aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLauris BH <lauris@nix.lv>2021-03-16 00:27:28 +0200
committerGitHub <noreply@github.com>2021-03-16 00:27:28 +0200
commit044cd4d016196e8c7091eee90b7e6f230bba142f (patch)
tree35f060380813f99588966339c5ddf796a8b8c451
parent6e423d5573c20b78d6e21cb044e8f4d5de5b288a (diff)
downloadgitea-044cd4d016196e8c7091eee90b7e6f230bba142f.tar.gz
gitea-044cd4d016196e8c7091eee90b7e6f230bba142f.zip
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation * Trust all IP addresses in containerized environments by default * Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs Co-authored-by: techknowlogick <techknowlogick@gitea.io>
-rw-r--r--custom/conf/app.example.ini4
-rw-r--r--docker/root/etc/templates/app.ini2
-rw-r--r--docker/rootless/etc/templates/app.ini2
-rw-r--r--docs/content/doc/advanced/config-cheat-sheet.en-us.md3
-rw-r--r--go.mod1
-rw-r--r--go.sum4
-rw-r--r--modules/setting/setting.go10
-rw-r--r--routers/routes/web.go21
-rw-r--r--vendor/github.com/chi-middleware/proxy/.drone.yml42
-rw-r--r--vendor/github.com/chi-middleware/proxy/.gitignore2
-rw-r--r--vendor/github.com/chi-middleware/proxy/.golangci.yml9
-rw-r--r--vendor/github.com/chi-middleware/proxy/.revive.toml25
-rw-r--r--vendor/github.com/chi-middleware/proxy/LICENSE19
-rw-r--r--vendor/github.com/chi-middleware/proxy/Makefile59
-rw-r--r--vendor/github.com/chi-middleware/proxy/README.md46
-rw-r--r--vendor/github.com/chi-middleware/proxy/go.mod8
-rw-r--r--vendor/github.com/chi-middleware/proxy/go.sum14
-rw-r--r--vendor/github.com/chi-middleware/proxy/middleware.go77
-rw-r--r--vendor/github.com/chi-middleware/proxy/options.go115
-rw-r--r--vendor/modules.txt3
20 files changed, 464 insertions, 2 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 6edf09e8ae..fe4fec7e92 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -549,6 +549,10 @@ COOKIE_REMEMBER_NAME = gitea_incredible
; Reverse proxy authentication header name of user name
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
+; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
+REVERSE_PROXY_LIMIT = 1
+; List of IP addresses and networks seperated by comma of trusted proxy servers. Use `*` to trust all.
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
; The minimum password length for new Users
MIN_PASSWORD_LENGTH = 6
; Set to true to allow users to import local server paths
diff --git a/docker/root/etc/templates/app.ini b/docker/root/etc/templates/app.ini
index c8a8cdc5f3..c5212a9358 100644
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -53,6 +53,8 @@ ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = $INSTALL_LOCK
SECRET_KEY = $SECRET_KEY
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
[service]
DISABLE_REGISTRATION = $DISABLE_REGISTRATION
diff --git a/docker/rootless/etc/templates/app.ini b/docker/rootless/etc/templates/app.ini
index 92755575b9..905b2adb33 100644
--- a/docker/rootless/etc/templates/app.ini
+++ b/docker/rootless/etc/templates/app.ini
@@ -49,6 +49,8 @@ ROOT_PATH = $GITEA_WORK_DIR/data/log
[security]
INSTALL_LOCK = $INSTALL_LOCK
SECRET_KEY = $SECRET_KEY
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
[service]
DISABLE_REGISTRATION = $DISABLE_REGISTRATION
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index c19f9fc717..e32112f025 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -390,6 +390,9 @@ relation to port exhaustion.
authentication.
- `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
authentication provided email.
+- `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
+ Number of trusted proxy count. Set to zero to not use these headers.
+- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
- `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with git hook privilege to create custom git hooks.
WARNING: Custom git hooks can be used to perform arbitrary code execution on the host operating system.
