Merge pull request perlbal#3 from abh/master
support multiple netmasks for trusted_upstream_proxies
abh committed Aug 17, 2011
2 parents ce75605 + 72c0e46 commit 10557ca
Showing 7 changed files with 37 additions and 12 deletions.
2 changes: 1 addition & 1 deletion devtools/gendocs.pl
@@ -1,4 +1,4 @@
#!/usr/bin/perl
#!/usr/bin/env perl
#

use strict;
3 changes: 0 additions & 3 deletions doc/hacking/todo.txt
Expand Up @@ -70,9 +70,6 @@
* getter commands to retrieve the running config (GET?) or DUMP/SHOW/LIST
http://rt.livejournal.org/Ticket/Display.html?id=2783

* add tests for 'trusted_upstream_proxies' and 'always_trusted'
http://rt.livejournal.org/Ticket/Display.html?id=2784

* get rid of httpres vs. res distinction in HTTPHeaders
http://rt.livejournal.org/Ticket/Display.html?id=2785

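Review bot: the removed todo item covered tests for both 'trusted_upstream_proxies' and 'always_trusted', but the only test change in this commit (t/90-accesscontrol.t) exercises trusted_upstream_proxies; unless always_trusted is already covered elsewhere, keep the 'always_trusted' half of the item (and its RT ticket link) rather than dropping the whole entry.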
9 changes: 8 additions & 1 deletion doc/service-parameters.txt
Expand Up @@ -75,6 +75,10 @@ For all services:
| | | |service that maps onto |
| | | |other services. |
|---------------------------+----+---------------------+---------------------------|
| | | |Path to directory |
|ssl_ca_path | | |containing certificates for|
| | | |SSL. |
|---------------------------+----+---------------------+---------------------------|
|ssl_cert_file | |certs/server-cert.pem|Path to certificate PEM |
| | | |file for SSL. |
|---------------------------+----+---------------------+---------------------------|
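Review bot: the new ssl_ca_path row leaves the default column empty while the neighbouring ssl_cert_file row lists certs/server-cert.pem; if the tunable has a default it should be shown the same way, and if it intentionally has none, say so in the description ("no default; unset disables CA verification" or whatever the actual behaviour is) so readers do not assume it is required. This row is also unrelated to the multiple-netmask change the PR describes.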
Expand All @@ -83,7 +87,10 @@ For all services:
|ssl_key_file | |certs/server-key.pem |Path to private key PEM |
| | | |file for SSL. |
|---------------------------+----+---------------------+---------------------------|
| | | |A Net::Netmask filter (e.g.|
|ssl_verify_mode |int |0 |SSL verification mode |
|---------------------------+----+---------------------+---------------------------|
| | | |A comma separated list of |
| | | |Net::Netmask filters (e.g. |
| | | |10.0.0.0/24, see |
| | | |Net::Netmask) that |
|trusted_upstream_proxies | | |determines whether upstream|
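Review bot: the description should say what the parser in this same commit actually accepts: whitespace around the commas is ignored (Service.pm splits on /\s*,\s*/) and a single entry that Net::Netmask rejects makes the whole SET fail, so an operator editing a long list knows that one typo disables the previously working value rather than silently dropping the bad entry.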
2 changes: 1 addition & 1 deletion lib/Perlbal/Manual/Internals.pod
Expand Up @@ -775,7 +775,7 @@ Int, 0-100; % chance to take a standard priority request when we're in pressure

=item trusted_upstream_proxies

L<Net::Netmask> object containing netmasks for trusted upstreams.
Array of L<Net::Netmask> objects containing netmasks for trusted upstreams.


=item always_trusted
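Review bot: "Array of L<Net::Netmask> objects" is not quite what the setter stores; Service.pm assigns a reference (`$self->{trusted_upstream_proxies} = \@trusted_upstreams;`) and trusted_ip dereferences it with `@{ ... }`, so this internals doc should say "Arrayref of L<Net::Netmask> objects" to match.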
2 changes: 1 addition & 1 deletion lib/Perlbal/Manual/ReverseProxy.pod
Expand Up @@ -289,7 +289,7 @@ Default is C<certs/server-key.pem>.

=item B<trusted_upstream_proxies> = Net::Netmask filter

A L<Net::Netmask> filter (e.g. 10.0.0.0/24, see L<Net::Netmask>) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.
A comma separated list of L<Net::Netmask> filters (e.g. 10.0.0.0/24, see L<Net::Netmask>) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.


=item B<upload_status_listeners> = comma separated list of hosts
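Review bot: the `=item` heading still reads "= Net::Netmask filter" (singular) while the body now documents a comma separated list; update it to "= comma separated list of Net::Netmask filters", which also matches the style of the B<upload_status_listeners> heading just below.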
26 changes: 21 additions & 5 deletions lib/Perlbal/Service.pm
Expand Up @@ -376,7 +376,7 @@ our $tunables = {
},

'trusted_upstream_proxies' => {
des => "A Net::Netmask filter (e.g. 10.0.0.0/24, see Net::Netmask) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.",
des => "A comma separated list of Net::Netmask filters (e.g. 10.0.0.0/24, see Net::Netmask) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.",
check_role => "*",
check_type => sub {
my ($self, $val, $errref) = @_;
Expand All @@ -385,9 +385,23 @@ our $tunables = {
return 0;
}

return 1 if $self->{trusted_upstream_proxies} = Net::Netmask->new2($val);
$$errref = "Error defining trusted upstream proxies: " . Net::Netmask::errstr();
return 0;
my @val = split /\s*,\s*/, $val;
my @trusted_upstreams = ();

for my $ip (@val) {
my $net = Net::Netmask->new2($ip);
unless ($net) {
$$errref = "Error defining trusted upstream proxies: " . Net::Netmask::errstr();
return 0;
}
push @trusted_upstreams, $net;
}

unless (@trusted_upstreams) {
$$errref = "Error defining trusted upstream proxies: None found";
return 0;
}
$self->{trusted_upstream_proxies} = \@trusted_upstreams;
},
setter => sub {
my ($self, $val, $set, $mc) = @_;
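Review bot: check_type no longer ends with an explicit `return 1;` after `$self->{trusted_upstream_proxies} = \@trusted_upstreams;`; it only succeeds because Perl returns the value of the last statement (the assigned arrayref, which is true), and the old code returned 1 explicitly. Add `return 1;` after the assignment so the contract with the caller is not an accident of the last statement. Also, the error path inside the loop reports only Net::Netmask::errstr(); including the offending entry (`"Error defining trusted upstream proxies ($ip): " . Net::Netmask::errstr()`) tells the operator which item of a long list was rejected.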
Expand Down Expand Up @@ -1456,7 +1470,9 @@ sub trusted_ip {
return 0 unless $tmap;

# try to use it as a Net::Netmask object
return 1 if eval { $tmap->match($ip); };
for my $tmap (@{ $self->{trusted_upstream_proxies} }) {
return 1 if eval { $tmap->match($ip); };
}
return 0;
}

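Review bot: the loop variable `my $tmap` shadows the outer `$tmap` that is still tested by `return 0 unless $tmap;` two lines above, which is confusing and would hide a later mistake; either iterate `for my $net (@$tmap)` or drop the outer variable. The comment "# try to use it as a Net::Netmask object" is now stale since the value is an arrayref of them, and the `eval { ... }` still swallows any exception from match() silently, so a malformed entry that slipped past check_type would simply be treated as "not trusted" with no log line.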
5 changes: 5 additions & 0 deletions t/90-accesscontrol.t
Expand Up @@ -72,6 +72,11 @@ ok(manage("SET trusted_upstream_proxies = 127.0.0.1"), "Turning trusted upstream
ok(!check(), "Denied");
ok(check(["X-Forwarded-For" => "1.1.1.1"]), "Allowed with XFF header");

ok(manage("SET trusted_upstream_proxies = 10.0.0.0/24, 127.0.0.1"), "Turning trusted upstream proxies on for multiple netmasks");

ok(!check(), "Denied");
ok(check(["X-Forwarded-For" => "1.1.1.1"]), "Allowed with XFF header");

ok(manage("SET test.AccessControl.use_observed_ip = 0"), "Turning off observed IP");
ok(!check(["X-Forwarded-For" => "1.1.1.1"]), "Denied with XFF header");

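Review bot: the new multi-netmask test repeats exactly the assertions of the single-netmask test above it, so it only proves that 127.0.0.1 is still matched once it sits second in the list; it does not show that the first entry (10.0.0.0/24) is consulted, nor that a list with a malformed entry is rejected. Add a case where the observed IP falls only in the first netmask, and a negative case such as `ok(!manage("SET trusted_upstream_proxies = 10.0.0.0/24, not-a-netmask"), "Rejects malformed entry")` (assuming manage() returns false on a failed SET, as the existing `ok(manage(...))` usage implies).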