Merge pull request #624 from LaurenceJJones/trusted-proxies

feat: Trusted Proxies
gotify · Feb 10, 2024 · 46281d6 · 46281d6
2 parents d32d131 + 2953d75
commit 46281d6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/config.example.yml b/config.example.yml
@@ -23,6 +23,10 @@ server:
 
   responseheaders: # response headers are added to every response (default: none)
 #    X-Custom-Header: "custom value"
+#
+  trustedproxies: # IPs or IP ranges of trusted proxies. Used to obtain the remote ip via the X-Forwarded-For header. (configure 127.0.0.1 to trust sockets)
+#   - 127.0.0.1/32
+#   - ::1
 
   cors: # Sets cors headers only when needed and provides support for multiple allowed origins. Overrides Access-Control-* Headers in response headers.
     alloworigins:

diff --git a/config/config.go b/config/config.go
@@ -39,6 +39,8 @@ type Configuration struct {
 			AllowMethods []string
 			AllowHeaders []string
 		}
+
+		TrustedProxies []string
 	}
 	Database struct {
 		Dialect    string `default:"sqlite3"`

diff --git a/router/router.go b/router/router.go
@@ -27,6 +27,17 @@ import (
 func Create(db *database.GormDatabase, vInfo *model.VersionInfo, conf *config.Configuration) (*gin.Engine, func()) {
 	g := gin.New()
 
+	g.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	g.SetTrustedProxies(conf.Server.TrustedProxies)
+	g.ForwardedByClientIP = true
+
+	g.Use(func(ctx *gin.Context) {
+		// Map sockets "@" to 127.0.0.1, because gin-gonic can only trust IPs.
+		if ctx.Request.RemoteAddr == "@" {
+			ctx.Request.RemoteAddr = "127.0.0.1:65535"
+		}
+	})
+
 	g.Use(gin.LoggerWithFormatter(logFormatter), gin.Recovery(), gerror.Handler(), location.Default())
 	g.NoRoute(gerror.NotFound())