Bladeren bron
log real ip of requests from ssh (#21216)
Partially fix #21213. This PR will get client IP address from SSH_CONNECTION env which should be the first field of that. And deliver it to the internal API so Gitea routers could record the real IP from SSH requests. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>tags/v1.18.0-rc0
Lunny Xiao
1 jaar geleden
2 gewijzigde bestanden met toevoegingen van 17 en 2 verwijderingen
+ 13
- 2
modules/private/internal.go
Bestand weergeven
| "fmt" | "fmt" | ||||
| "net" | "net" | ||||
| "net/http" | "net/http" | ||||
| "os" | |||||
| "strings" | |||||
| "code.gitea.io/gitea/modules/httplib" | "code.gitea.io/gitea/modules/httplib" | ||||
| "code.gitea.io/gitea/modules/json" | "code.gitea.io/gitea/modules/json" | ||||
| "code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
| ) | ) | ||||
| func newRequest(ctx context.Context, url, method string) *httplib.Request { | |||||
| func newRequest(ctx context.Context, url, method, sourceIP string) *httplib.Request { | |||||
| if setting.InternalToken == "" { | if setting.InternalToken == "" { | ||||
| log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q. | log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q. | ||||
| Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf) | Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf) | ||||
| } | } | ||||
| return httplib.NewRequest(url, method). | return httplib.NewRequest(url, method). | ||||
| SetContext(ctx). | SetContext(ctx). | ||||
| Header("X-Real-IP", sourceIP). | |||||
| Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken)) | Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken)) | ||||
| } | } | ||||
| return &res | return &res | ||||
| } | } | ||||
| func getClientIP() string { | |||||
| sshConnEnv := strings.TrimSpace(os.Getenv("SSH_CONNECTION")) | |||||
| if len(sshConnEnv) == 0 { | |||||
| return "127.0.0.1" | |||||
| } | |||||
| return strings.Fields(sshConnEnv)[0] | |||||
| } | |||||
| func newInternalRequest(ctx context.Context, url, method string) *httplib.Request { | func newInternalRequest(ctx context.Context, url, method string) *httplib.Request { | ||||
| req := newRequest(ctx, url, method).SetTLSClientConfig(&tls.Config{ | |||||
| req := newRequest(ctx, url, method, getClientIP()).SetTLSClientConfig(&tls.Config{ | |||||
| InsecureSkipVerify: true, | InsecureSkipVerify: true, | ||||
| ServerName: setting.Domain, | ServerName: setting.Domain, | ||||
| }) | }) |
+ 4
- 0
routers/private/internal.go
Bestand weergeven
| "code.gitea.io/gitea/modules/web" | "code.gitea.io/gitea/modules/web" | ||||
| "gitea.com/go-chi/binding" | "gitea.com/go-chi/binding" | ||||
| chi_middleware "github.com/go-chi/chi/v5/middleware" | |||||
| ) | ) | ||||
| // CheckInternalToken check internal token is set | // CheckInternalToken check internal token is set | ||||
| r := web.NewRoute() | r := web.NewRoute() | ||||
| r.Use(context.PrivateContexter()) | r.Use(context.PrivateContexter()) | ||||
| r.Use(CheckInternalToken) | r.Use(CheckInternalToken) | ||||
| // Log the real ip address of the request from SSH is really helpful for diagnosing sometimes. | |||||
| // Since internal API will be sent only from Gitea sub commands and it's under control (checked by InternalToken), we can trust the headers. | |||||
| r.Use(chi_middleware.RealIP) | |||||
| r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent) | r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent) | ||||
| r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo) | r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo) |
Laden…