You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
115 lines
4.1 KiB
115 lines
4.1 KiB
7 years ago
|
/*
|
||
|
* Minio Cloud Storage, (C) 2018 Minio, Inc.
|
||
|
*
|
||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
* you may not use this file except in compliance with the License.
|
||
|
* You may obtain a copy of the License at
|
||
|
*
|
||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
*
|
||
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
* See the License for the specific language governing permissions and
|
||
|
* limitations under the License.
|
||
|
*/
|
||
|
|
||
|
package handlers
|
||
|
|
||
|
import (
|
||
|
"net"
|
||
|
"net/http"
|
||
|
"regexp"
|
||
|
"strings"
|
||
|
)
|
||
|
|
||
|
var (
|
||
|
// De-facto standard header keys.
|
||
|
xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
|
||
|
xForwardedProto = http.CanonicalHeaderKey("X-Forwarded-Proto")
|
||
|
xForwardedScheme = http.CanonicalHeaderKey("X-Forwarded-Scheme")
|
||
|
xRealIP = http.CanonicalHeaderKey("X-Real-IP")
|
||
|
)
|
||
|
|
||
|
var (
|
||
|
// RFC7239 defines a new "Forwarded: " header designed to replace the
|
||
|
// existing use of X-Forwarded-* headers.
|
||
|
// e.g. Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43
|
||
|
forwarded = http.CanonicalHeaderKey("Forwarded")
|
||
|
// Allows for a sub-match of the first value after 'for=' to the next
|
||
|
// comma, semi-colon or space. The match is case-insensitive.
|
||
|
forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)(.*)`)
|
||
|
// Allows for a sub-match for the first instance of scheme (http|https)
|
||
|
// prefixed by 'proto='. The match is case-insensitive.
|
||
|
protoRegex = regexp.MustCompile(`(?i)^(;|,| )+(?:proto=)(https|http)`)
|
||
|
)
|
||
|
|
||
|
// GetSourceScheme retrieves the scheme from the X-Forwarded-Proto and RFC7239
|
||
|
// Forwarded headers (in that order).
|
||
|
func GetSourceScheme(r *http.Request) string {
|
||
|
var scheme string
|
||
|
|
||
|
// Retrieve the scheme from X-Forwarded-Proto.
|
||
|
if proto := r.Header.Get(xForwardedProto); proto != "" {
|
||
|
scheme = strings.ToLower(proto)
|
||
|
} else if proto = r.Header.Get(xForwardedScheme); proto != "" {
|
||
|
scheme = strings.ToLower(proto)
|
||
|
} else if proto := r.Header.Get(forwarded); proto != "" {
|
||
|
// match should contain at least two elements if the protocol was
|
||
|
// specified in the Forwarded header. The first element will always be
|
||
|
// the 'for=', which we ignore, subsequently we proceed to look for
|
||
|
// 'proto=' which should precede right after `for=` if not
|
||
|
// we simply ignore the values and return empty. This is in line
|
||
|
// with the approach we took for returning first ip from multiple
|
||
|
// params.
|
||
|
if match := forRegex.FindStringSubmatch(proto); len(match) > 1 {
|
||
|
if match = protoRegex.FindStringSubmatch(match[2]); len(match) > 1 {
|
||
|
scheme = strings.ToLower(match[2])
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return scheme
|
||
|
}
|
||
|
|
||
|
// GetSourceIP retrieves the IP from the X-Forwarded-For, X-Real-IP and RFC7239
|
||
|
// Forwarded headers (in that order), falls back to r.RemoteAddr when all
|
||
|
// else fails.
|
||
|
func GetSourceIP(r *http.Request) string {
|
||
|
var addr string
|
||
|
|
||
|
if fwd := r.Header.Get(xForwardedFor); fwd != "" {
|
||
|
// Only grab the first (client) address. Note that '192.168.0.1,
|
||
|
// 10.1.1.1' is a valid key for X-Forwarded-For where addresses after
|
||
|
// the first may represent forwarding proxies earlier in the chain.
|
||
|
s := strings.Index(fwd, ", ")
|
||
|
if s == -1 {
|
||
|
s = len(fwd)
|
||
|
}
|
||
|
addr = fwd[:s]
|
||
|
} else if fwd := r.Header.Get(xRealIP); fwd != "" {
|
||
|
// X-Real-IP should only contain one IP address (the client making the
|
||
|
// request).
|
||
|
addr = fwd
|
||
|
} else if fwd := r.Header.Get(forwarded); fwd != "" {
|
||
|
// match should contain at least two elements if the protocol was
|
||
|
// specified in the Forwarded header. The first element will always be
|
||
|
// the 'for=' capture, which we ignore. In the case of multiple IP
|
||
|
// addresses (for=8.8.8.8, 8.8.4.4, 172.16.1.20 is valid) we only
|
||
|
// extract the first, which should be the client IP.
|
||
|
if match := forRegex.FindStringSubmatch(fwd); len(match) > 1 {
|
||
|
// IPv6 addresses in Forwarded headers are quoted-strings. We strip
|
||
|
// these quotes.
|
||
|
addr = strings.Trim(match[1], `"`)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if addr != "" {
|
||
|
return addr
|
||
|
}
|
||
|
|
||
|
// Default to remote address if headers not set.
|
||
|
addr, _, _ = net.SplitHostPort(r.RemoteAddr)
|
||
|
return addr
|
||
|
}
|