This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
diff --git a/go.mod b/go.mod
index 9b425dde38..a4a5706ccf 100644
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
github.com/boombuler/barcode v1.0.1 // indirect
github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect
github.com/caddyserver/certmagic v0.12.0
+ github.com/chi-middleware/proxy v1.1.1
github.com/couchbase/go-couchbase v0.0.0-20210224140812-5740cd35f448 // indirect
github.com/couchbase/gomemcached v0.1.2 // indirect
github.com/couchbase/goutils v0.0.0-20210118111533-e33d3ffb5401 // indirect
diff --git a/go.sum b/go.sum
index bc79ddb69b..860d807f96 100644
--- a/go.sum
+++ b/go.sum
@@ -194,6 +194,8 @@ github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chi-middleware/proxy v1.1.1 h1:4HaXUp8o2+bhHr1OhVy+VjN0+L7/07JDcn6v7YrTjrQ=
+github.com/chi-middleware/proxy v1.1.1/go.mod h1:jQwMEJct2tz9VmtCELxvnXoMfa+SOdikvbVJVHv/M+0=
github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU=
github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -318,6 +320,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.3/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkPro
github.com/go-chi/chi v1.5.1/go.mod h1:REp24E+25iKvxgeTfHmdUoL5x15kBiDBlnIl5bCwe2k=
github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
+github.com/go-chi/chi/v5 v5.0.1 h1:ALxjCrTf1aflOlkhMnCUP86MubbWFrzB3gkRPReLpTo=
+github.com/go-chi/chi/v5 v5.0.1/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
github.com/go-chi/cors v1.1.1 h1:eHuqxsIw89iXcWnWUN8R72JMibABJTN/4IOYI5WERvw=
github.com/go-chi/cors v1.1.1/go.mod h1:K2Yje0VW/SJzxiyMYu6iPQYa7hMjQX2i/F491VChg1I=
github.com/go-enry/go-enry/v2 v2.6.1 h1:ckFkMVj2NeHpaQDFDiSjanVjNy2IiuMNivhXDB4c5Q0=
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 60e433b1a2..9d27a5d743 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -169,6 +169,8 @@ var (
CookieRememberName string
ReverseProxyAuthUser string
ReverseProxyAuthEmail string
+ ReverseProxyLimit int
+ ReverseProxyTrustedProxies []string
MinPasswordLength int
ImportLocalPaths bool
DisableGitHooks bool
@@ -819,8 +821,16 @@ func NewContext() {
LogInRememberDays = sec.Key("LOGIN_REMEMBER_DAYS").MustInt(7)
CookieUserName = sec.Key("COOKIE_USERNAME").MustString("gitea_awesome")
CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible")
+
ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
+
+ ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
+ ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
+ if len(ReverseProxyTrustedProxies) == 0 {
+ ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
+ }
+
MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
diff --git a/routers/routes/web.go b/routers/routes/web.go
index 08faa274a5..166b4286a8 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -46,6 +46,7 @@ import (
"gitea.com/go-chi/captcha"
"gitea.com/go-chi/session"
"github.com/NYTimes/gziphandler"
+ "github.com/chi-middleware/proxy"
"github.com/go-chi/chi/middleware"
"github.com/go-chi/cors"
"github.com/prometheus/client_golang/prometheus"
@@ -65,14 +66,30 @@ func commonMiddlewares() []func(http.Handler) http.Handler {
next.ServeHTTP(context.NewResponse(resp), req)
})
},
- middleware.RealIP,
- middleware.StripSlashes,
}
+
+ if setting.ReverseProxyLimit > 0 {
+ opt := proxy.NewForwardedHeadersOptions().
+ WithForwardLimit(setting.ReverseProxyLimit).
