Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support specifying IPv6 proxies in CIDR notation #32615

Merged
merged 1 commit into from
Aug 4, 2022
Merged

Support specifying IPv6 proxies in CIDR notation #32615

merged 1 commit into from
Aug 4, 2022

Conversation

sleiner
Copy link
Contributor

@sleiner sleiner commented May 26, 2022

Previously, it was not possible to use CIDR notation for IPv6 proxies in the trusted_proxies parameter of config.php. This patch adds support for that, mainly by relying on inet_pton and a custom bitwise string comparison function instead of ip2long (which does not work for IPv6 because of its 128 bit address space).

It is worth noting that the bitwise comparison could be implemented a bit more straightforward using GMP, but since Nextcloud does not currently require GMP to be available, this alternative implementation was chosen instead.

The patch fixes issue #32253.

@sleiner sleiner force-pushed the feature/ipv6-cidr-for-trusted-proxies branch 2 times, most recently from 9fa14ca to bbe19d6 Compare May 27, 2022 14:21
@kesselb
Copy link
Contributor

kesselb commented May 27, 2022

Hey @sleiner 👋,

thank you very much for sending a pull request 👍

We had a pull request a while ago to add IPv6 CIDR support to trusted proxies. Maybe some of the tests and/or discussion are helpful for this pr: #12535

I am unsure about this pr. The way we implement the logic looks quite complex compared to https://github.com/symfony/http-foundation/blob/master/IpUtils.php. There is only a little chance that his logic (is ipv4 or is ipv6) changes in the near future (e.g. add ipvX).

Your pr looks good to me. Yet I have the same feeling as for the other pr 🙈

I believe we should pull in/copy IpUtils (including tests) from Symfony and adapt our code to it and not reinvent the wheel. Let me request some reviews to get more opinions on this one.

@kesselb kesselb requested review from nickvergessen, CarlSchwan, a team, PVince81 and skjnldsv and removed request for a team May 27, 2022 14:34
@kesselb kesselb added enhancement 3. to review Waiting for reviews labels May 27, 2022
@sleiner
Copy link
Contributor Author

sleiner commented May 27, 2022
edited
Loading

Hi @kesselb,

I had not seen #12535 before, thanks for pointing me to that! 😊 After taking a brief look at it, here are my thoughts:

  • The test cases for the Request class are basically the same as far as I see (except for some some of the concrete IP addresses and the extra constructor parameters introduced in Implementing trusted_proxies CIDR notation capability for IPv6 #12535). IMO, that's a a good sign.
  • Compared to Implementing trusted_proxies CIDR notation capability for IPv6 #12535, this implementation is much simpler:
    • No new classes, just two more helper methods
    • No custom-built detection of IPv4 vs. IPv6 addresses, just the use of inet_pton
    • No regexes validating IP addresses, just the use of inet_pton
  • Still, there are two places were this patch implements custom logic:
    • Splitting a string possibly containing a CIDR representation up into the net address and the prefix length: This just splits the string by the / character if there is one (same as Symfony's IpUtils).
    • Detecting whether two packed strings have the same prefix with a variable length of bits: Since I did not want to rely on GMP being available, this involves some custom fiddling with bits. Symfony's IpUtils do the same for IPv6, although their implementation differs quite a bit from mine.
  • Compared to my implementation, the Symfony one has a few advantages:
    • It has been used in production before.
    • It may perform better: For my implementation, I can say that I have not benchmarked it. In any case, the symfony implementation uses a cache while mine does not. This may be beneficial.

In general, I have no strong attachment to the specific code of this patch, I mainly would like to use the feature ;-) I have never contributed to Nextcloud (or written any PHP, for that matter) before so I had no idea what your policies are concerning pulling in code from external libraries. So just writing the code myself seemed like the quickest way to me. So let me know what you and your colleagues consider the best way forward here 👍🏻

@sleiner sleiner force-pushed the feature/ipv6-cidr-for-trusted-proxies branch from bbe19d6 to 74c5cff Compare May 27, 2022 15:57
@sleiner
Copy link
Contributor Author

sleiner commented Jun 10, 2022

@kesselb could you please approve running the workflows again? 😅

@sleiner
Copy link
Contributor Author

sleiner commented Jul 5, 2022

@kesselb Can you give an ETA for the reviews?

