Add X-Real-IP support as well

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)
diff --git a/src/controller.c b/src/controller.c

index ced9b9ca0b7b8170f5ab9c7b51bb99410d8d5017..29cd1b35103aa9ba99aaaef81b28bc92bdbd46cf 100644 (file)
--- a/src/controller.c
+++ b/src/controller.c
@@ -350,7 +350,7 @@ rspamd_controller_check_forwarded (struct rspamd_controller_session *session,
  {
         const rspamd_ftok_t *hdr;
         const gchar *comma;
-       const char *hdr_name = "X-Forwarded-For";
+       const char *hdr_name = "X-Forwarded-For", *alt_hdr_name = "X-Real-IP";
         char ip_buf[INET6_ADDRSTRLEN + 1];
         rspamd_inet_addr_t *addr = NULL;
         gint ret = 0;
@@ -387,6 +387,33 @@ rspamd_controller_check_forwarded (struct rspamd_controller_session *session,
                         }
                 }
         }
+       else {
+               /* Try also X-Real-IP */
+               hdr = rspamd_http_message_find_header (msg, alt_hdr_name);
+
+               if (hdr) {
+                       if (rspamd_parse_inet_address (&addr, hdr->begin, hdr->len)) {
+                               /* We have addr now, so check if it is still trusted */
+                               if (ctx->secure_map &&
+                                               radix_find_compressed_addr (ctx->secure_map,
+                                                               addr) != RADIX_NO_VALUE) {
+                                       /* rspamd_inet_address_to_string is not reentrant */
+                                       rspamd_strlcpy (ip_buf, rspamd_inet_address_to_string (addr),
+                                                       sizeof (ip_buf));
+                                       msg_info_session ("allow unauthorized proxied connection "
+                                                       "from a trusted IP %s via %s",
+                                                       ip_buf,
+                                                       rspamd_inet_address_to_string (session->from_addr));
+                                       ret = 1;
+                               }
+                               else {
+                                       ret = -1;
+                               }
+
+                               rspamd_inet_address_destroy (addr);
+                       }
+               }
+       }
  
         return ret;
  }
diff --git a/src/libstat/learn_cache/sqlite3_cache.c b/src/libstat/learn_cache/sqlite3_cache.c

index 7c5174fcf5ad151dcde3fd428631e91333a651ba..36048455af2312c1281ee654408e6d6dfb556e92 100644 (file)
--- a/src/libstat/learn_cache/sqlite3_cache.c
+++ b/src/libstat/learn_cache/sqlite3_cache.c
@@ -187,7 +187,7 @@ rspamd_stat_cache_sqlite3_check (struct rspamd_task *task,
         rspamd_token_t *tok;
         guchar *out;
         gchar *user = NULL;
-       guint i, j;
+       guint i;
         gint rc;
         gint64 flag;
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Wed, 20 Jan 2016 14:37:47 +0000 (14:37 +0000)
src/controller.c		patch \| blob \| history
src/libstat/learn_cache/sqlite3_cache.c		patch \| blob \| history