+ ClearTrustedProxies()
+ for _, n := range setting.ReverseProxyTrustedProxies {
+ if !strings.Contains(n, "/") {
+ opt.AddTrustedProxy(n)
+ } else {
+ opt.AddTrustedNetwork(n)
+ }
+ }
+ handlers = append(handlers, proxy.ForwardedHeaders(opt))
+ }
+
+ handlers = append(handlers, middleware.StripSlashes)
+
if !setting.DisableRouterLog && setting.RouterLogLevel != log.NONE {
if log.GetLogger("router").GetLevel() <= setting.RouterLogLevel {
handlers = append(handlers, LoggerHandler(setting.RouterLogLevel))
}
}
+
handlers = append(handlers, func(next http.Handler) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
// Why we need this? The Recovery() will try to render a beautiful
diff --git a/vendor/github.com/chi-middleware/proxy/.drone.yml b/vendor/github.com/chi-middleware/proxy/.drone.yml
new file mode 100644
index 0000000000..48a22d06cb
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/.drone.yml
@@ -0,0 +1,42 @@
+---
+kind: pipeline
+name: compliance
+
+platform:
+ os: linux
+ arch: amd64
+
+steps:
+ - name: lint
+ pull: always
+ image: golang:1.14
+ commands:
+ - make fmt-check
+ - make misspell-check
+ - make lint
+
+ - name: test
+ pull: always
+ image: golang:1.14
+ commands:
+ - make test
+ depends_on:
+ - lint
+
+ - name: coverage
+ pull: always
+ image: robertstettner/drone-codecov
+ settings:
+ files:
+ - coverage.out
+ environment:
+ CODECOV_TOKEN:
+ from_secret: codecov_token
+ depends_on:
+ - test
+ when:
+ branch:
+ - master
+ event:
+ - push
+ - pull_request \ No newline at end of file
diff --git a/vendor/github.com/chi-middleware/proxy/.gitignore b/vendor/github.com/chi-middleware/proxy/.gitignore
new file mode 100644
index 0000000000..f70a965d95
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/.gitignore
@@ -0,0 +1,2 @@
+vendor/
+coverage.out
diff --git a/vendor/github.com/chi-middleware/proxy/.golangci.yml b/vendor/github.com/chi-middleware/proxy/.golangci.yml
new file mode 100644
index 0000000000..87c693d25e
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/.golangci.yml
@@ -0,0 +1,9 @@
+run:
+ timeout: 3m
+
+issues:
+ exclude-rules:
+ # Exclude some linters from running on tests files.
+ - path: _test\.go
+ linters:
+ - errcheck \ No newline at end of file
diff --git a/vendor/github.com/chi-middleware/proxy/.revive.toml b/vendor/github.com/chi-middleware/proxy/.revive.toml
new file mode 100644
index 0000000000..64e223bbfa
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/.revive.toml
@@ -0,0 +1,25 @@
+ignoreGeneratedHeader = false
+severity = "warning"
+confidence = 0.8
+errorCode = 1
+warningCode = 1
+
+[rule.blank-imports]
+[rule.context-as-argument]
+[rule.context-keys-type]
+[rule.dot-imports]
+[rule.error-return]
+[rule.error-strings]
+[rule.error-naming]
+[rule.exported]
+[rule.if-return]
+[rule.increment-decrement]
+[rule.var-naming]
+[rule.var-declaration]
+[rule.package-comments]
+[rule.range]
+[rule.receiver-naming]
+[rule.time-naming]
+[rule.unexported-return]
+[rule.indent-error-flow]
+[rule.errorf] \ No newline at end of file
diff --git a/vendor/github.com/chi-middleware/proxy/LICENSE b/vendor/github.com/chi-middleware/proxy/LICENSE
new file mode 100644
index 0000000000..35cf15903b
