
Add trusted whitelist proxy protocol #2234

Merged (3 commits), Oct 10, 2017

Conversation

@emilevauge (Member) commented Oct 9, 2017

Description

This PR adds a mandatory trusted IP ranges declaration when enabling proxy protocol.
⚠️ This change will break any 1.4.0-rcx config with proxy protocol enabled.
You need to update your config from:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  proxyprotocol = true

to

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.proxyProtocol]
    trustedIPs = ["10.5.0.2", "127.0.0.1/8"]

with 10.5.0.2 being the IP address of your front load balancer.

I'm working on adding an integration test.
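As an added illustration of the trust rule the description spells out (this is example code written for this page, not part of the PR or of Traefik's code base): the snippet parses a trustedIPs list in the same shapes the new config accepts, bare addresses and CIDR ranges, and honours a PROXY-protocol source address only when the TCP peer that sent it is inside one of those ranges. The type and function names (TrustedIPs, ParseTrustedIPs, ClientIP) and the connections in main are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// TrustedIPs is a parsed list of IP ranges (hypothetical type for this
// example; not Traefik's own implementation).
type TrustedIPs []*net.IPNet

// ParseTrustedIPs accepts the shapes used by the trustedIPs key in the PR
// description: bare addresses ("10.5.0.2") and CIDR ranges ("127.0.0.1/8").
// A bare address is treated as a single-host range (/32 or /128).
func ParseTrustedIPs(entries []string) (TrustedIPs, error) {
	var ranges TrustedIPs
	for _, raw := range entries {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			return nil, fmt.Errorf("empty trusted IP entry")
		}
		if !strings.Contains(entry, "/") {
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("invalid IP %q", entry)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			entry = fmt.Sprintf("%s/%d", ip.String(), bits)
		}
		_, ipNet, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid trusted IP range %q: %v", raw, err)
		}
		ranges = append(ranges, ipNet)
	}
	if len(ranges) == 0 {
		// Mirrors the PR's rule: proxy protocol without trusted ranges is a
		// configuration error, never a "trust every peer" default.
		return nil, fmt.Errorf("proxy protocol requires at least one trusted IP range")
	}
	return ranges, nil
}

// Contains reports whether addr falls inside any trusted range.
func (t TrustedIPs) Contains(addr net.IP) bool {
	for _, n := range t {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// ClientIP decides which address the application should treat as the client.
// peer is the TCP peer that opened the connection (net.Conn.RemoteAddr());
// proxySrc is the source address carried by a PROXY protocol header, or ""
// when the connection carried none. The header is honoured only when the
// peer itself is trusted; otherwise the peer address is kept and
// headerIgnored is set so the event can be logged.
func (t TrustedIPs) ClientIP(peer string, proxySrc string) (client string, headerIgnored bool, err error) {
	host, _, err := net.SplitHostPort(peer)
	if err != nil {
		return "", false, fmt.Errorf("bad peer address %q: %v", peer, err)
	}
	peerIP := net.ParseIP(host)
	if peerIP == nil {
		return "", false, fmt.Errorf("bad peer IP %q", host)
	}
	if proxySrc == "" {
		return peerIP.String(), false, nil
	}
	if !t.Contains(peerIP) {
		return peerIP.String(), true, nil
	}
	src := net.ParseIP(proxySrc)
	if src == nil {
		return "", false, fmt.Errorf("bad PROXY source %q", proxySrc)
	}
	return src.String(), false, nil
}

func main() {
	trusted, err := ParseTrustedIPs([]string{"10.5.0.2", "127.0.0.1/8"})
	if err != nil {
		panic(err)
	}
	// Constructed connections: one from the front load balancer (10.5.0.2),
	// one direct connection that also sends a PROXY header, one local.
	for _, c := range []struct{ peer, proxySrc string }{
		{"10.5.0.2:51234", "203.0.113.7"},
		{"198.51.100.9:44321", "203.0.113.7"},
		{"127.0.0.1:60000", ""},
	} {
		client, ignored, err := trusted.ClientIP(c.peer, c.proxySrc)
		fmt.Printf("peer=%s proxySrc=%q -> client=%s headerIgnored=%v err=%v\n",
			c.peer, c.proxySrc, client, ignored, err)
	}
}
```

The second constructed connection is the case the trusted list exists for: a peer outside the list presents a PROXY header, and the header is discarded instead of rewriting the client address, so downstream IP-based decisions (whitelists, rate limits, logs) keep seeing the real TCP peer.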

@emilevauge emilevauge added this to the 1.4 milestone Oct 9, 2017
@emilevauge emilevauge force-pushed the add-trust-whitelist-proxy-protocol branch 2 times, most recently from 7ab6ed0 to 264ef16 on October 9, 2017 22:04
}

func (whitelister *IPWhitelister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
remoteIP, err := ipFromRemoteAddr(r.RemoteAddr)
func (whiteLister *IPWhiteLister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
Contributor

func(whiteLister *IPWhiteLister) -> func(wl *IPWhiteLister)

reject(w)
}

func (whiteLister *IPWhiteLister) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
Contributor

func(whiteLister *IPWhiteLister) -> func(wl *IPWhiteLister)

server/server.go Outdated
@@ -19,6 +19,7 @@ import (
"sync"
"time"

"fmt"
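Review bot: "fmt" is added as its own import group after the blank line that follows "time", so gofmt will not sort it with the other standard-library imports (it only sorts within a group); move it into that first group, where it sorts before "sync", as the request to sort imports above also implies.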
Contributor

Could you sort imports?


var proxyProtocol *ProxyProtocol
if len(result["ProxyProtocol"]) > 0 {
trustedIPs := []string{}
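Review bot: the empty literal in `trustedIPs := []string{}` can be `var trustedIPs []string` if the slice is only appended to, and, more importantly, this branch runs only when `result["ProxyProtocol"]` is non-empty: since the PR makes trusted ranges mandatory whenever proxy protocol is enabled, make sure a ProxyProtocol value that parses to zero trusted IPs produces a configuration error rather than a `*ProxyProtocol` holding an empty list.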
Contributor

Seems unnecessary

server/server.go Outdated
if !ok {
return false, fmt.Errorf("Type error %v", addr)
}
contains, err := IPs.ContainsIP(ip.IP)
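Review bot: the error string in `fmt.Errorf("Type error %v", addr)` should start lower-case (`"type error %v"`) per Go convention, since error messages get wrapped and concatenated; and because this function returns a (bool, error) pair, the caller has to treat any non-nil error as "not trusted", not only a `false` result, so returning `IPs.ContainsIP(ip.IP)` directly, as suggested above, keeps that contract explicit with less code.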
Contributor

You can replace this block:

contains, err := IPs.ContainsIP(ip.IP)
if err != nil {
	return false, err
}
if contains {
	return true, nil
}
return false, nil

by:

return IPs.ContainsIP(ip.IP)

Member Author

This one is gold 😂

@@ -142,7 +142,7 @@ func TestEntryPoints_Set(t *testing.T) {
}{
{
name: "all parameters",
expression: "Name:foo Address:bar TLS:goo,gii TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol:true",
expression: "Name:foo Address:bar TLS:goo,gii TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol:192.168.0.1",
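Review bot: the "all parameters" case now passes a single address, `ProxyProtocol:192.168.0.1`, while the documented config takes a list of addresses and CIDR ranges such as "127.0.0.1/8"; give the test at least one CIDR entry as well so range parsing is covered, and consider the `ProxyProtocol.TrustedIPs:` key form suggested above so the flag syntax mirrors the TOML structure.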
Contributor

Instead of ProxyProtocol:192.168.0.1 I think we can use ProxyProtocol.TrustedIPs:192.168.0.1

@juliens (Member) left a comment

LGTM 😉

@ldez ldez force-pushed the add-trust-whitelist-proxy-protocol branch from 13869a1 to 143dbd2 on October 10, 2017 12:24
@ldez (Contributor) left a comment

LGTM

@nmengin (Contributor) left a comment

LGTM 👏
