add trust proxy env config

2023-10-23 20:54:15 +10:00 · 2023-10-23 20:54:15 +10:00 · 0cdf8fe7fc
parent bc6f8921fb
commit 0cdf8fe7fc
2 changed files with 33 additions and 1 deletions
--- a/filed/.env.example
+++ b/filed/.env.example
@ -1,6 +1,11 @@
 APP_LOGGING=true
 APP_HOST=0.0.0.0:80

+# The IP to trust X-Forwarded-For header
+# To serve to WAN directly, use 127.0.0.1
+# You can also use domains!
+PROXY_IP=127.0.0.1
+
 REDIS_PASS=bfile
 REDIS_HOST=redis
 REDIS_PORT=6379
--- a/filed/src/env.rs
+++ b/filed/src/env.rs
@ -3,7 +3,7 @@
 This file provides the `loadenv` function that will do just that.
 */

-use std::{env::var, net::SocketAddr, path::Path, fs};
+use std::{env::var, net::{SocketAddr, ToSocketAddrs, IpAddr}, path::Path, fs};

 pub const DEFAULT_CONFIG: &'static str = include_str!("../config/filed.toml.example");

@ -19,6 +19,7 @@ pub struct Redis {
 pub struct Env {
    pub logging: bool,
    pub listen: SocketAddr,
+    pub proxy_addr: IpAddr,
    pub redis: Redis,
    pub filedir: String,
    pub instanceurl: String,
@ -40,6 +41,32 @@ pub fn loadenv() -> Result<Env, Box<dyn std::error::Error>> {
        Env {
            logging: get_var::<&str, String>("APP_LOGGING")?.to_lowercase() == "true",
            listen: get_var::<&str, String>("APP_HOST")?.parse::<SocketAddr>().unwrap(),
+            proxy_addr: {
+                let env_var = get_var::<&str, String>("PROXY_IP")?;
+
+                let ip = env_var.parse::<IpAddr>();
+                if let Ok(ip) = ip {
+                    if ip == IpAddr::from([127, 0, 0, 1]) {
+                        log::warn!("Proxy address is 127.0.0.1. No proxy will be trusted")
+                    }
+                    if ip == IpAddr::from([0, 0, 0, 0]) {
+                        log::warn!("Proxy address is 0.0.0.0. All proxies will be trusted.");
+                        #[cfg(not(debug_assertions))]
+                            log::warn!("The warning above will not work well with production mode! Please consider setting the proxy address to a proper IP.")
+                    }
+                    ip
+                } else {
+                    let sock = env_var.to_socket_addrs();
+                    if let Err(err) = sock {
+                        return Err(format!("Can't resolve {env_var}: {:?}", err).into());
+                    }
+                    let mut addrs = sock.unwrap();
+                    if addrs.len() == 0 {
+                        return Err(format!("{env_var} resolved to nothing").into());
+                    }
+                    addrs.next().unwrap().ip()
+                }
+            },
            redis: Redis {
                pass: get_var("REDIS_PASS")?,
                host: get_var("REDIS_HOST")?,