
support multiple netmasks for trusted_upstream_proxies #3

Merged
merged 2 commits into from

1 participant

Ask Bjørn Hansen
2  devtools/gendocs.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
use strict;
3  doc/hacking/todo.txt
@@ -70,9 +70,6 @@
* getter commands to retrieve the running config (GET?) or DUMP/SHOW/LIST
http://rt.livejournal.org/Ticket/Display.html?id=2783
-* add tests for 'trusted_upstream_proxies' and 'always_trusted'
- http://rt.livejournal.org/Ticket/Display.html?id=2784
-
* get rid of httpres vs. res distinction in HTTPHeaders
http://rt.livejournal.org/Ticket/Display.html?id=2785
9 doc/service-parameters.txt
@@ -75,6 +75,10 @@ For all services:
| | | |service that maps onto |
| | | |other services. |
|---------------------------+----+---------------------+---------------------------|
+| | | |Path to directory |
+|ssl_ca_path | | |containing certificates for|
+| | | |SSL. |
+|---------------------------+----+---------------------+---------------------------|
|ssl_cert_file | |certs/server-cert.pem|Path to certificate PEM |
| | | |file for SSL. |
|---------------------------+----+---------------------+---------------------------|
@@ -83,7 +87,10 @@ For all services:
|ssl_key_file | |certs/server-key.pem |Path to private key PEM |
| | | |file for SSL. |
|---------------------------+----+---------------------+---------------------------|
-| | | |A Net::Netmask filter (e.g.|
+|ssl_verify_mode |int |0 |SSL verification mode |
+|---------------------------+----+---------------------+---------------------------|
+| | | |A comma separated list of |
+| | | |Net::Netmask filters (e.g. |
| | | |10.0.0.0/24, see |
| | | |Net::Netmask) that |
|trusted_upstream_proxies | | |determines whether upstream|
2  lib/Perlbal/Manual/Internals.pod
@@ -775,7 +775,7 @@ Int, 0-100; % chance to take a standard priority request when we're in pressure
=item trusted_upstream_proxies
-L<Net::Netmask> object containing netmasks for trusted upstreams.
+Array of L<Net::Netmask> objects containing netmasks for trusted upstreams.
=item always_trusted
2  lib/Perlbal/Manual/ReverseProxy.pod
@@ -289,7 +289,7 @@ Default is C<certs/server-key.pem>.
=item B<trusted_upstream_proxies> = Net::Netmask filter
-A L<Net::Netmask> filter (e.g. 10.0.0.0/24, see L<Net::Netmask>) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.
+A comma separated list of L<Net::Netmask> filters (e.g. 10.0.0.0/24, see L<Net::Netmask>) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.
=item B<upload_status_listeners> = comma separated list of hosts
26 lib/Perlbal/Service.pm
@@ -375,7 +375,7 @@ our $tunables = {
},
'trusted_upstream_proxies' => {
- des => "A Net::Netmask filter (e.g. 10.0.0.0/24, see Net::Netmask) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.",
+ des => "A comma separated list of Net::Netmask filters (e.g. 10.0.0.0/24, see Net::Netmask) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.",
check_role => "*",
check_type => sub {
my ($self, $val, $errref) = @_;
@@ -384,9 +384,23 @@ our $tunables = {
return 0;
}
- return 1 if $self->{trusted_upstream_proxies} = Net::Netmask->new2($val);
- $$errref = "Error defining trusted upstream proxies: " . Net::Netmask::errstr();
- return 0;
+ my @val = split /\s*,\s*/, $val;
+ my @trusted_upstreams = ();
+
+ for my $ip (@val) {
+ my $net = Net::Netmask->new2($ip);
+ unless ($net) {
+ $$errref = "Error defining trusted upstream proxies: " . Net::Netmask::errstr();
+ return 0;
+ }
+ push @trusted_upstreams, $net;
+ }
+
+ unless (@trusted_upstreams) {
+ $$errref = "Error defining trusted upstream proxies: None found";
+ return 0;
+ }
+ $self->{trusted_upstream_proxies} = \@trusted_upstreams;
},
setter => sub {
my ($self, $val, $set, $mc) = @_;
@@ -1449,7 +1463,9 @@ sub trusted_ip {
return 0 unless $tmap;
# try to use it as a Net::Netmask object
- return 1 if eval { $tmap->match($ip); };
+ for my $tmap (@{ $self->{trusted_upstream_proxies} }) {
+ return 1 if eval { $tmap->match($ip); };
+ }
return 0;
}
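Review bot: The success path of check_type at the end of the second hunk no longer returns an explicit value; the sub falls off after `$self->{trusted_upstream_proxies} = \@trusted_upstreams;` and is only accepted because the assigned array ref happens to be true, while every failure path returns 0 explicitly. Add `return 1;` after that assignment so the success contract is stated rather than incidental. Now that the value is a list, the failure message could say which entry was rejected, `$$errref = "Error defining trusted upstream proxies ($ip): " . Net::Netmask::errstr();`. In the trusted_ip hunk, `for my $tmap (@{ $self->{trusted_upstream_proxies} })` shadows the `$tmap` tested on the line above it; a distinct name such as `$mask` iterating `@$tmap` removes the confusion. check_type starts in the preceding hunk and trusted_ip starts outside its hunk.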
5 t/90-accesscontrol.t
@@ -72,6 +72,11 @@ ok(manage("SET trusted_upstream_proxies = 127.0.0.1"), "Turning trusted upstream
ok(!check(), "Denied");
ok(check(["X-Forwarded-For" => "1.1.1.1"]), "Allowed with XFF header");
+ok(manage("SET trusted_upstream_proxies = 10.0.0.0/24, 127.0.0.1"), "Turning trusted upstream proxies on for multiple netmasks");
+
+ok(!check(), "Denied");
+ok(check(["X-Forwarded-For" => "1.1.1.1"]), "Allowed with XFF header");
+
ok(manage("SET test.AccessControl.use_observed_ip = 0"), "Turning off observed IP");
ok(!check(["X-Forwarded-For" => "1.1.1.1"]), "Denied with XFF header");
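Review bot: The added multi-netmask case would still pass if only the last entry in the list were honoured, because the harness connects from 127.0.0.1 and that address is the second entry. A negative case exercises the trust boundary from the other side with the same harness: `ok(manage("SET trusted_upstream_proxies = 10.0.0.0/24"), "Trusted upstream proxies set to a non-matching netmask");` followed by `ok(!check(["X-Forwarded-For" => "1.1.1.1"]), "Denied with XFF header from untrusted client");`, which confirms the header is ignored when the connecting address is outside every listed netmask. Whether the harness can originate a request from a 10.0.0.0/24 address is not visible here, so a positive test of the first entry may not be feasible.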