diff options
author | Côme Chilliet <91878298+come-nc@users.noreply.github.com> | 2023-11-21 09:50:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-21 09:50:38 +0100 |
commit | 24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f (patch) | |
tree | 9b13480ab888dc66a332396f952b00d82cb308d3 /apps/settings/lib | |
parent | 0e433501bbe68b42bd466c43bfb8ef0afb75c820 (diff) | |
parent | ad372869bc803c3540fd8657c4fcb643d3db5b08 (diff) | |
download | nextcloud-server-24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f.tar.gz nextcloud-server-24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f.zip |
Merge pull request #41438 from nextcloud/feat/migrate-forwarded-for-headers-check
Migrate forwarded for headers check
Diffstat (limited to 'apps/settings/lib')
-rw-r--r-- | apps/settings/lib/AppInfo/Application.php | 2 | ||||
-rw-r--r-- | apps/settings/lib/Controller/CheckSetupController.php | 26 | ||||
-rw-r--r-- | apps/settings/lib/SetupChecks/BruteForceThrottler.php | 14 | ||||
-rw-r--r-- | apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 94 |
4 files changed, 105 insertions, 31 deletions
diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php index 6f4a94bdda9..d694e650b48 100644 --- a/apps/settings/lib/AppInfo/Application.php +++ b/apps/settings/lib/AppInfo/Application.php @@ -53,6 +53,7 @@ use OCA\Settings\SetupChecks\CheckUserCertificates; use OCA\Settings\SetupChecks\DefaultPhoneRegionSet; use OCA\Settings\SetupChecks\EmailTestSuccessful; use OCA\Settings\SetupChecks\FileLocking; +use OCA\Settings\SetupChecks\ForwardedForHeaders; use OCA\Settings\SetupChecks\InternetConnectivity; use OCA\Settings\SetupChecks\LegacySSEKeyFormat; use OCA\Settings\SetupChecks\MemcacheConfigured; @@ -162,6 +163,7 @@ class Application extends App implements IBootstrap { $context->registerSetupCheck(DefaultPhoneRegionSet::class); $context->registerSetupCheck(EmailTestSuccessful::class); $context->registerSetupCheck(FileLocking::class); + $context->registerSetupCheck(ForwardedForHeaders::class); $context->registerSetupCheck(InternetConnectivity::class); $context->registerSetupCheck(LegacySSEKeyFormat::class); $context->registerSetupCheck(MemcacheConfigured::class); diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php index 6d74a670a07..13e54063d8a 100644 --- a/apps/settings/lib/Controller/CheckSetupController.php +++ b/apps/settings/lib/Controller/CheckSetupController.php @@ -247,31 +247,6 @@ class CheckSetupController extends Controller { } /** - * Check if the reverse proxy configuration is working as expected - * - * @return bool - */ - private function forwardedForHeadersWorking(): bool { - $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); - $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); - - if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { - return false; - } - - if (\is_array($trustedProxies)) { - if (\in_array($remoteAddress, $trustedProxies, true) && $remoteAddress !== '127.0.0.1') { - return $remoteAddress !== $this->request->getRemoteAddress(); - } - } else { - return false; - } - - // either not enabled or working correctly - return true; - } - - /** * Checks if the correct memcache module for PHP is installed. Only * fails if memcached is configured and the working module is not installed. * @@ -721,7 +696,6 @@ Raw output 'cronErrors' => $this->getCronErrors(), 'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(), 'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(), - 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(), 'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'), 'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(), 'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(), diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index 6c1efd56bc1..3fbdf2d788a 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -53,17 +53,21 @@ class BruteForceThrottler implements ISetupCheck { public function run(): SetupResult { $address = $this->request->getRemoteAddress(); if ($address === '') { - return SetupResult::info( - $this->l10n->t('Your remote address could not be determined.') - ); + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); + } else { + /* Should never happen */ + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); + } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( - $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address), + $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', [$address]), $this->urlGenerator->linkToDocs('admin-reverse-proxy') ); } else { return SetupResult::success( - $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', $address) + $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', [$address]) ); } } diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php new file mode 100644 index 00000000000..3572feabb1f --- /dev/null +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -0,0 +1,94 @@ +<?php + +declare(strict_types=1); + +/** + * @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com> + * + * @author Côme Chilliet <come.chilliet@nextcloud.com> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\Settings\SetupChecks; + +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class ForwardedForHeaders implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private IConfig $config, + private IURLGenerator $urlGenerator, + private IRequest $request, + ) { + } + + public function getCategory(): string { + return 'security'; + } + + public function getName(): string { + return $this->l10n->t('Forwared for headers'); + } + + public function run(): SetupResult { + $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); + $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); + $detectedRemoteAddress = $this->request->getRemoteAddress(); + + if (!\is_array($trustedProxies)) { + return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.')); + } + + if (($remoteAddress === '') && ($detectedRemoteAddress === '')) { + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); + } else { + /* Should never happen */ + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); + } + } + + if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { + return SetupResult::error( + $this->l10n->t('The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + + if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { + if ($remoteAddress !== $detectedRemoteAddress) { + /* Remote address was successfuly fixed */ + return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', [$detectedRemoteAddress])); + } else { + return SetupResult::warning( + $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + } + + /* Either not enabled or working correctly */ + return SetupResult::success(); + } +} |