parse xff before deciding to reject a connection

this commit partially fixes the following issue: if a client manages to escape real-ip detection, copyparty will try to ban the reverse-proxy instead, effectively banning all clients this can happen if the configuration says to obtain client real-ip from a cloudflare header, but the server is not configured to reject connections from non-cloudflare IPs, so a scanner will eventually hit the server IP with malicious-looking requests and trigger a ban copyparty will now continue to process requests from banned IPs until the header has been parsed and the real-ip has been obtained (or not), causing an increased server load from malicious clients assuming the `--xff-src` and `--xff-hdr` config is correct, this issue should no longer be hitting innocent clients the old behavior of immediately rejecting a banned IP address can be re-enabled with the new option `--early-ban`
9001 · Mar 17, 2024 · 51d3158 · 51d3158
1 parent 32553e4
commit 51d3158
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
@@ -1122,6 +1122,7 @@ def add_safety(ap):
     ap2.add_argument("--ban-url", metavar="N,W,B", type=u, default="9,2,1440", help="hitting more than \033[33mN\033[0m sus URL's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; applies only to permissions g/G/h (decent replacement for \033[33m--ban-404\033[0m if that can't be used)")
     ap2.add_argument("--sus-urls", metavar="R", type=u, default=r"\.php$|(^|/)wp-(admin|content|includes)/", help="URLs which are considered sus / eligible for banning; disable with blank or [\033[32mno\033[0m]")
     ap2.add_argument("--nonsus-urls", metavar="R", type=u, default=r"^(favicon\.ico|robots\.txt)$|^apple-touch-icon|^\.well-known", help="harmless URLs ignored from 404-bans; disable with blank or [\033[32mno\033[0m]")
+    ap2.add_argument("--early-ban", action="store_true", help="if a client is banned, reject its connection as soon as possible; not a good idea to enable when proxied behind cloudflare since it could ban your reverse-proxy")
     ap2.add_argument("--aclose", metavar="MIN", type=int, default=10, help="if a client maxes out the server connection limit, downgrade it from connection:keep-alive to connection:close for \033[33mMIN\033[0m minutes (and also kill its active connections) -- disable with 0")
     ap2.add_argument("--loris", metavar="B", type=int, default=60, help="if a client maxes out the server connection limit without sending headers, ban it for \033[33mB\033[0m minutes; disable with [\033[32m0\033[0m]")
     ap2.add_argument("--acao", metavar="V[,V]", type=u, default="*", help="Access-Control-Allow-Origin; list of origins (domains/IPs without port) to accept requests from; [\033[32mhttps://1.2.3.4\033[0m]. Default [\033[32m*\033[0m] allows requests from all sites but removes cookies and http-auth; only ?pw=hunter2 survives")

diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
@@ -228,7 +228,7 @@ def run(self) -> bool:
             "Cache-Control": "no-store, max-age=0",
         }
 
-        if self.is_banned():
+        if self.args.early_ban and self.is_banned():
             return False
 
         if self.conn.ipa_nm and not self.conn.ipa_nm.map(self.conn.addr[0]):