skjnldsv
skjnldsv approved these changes Jul 5, 2022
View reviewed changes
Copy link
Member

@skjnldsv skjnldsv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good

@come-nc come-nc mentioned this pull request Jul 12, 2022
Merged
@come-nc
Copy link
Contributor

come-nc commented Jul 12, 2022

@sleiner Hello, in the end we added symfony/http-foundation as a dependency because we needed the same functionnality in other parts of the code and felt it was better to rely on symfony rather than maintain our own copy.
Could you refactor this PR to use Symfony\Component\HttpFoundation\IpUtils instead? (rebase on master first)

I could do that in an other PR but I think your tests can work the same and this is valuable.

@sleiner
Copy link
Contributor Author

sleiner commented Jul 15, 2022

Sure thing 👍🏻 (though it will probably take a few days before I'll get to it)

@sleiner sleiner force-pushed the feature/ipv6-cidr-for-trusted-proxies branch from 74c5cff to abece9b Compare July 23, 2022 21:30
@sleiner
Copy link
Contributor Author

sleiner commented Jul 23, 2022

@come-nc done 😊

@nickvergessen nickvergessen added this to the Nextcloud 25 milestone Jul 26, 2022
@come-nc
Copy link
Contributor

come-nc commented Aug 2, 2022

@sleiner Can you rebase on master to retrigger CI?
It feels like the failures are unrelated.

@sleiner
Support specifying IPv6 proxies in CIDR notation
09362ea 
Previously, it was not possible to use CIDR notation for IPv6 proxies
in the trusted_proxies parameter of config.php [1]. This patch adds
support for that.

[1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies

Signed-off-by: Simon Leiner <simon@leiner.me>
@sleiner sleiner force-pushed the feature/ipv6-cidr-for-trusted-proxies branch from abece9b to 09362ea Compare August 2, 2022 15:37
@sleiner
Copy link
Contributor Author

sleiner commented Aug 2, 2022

@come-nc done 👍🏻

@sleiner
Copy link
Contributor Author

sleiner commented Aug 2, 2022

we still have some failing runs :/

  • The failing performance test seems like a general issue with pull requests from forked repositories to me.
  • The drone build fails on a timeout (for a notification in the files app), so this is probably a flaky test?

@come-nc come-nc merged commit f30d23b into nextcloud:master Aug 4, 2022
@welcome
Copy link

welcome bot commented Aug 4, 2022

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

@come-nc
Copy link
Contributor

come-nc commented Aug 4, 2022

we still have some failing runs :/

  • The failing performance test seems like a general issue with pull requests from forked repositories to me.
  • The drone build fails on a timeout (for a notification in the files app), so this is probably a flaky test?

Yeah seems unrelated, I merged it.

@skjnldsv skjnldsv mentioned this pull request Aug 11, 2022
Merged
kesselb added a commit that referenced this pull request Jan 3, 2023
@kesselb
docs: trusted_proxies support IPv6 ranges
a1fef7b 
Support for IPv6 ranges was added by #32615

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
@kesselb kesselb mentioned this pull request Jan 3, 2023
Merged
4 tasks
kesselb added a commit that referenced this pull request Jan 3, 2023
@kesselb
docs: trusted_proxies support IPv6 ranges
af6dcbd 
Support for IPv6 ranges was added by #32615

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
kesselb added a commit that referenced this pull request Jan 3, 2023
@kesselb
docs: trusted_proxies support IPv6 ranges
464b3b0 
Support for IPv6 ranges was added by #32615

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
@kesselb kesselb mentioned this pull request Jan 3, 2023
Merged
4 tasks
akhil1508 pushed a commit to e-foundation/server that referenced this pull request Sep 28, 2023
@kesselb @akhil1508
docs: trusted_proxies support IPv6 ranges
7559a41 
Support for IPv6 ranges was added by nextcloud#32615

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
Signed-off-by: Akhil <akhil@e.email>
@jivanpal jivanpal mentioned this pull request Oct 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

@come-nc come-nc come-nc approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan

@PVince81 PVince81 Awaiting requested review from PVince81

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement
Projects
None yet
Milestone
Nextcloud 25
Development

Successfully merging this pull request may close these issues.
5 participants
@sleiner @kesselb @come-nc @skjnldsv @nickvergessen