Add server.real_ip_header

Closes cesanta#83
kejace · Apr 6, 2016 · 3b097dc · 3b097dc
1 parent 3110364
commit 3b097dc
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 14 deletions.
diff --git a/auth_server/server/config.go b/auth_server/server/config.go
@@ -37,12 +37,13 @@ type Config struct {
 	GoogleAuth *authn.GoogleAuthConfig        `yaml:"google_auth,omitempty"`
 	LDAPAuth   *authn.LDAPAuthConfig          `yaml:"ldap_auth,omitempty"`
 	MongoAuth  *authn.MongoAuthConfig         `yaml:"mongo_auth,omitempty"`
-	ACL        authz.ACL                      `yaml:"acl"`
+	ACL        authz.ACL                      `yaml:"acl,omitempty"`
 	ACLMongo   *authz.ACLMongoConfig          `yaml:"acl_mongo,omitempty"`
 }
 
 type ServerConfig struct {
 	ListenAddress string `yaml:"addr,omitempty"`
+	RealIPHeader  string `yaml:"real_ip_header,omitempty"`
 	CertFile      string `yaml:"certificate,omitempty"`
 	KeyFile       string `yaml:"key,omitempty"`
 

diff --git a/auth_server/server/server.go b/auth_server/server/server.go
@@ -88,13 +88,14 @@ func NewAuthServer(c *Config) (*AuthServer, error) {
 }
 
 type authRequest struct {
-	RemoteAddr string
-	RemoteIP   net.IP
-	User       string
-	Password   authn.PasswordString
-	Account    string
-	Service    string
-	Scopes     []authScope
+	RemoteConnAddr string
+	RemoteAddr     string
+	RemoteIP       net.IP
+	User           string
+	Password       authn.PasswordString
+	Account        string
+	Service        string
+	Scopes         []authScope
 }
 
 type authScope struct {
@@ -114,10 +115,9 @@ func (ar authRequest) String() string {
 
 func parseRemoteAddr(ra string) net.IP {
 	colonIndex := strings.LastIndex(ra, ":")
-	if colonIndex == -1 {
-		return nil
+	if colonIndex > 0 && ra[colonIndex-1] >= 0x30 && ra[colonIndex-1] <= 0x39 {
+		ra = ra[:colonIndex]
 	}
-	ra = ra[:colonIndex]
 	if ra[0] == '[' && ra[len(ra)-1] == ']' { // IPv6
 		ra = ra[1 : len(ra)-1]
 	}
@@ -126,10 +126,18 @@ func parseRemoteAddr(ra string) net.IP {
 }
 
 func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) {
-	ar := &authRequest{RemoteAddr: req.RemoteAddr}
-	ar.RemoteIP = parseRemoteAddr(req.RemoteAddr)
+	ar := &authRequest{RemoteConnAddr: req.RemoteAddr, RemoteAddr: req.RemoteAddr}
+	if as.config.Server.RealIPHeader != "" {
+		hv := req.Header.Get(as.config.Server.RealIPHeader)
+		ar.RemoteAddr = strings.TrimSpace(strings.Split(hv, ",")[0])
+		glog.V(3).Infof("Conn ip %s, %s: %s, addr: %s", ar.RemoteAddr, as.config.Server.RealIPHeader, hv, ar.RemoteAddr)
+		if ar.RemoteAddr == "" {
+			return nil, fmt.Errorf("client address not provided")
+		}
+	}
+	ar.RemoteIP = parseRemoteAddr(ar.RemoteAddr)
 	if ar.RemoteIP == nil {
-		return nil, fmt.Errorf("unable to parse remote addr %s", req.RemoteAddr)
+		return nil, fmt.Errorf("unable to parse remote addr %s", ar.RemoteAddr)
 	}
 	user, password, haveBasicAuth := req.BasicAuth()
 	if haveBasicAuth {

diff --git a/examples/reference.yml b/examples/reference.yml
@@ -15,6 +15,10 @@ server:  # Server settings.
   # TLS certificate and key.
   certificate: "/path/to/server.pem"
   key: "/path/to/server.key"
+  # Take client's address from the specified HTTP header instead of connection.
+  # May be useful if the server is behind a proxy or load balancer.
+  # If configured, this header must be present, requests without it will be rejected.
+  # real_ip_header: "X-Forwarded-For"
 
 token:  # Settings for the tokens.
   issuer: "Acme auth server"  # Must match issuer in the Registry config.