxy : proxyList)
{
if (!proxy.contains(u'/'))
{
const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol();
if (protocol == QAbstractSocket::IPv4Protocol)
{ {
QHostAddress ip; proxy.append(u"/32");
if (ip.setAddress(proxy)) }
m_trustedReverseProxyList.push_back(ip); else if (protocol == QAbstractSocket::IPv6Protocol)
{
proxy.append(u"/128");
}
}
const std::optional<Utils::Net::Subnet> subnet = Utils::Net::parseSubnet(proxy);
if (subnet)
m_trustedReverseProxyList.push_back(subnet.value());
} }
if (m_trustedReverseProxyList.isEmpty()) if (m_trustedReverseProxyList.isEmpty())
@ -728,7 +741,7 @@ QHostAddress WebApplication::resolveClientAddress() const
return m_env.clientAddress; return m_env.clientAddress;
// Only reverse proxy can overwrite client address // Only reverse proxy can overwrite client address
if (!m_trustedReverseProxyList.contains(m_env.clientAddress)) if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList))
return m_env.clientAddress; return m_env.clientAddress;
const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR); const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
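Review bot: In `WebApplication::configure()`, an entry that `Utils::Net::parseSubnet` rejects is dropped without any message, so a mistyped proxy or subnet silently disappears from the trust list and the operator only finds out when forwarded addresses stop being honoured. Since `base/logger.h` is already included, an `else` branch on `if (subnet)` could report it, e.g. `else LogMsg(tr("Ignored invalid trusted reverse proxy entry: \"%1\"").arg(proxy), Log::WARNING);`. Now that prefixes are accepted, it is also worth documenting next to the setting that every address inside a listed subnet can supply `X-Forwarded-For` and have `resolveClientAddress()` act on it, so ranges should be as narrow as the deployment allows; a very short prefix (presumably down to `/0`, if the parser accepts it) would make every peer a trusted proxy. Both function bodies continue outside the hunks shown.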

4
src/webui/webapplication.h

@ -34,11 +34,13 @@
#include <QDateTime> #include <QDateTime>
#include <QElapsedTimer> #include <QElapsedTimer>
#include <QHash> #include <QHash>
#include <QHostAddress>
#include <QMap> #include <QMap>
#include <QObject> #include <QObject>
#include <QRegularExpression> #include <QRegularExpression>
#include <QSet> #include <QSet>
#include <QTranslator> #include <QTranslator>
#include <QVector>
#include "base/applicationcomponent.h" #include "base/applicationcomponent.h"
#include "base/global.h" #include "base/global.h"
@ -233,7 +235,7 @@ private:
// Reverse proxy // Reverse proxy
bool m_isReverseProxySupportEnabled; bool m_isReverseProxySupportEnabled;
QVector<QHostAddress> m_trustedReverseProxyList; QVector<Utils::Net::Subnet> m_trustedReverseProxyList;
QHostAddress m_clientAddress; QHostAddress m_clientAddress;
QVector<Http::Header> m_prebuiltHeaders; QVector<Http::Header> m_prebuiltHeaders;
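Review bot: The `// Reverse proxy` comment above `m_trustedReverseProxyList` no longer tells a reader what the list holds now that its element type is `Utils::Net::Subnet` rather than `QHostAddress`. A short comment on the member would help, e.g. `// Trusted reverse proxies as subnets; a single address is stored as /32 (IPv4) or /128 (IPv6)`, which matches what `configure()` does in the .cpp hunk. The distinction matters because membership in this list decides whether the `X-Forwarded-For` header is honoured. The class body starts and ends outside this hunk.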