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2020 Lauris BH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/chi-middleware/proxy/Makefile b/vendor/github.com/chi-middleware/proxy/Makefile
new file mode 100644
index 0000000000..1514d4cc89
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/Makefile
@@ -0,0 +1,59 @@
+GO ?= go
+HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
+ifeq ($(HAS_GO), GO)
+ GOPATH ?= $(shell $(GO) env GOPATH)
+ export PATH := $(GOPATH)/bin:$(PATH)
+endif
+
+GOFMT ?= gofmt -s
+
+ifneq ($(RACE_ENABLED),)
+ GOTESTFLAGS ?= -race
+endif
+
+GO_SOURCES := $(wildcard *.go)
+GO_SOURCES_OWN := $(filter-out vendor/%, $(GO_SOURCES))
+GO_PACKAGES ?= $(shell $(GO) list ./... | grep -v /vendor/)
+
+.PHONY: revive
+revive:
+ @hash revive > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ $(GO) get -u github.com/mgechev/revive; \
+ fi
+ revive -config .revive.toml -exclude=./vendor/... ./... || exit 1
+
+.PHONY: golangci-lint
+golangci-lint:
+ @hash golangci-lint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ export BINARY="golangci-lint"; \
+ curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.26.0; \
+ fi
+ golangci-lint run --timeout 5m
+
+.PHONY: lint
+lint: golangci-lint revive
+
+.PHONY: fmt
+fmt:
+ $(GOFMT) -w $(GO_SOURCES_OWN)
+
+.PHONY: fmt-check
+fmt-check:
+ # get all go files and run go fmt on them
+ @diff=$$($(GOFMT) -d $(GO_SOURCES_OWN)); \
+ if [ -n "$$diff" ]; then \
+ echo "Please run 'make fmt' and commit the result:"; \
+ echo "$${diff}"; \
+ exit 1; \
+ fi;
+
+.PHONY: misspell-check
+misspell-check:
+ @hash misspell > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ $(GO) get -u github.com/client9/misspell/cmd/misspell; \
+ fi
+ misspell -error $(GO_SOURCES_OWN)
+
+.PHONY: test
+test:
+ $(GO) test -cover -coverprofile coverage.out $(GOTESTFLAGS) $(GO_PACKAGES)
diff --git a/vendor/github.com/chi-middleware/proxy/README.md b/vendor/github.com/chi-middleware/proxy/README.md
new file mode 100644
index 0000000000..2ddaedc5aa
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/README.md
@@ -0,0 +1,46 @@
+# [Chi](https://github.com/go-chi/chi) proxy middleware
+
+Forwarded headers middleware to use if application is run behind reverse proxy.
+
+[![Documentation](https://godoc.org/github.com/chi-middleware/proxy?status.svg)](https://pkg.go.dev/github.com/chi-middleware/proxy)
+[![codecov](https://codecov.io/gh/chi-middleware/proxy/branch/master/graph/badge.svg)](https://codecov.io/gh/chi-middleware/proxy)
+[![Go Report Card](https://goreportcard.com/badge/github.com/chi-middleware/proxy)](https://goreportcard.com/report/github.com/chi-middleware/proxy)
+[![Build Status](https://cloud.drone.io/api/badges/chi-middleware/proxy/status.svg?ref=refs/heads/master)](https://cloud.drone.io/chi-middleware/proxy)
+
+## Usage
+
+Import using:
+
+```go
+import "github.com/chi-middleware/proxy"
+```
+
+Use middleware with default options (trusted from proxy `127.0.0.1` and trusts only last IP address provided in header):
+
+```go
+ r := chi.NewRouter()
+ r.Use(proxy.ForwardedHeaders())
+```
+
+Extend default options:
+
+```go
+ r := chi.NewRouter()
+ r.Use(proxy.ForwardedHeaders(
+ proxy.NewForwardedHeadersOptions().
+ WithForwardLimit(2).
