Revert "Read X-Real-Ip as the remote IP provided by the proxy."

This reverts commit fccb55f714.

Avoid exposing Authelia to more attacks by only keeping X-Forwarded-For.
pull/502/head
Clement Michaud 2019-12-11 08:29:32 +01:00
parent fccb55f714
commit 4dd6260ac8
2 changed files with 1 additions and 20 deletions


@ -153,17 +153,12 @@ func (c *AutheliaCtx) SetJSONBody(value interface{}) error {
// RemoteIP return the remote IP taking X-Forwarded-For header into account if provided. // RemoteIP return the remote IP taking X-Forwarded-For header into account if provided.
func (c *AutheliaCtx) RemoteIP() net.IP { func (c *AutheliaCtx) RemoteIP() net.IP {
XRealIP := c.RequestCtx.Request.Header.Peek("X-Real-IP")
if XRealIP != nil {
return net.ParseIP(string(XRealIP))
}
XForwardedFor := c.RequestCtx.Request.Header.Peek("X-Forwarded-For") XForwardedFor := c.RequestCtx.Request.Header.Peek("X-Forwarded-For")
if XForwardedFor != nil { if XForwardedFor != nil {
ips := strings.Split(string(XForwardedFor), ",") ips := strings.Split(string(XForwardedFor), ",")
if len(ips) > 0 { if len(ips) > 0 {
return net.ParseIP(strings.TrimSpace(ips[0])) return net.ParseIP(strings.Trim(ips[0], " "))
} }
} }
return c.RequestCtx.RemoteIP() return c.RequestCtx.RemoteIP()
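Review bot: RemoteIP still returns the leftmost X-Forwarded-For entry regardless of who sent the request, and that value is client-supplied unless the fronting proxy overwrites the header, so any IP-based decision built on it (callers are not visible in this hunk) inherits that trust. The header should only be honoured when `c.RequestCtx.RemoteIP()` is a configured trusted-proxy address, with the socket address used otherwise; that needs a setting which is not visible here. Independently, `net.ParseIP` returns nil for a malformed entry, so the function can hand back a nil IP; falling through to the socket address is safer: `if ip := net.ParseIP(strings.TrimSpace(ips[0])); ip != nil { return ip }`. The revert also swaps `strings.TrimSpace` back to `strings.Trim(ips[0], " ")`, which leaves tabs in place, and the test deleted in the second file also exercised the X-Forwarded-For path, so that parsing is left without visible coverage. The function's closing brace lies outside the hunk.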


@ -33,17 +33,3 @@ func TestShouldCallNextWithAutheliaCtx(t *testing.T) {
assert.True(t, nextCalled) assert.True(t, nextCalled)
} }
func TestShouldExtractXRealIPAsRemoteIP(t *testing.T) {
ctx := &fasthttp.RequestCtx{}
autheliaCtx := middlewares.AutheliaCtx{
RequestCtx: ctx,
}
assert.Equal(t, "0.0.0.0", autheliaCtx.RemoteIP().String())
ctx.Request.Header.Add("X-Forwarded-For", "10.0.0.1 , 192.168.0.1, 127.0.0.1")
assert.Equal(t, "10.0.0.1", autheliaCtx.RemoteIP().String())
ctx.Request.Header.Add("X-Real-Ip", "10.2.0.1")
assert.Equal(t, "10.2.0.1", autheliaCtx.RemoteIP().String())
}