+ ClearTrustedProxies().AddTrustedProxy("10.0.0.1"),
+ ))
+```
+
+Provide custom options:
+
+```go
+ r := chi.NewRouter()
+ r.Use(proxy.ForwardedHeaders(&ForwardedHeadersOptions{
+ ForwardLimit: 1,
+ TrustedProxies: []net.IP{
+ net.IPv4(10, 0, 0, 1),
+ },
+ }))
+```
diff --git a/vendor/github.com/chi-middleware/proxy/go.mod b/vendor/github.com/chi-middleware/proxy/go.mod
new file mode 100644
index 0000000000..c7fe900f2d
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/go.mod
@@ -0,0 +1,8 @@
+module github.com/chi-middleware/proxy
+
+go 1.14
+
+require (
+ github.com/go-chi/chi/v5 v5.0.1
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/vendor/github.com/chi-middleware/proxy/go.sum b/vendor/github.com/chi-middleware/proxy/go.sum
new file mode 100644
index 0000000000..ed869e2622
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/go.sum
@@ -0,0 +1,14 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-chi/chi/v5 v5.0.1 h1:ALxjCrTf1aflOlkhMnCUP86MubbWFrzB3gkRPReLpTo=
+github.com/go-chi/chi/v5 v5.0.1/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/vendor/github.com/chi-middleware/proxy/middleware.go b/vendor/github.com/chi-middleware/proxy/middleware.go
new file mode 100644
index 0000000000..9315e2e023
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/middleware.go
@@ -0,0 +1,77 @@
+// Copyright 2020 Lauris BH. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package proxy
+
+// Ported from Goji's middleware, source:
+// https://github.com/zenazn/goji/tree/master/web/middleware
+
+import (
+ "net"
+ "net/http"
+ "strings"
+)
+
+var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
+var xRealIP = http.CanonicalHeaderKey("X-Real-IP")
+
+// ForwardedHeaders is a middleware that sets a http.Request's RemoteAddr to the results
+// of parsing either the X-Real-IP header or the X-Forwarded-For header (in that
+// order).
+func ForwardedHeaders(options ...*ForwardedHeadersOptions) func(h http.Handler) http.Handler {
+ opt := defaultOptions
+ if len(options) > 0 {
+ opt = options[0]
+ }
+ return func(h http.Handler) http.Handler {
+ fn := func(w http.ResponseWriter, r *http.Request) {
+ // Treat unix socket as 127.0.0.1
+ if r.RemoteAddr == "@" {
+ r.RemoteAddr = "127.0.0.1:0"
+ }
+ if rip := realIP(r, opt); len(rip) > 0 {
+ r.RemoteAddr = net.JoinHostPort(rip, "0")
+ }
+
+ h.ServeHTTP(w, r)
+ }
+
+ return http.HandlerFunc(fn)
+ }
+}
+
+func realIP(r *http.Request, options *ForwardedHeadersOptions) string {
+ host, _, err := net.SplitHostPort(r.RemoteAddr)
+ if err != nil {
+ return ""
+ }
+
+ if !options.isTrustedProxy(net.ParseIP(host)) {
+ return ""
+ }
+
+ var ip string
+
+ if xrip := r.Header.Get(xRealIP); xrip != "" {
+ ip = xrip
+ } else if xff := r.Header.Get(xForwardedFor); xff != "" {
+ p := 0
+ for i := options.ForwardLimit; i > 0; i-- {
+ if p > 0 {
+ xff = xff[:p-2]
+ }
+ p = strings.LastIndex(xff, ", ")
+ if p < 0 {
+ p = 0
+ break
+ } else {
+ p += 2
+ }
+ }
+
+ ip = xff[p:]
+ }
+
+ return ip
+}
diff --git a/vendor/github.com/chi-middleware/proxy/options.go b/vendor/github.com/chi-middleware/proxy/options.go
new file mode 100644
index 0000000000..f5c2f946de
--- /dev/null
+++ b/vendor/github.com/chi-middleware/proxy/options.go
@@ -0,0 +1,115 @@
+// Copyright 2020 Lauris BH. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package proxy
+
+import (
+ "net"
+)
+
+// ForwardedHeadersOptions represents options for forwarded header middleware
+type ForwardedHeadersOptions struct {
+ // ForwardLimit limits the number of entries in the headers that will be processed.
+ // The default value is 1. Set to 0 to disable the limit.
+ ForwardLimit int
+ // TrustingAllProxies option sets to trust all proxies.
+ TrustingAllProxies bool
+ // KnownProxies represents addresses of trusted proxies.
+ TrustedProxies []net.IP
+ // TrustedNetworks represents addresses of trusted networks.
+ TrustedNetworks []*net.IPNet
+}
+
+var defaultOptions = &ForwardedHeadersOptions{
+ ForwardLimit: 1,
+ TrustedProxies: []net.IP{
+ net.IPv4(127, 0, 0, 1),
+ },
+}
+
+// NewForwardedHeadersOptions creates new middleware options
+func NewForwardedHeadersOptions() *ForwardedHeadersOptions {
+ return &ForwardedHeadersOptions{
+ ForwardLimit: defaultOptions.ForwardLimit,
+ TrustedProxies: defaultOptions.TrustedProxies,
+ TrustedNetworks: defaultOptions.TrustedNetworks,
+ }
+}
+
+// WithForwardLimit sets number of entries to be processed
+func (opts *ForwardedHeadersOptions) WithForwardLimit(limit int) *ForwardedHeadersOptions {
+ opts.ForwardLimit = limit
+ return opts
+}
+
+// TrustAllProxies sets to trust all proxies
+func (opts *ForwardedHeadersOptions) TrustAllProxies() *ForwardedHeadersOptions {
+ opts.TrustingAllProxies = true
+ return opts
+}
+
+// ClearTrustedProxies clears trusted proxy list
+func (opts *ForwardedHeadersOptions) ClearTrustedProxies() *ForwardedHeadersOptions {
+ opts.TrustingAllProxies = false
+ opts.TrustedProxies = make([]net.IP, 0)
+ return opts
+}
+
+// AddTrustedProxy adds proxy IP to trusted proxy list
+func (opts *ForwardedHeadersOptions) AddTrustedProxy(ip string) *ForwardedHeadersOptions {
+ // Special option to trust all proxies if IP address is set as wildcard
+ if ip == "*" {
+ opts.TrustingAllProxies = true
+ return opts
+ }
+
+ ipaddr := net.ParseIP(ip)
+ if ipaddr == nil {
+ return opts
+ }
+
+ opts.TrustedProxies = append(opts.TrustedProxies, ipaddr)
+ return opts
+}
+
+// ClearTrustedNetworks clears trusted network list
+func (opts *ForwardedHeadersOptions) ClearTrustedNetworks() *ForwardedHeadersOptions {
+ opts.TrustedNetworks = make([]*net.IPNet, 0)
+ return opts
+}
+
+// AddTrustedNetwork adds network to trusted network list
+func (opts *ForwardedHeadersOptions) AddTrustedNetwork(cidr string) *ForwardedHeadersOptions {
+ _, netmask, err := net.ParseCIDR(cidr)
+ if err != nil || netmask == nil {
+ return opts
+ }
+
+ opts.TrustedNetworks = append(opts.TrustedNetworks, netmask)
+ return opts
+}
+
+func (opts *ForwardedHeadersOptions) isTrustedProxy(ip net.IP) bool {
+ if opts.TrustingAllProxies {
+ return true
+ }
+
+ if ip == nil {
+ return false
+ }
+
+ for _, tip := range opts.TrustedProxies {
+ if tip.Equal(ip) {
+ return true
+ }
+ }
+
+ for _, tnet := range opts.TrustedNetworks {
+ if tnet.Contains(ip) {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 840b9878f9..a9c6f6c1c3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -175,6 +175,9 @@ github.com/bradfitz/gomemcache/memcache
github.com/caddyserver/certmagic
# github.com/cespare/xxhash/v2 v2.1.1
github.com/cespare/xxhash/v2
+# github.com/chi-middleware/proxy v1.1.1
+## explicit
+github.com/chi-middleware/proxy
# github.com/chris-ramon/douceur v0.2.0
github.com/chris-ramon/douceur/parser
# github.com/couchbase/go-couchbase v0.0.0-20210224140812-5740cd35f448