Proxy endpoint was checking real client ip instead of proxy ip

for validating PROXY_AUTH_WHITELIST
main
Dimitri Huisman 2 years ago
parent 1d9791ceaa
commit 25b9db4b00
No known key found for this signature in database

@ -92,9 +92,10 @@ def _has_usable_redirect():
https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
""" """
def _proxy(): def _proxy():
ip = ipaddress.ip_address(flask.request.remote_addr) proxy_ip = flask.request.headers.get('X-Forwarded-By')
ip = ipaddress.ip_address(proxy_ip)
if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']): if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']):
return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % flask.request.remote_addr) return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % proxy_ip)
email = flask.request.headers.get(app.config['PROXY_AUTH_HEADER']) email = flask.request.headers.get(app.config['PROXY_AUTH_HEADER'])
if not email: if not email:

@ -231,6 +231,7 @@ http {
auth_request /internal/auth/admin; auth_request /internal/auth/admin;
proxy_set_header X-Real-IP ""; proxy_set_header X-Real-IP "";
proxy_set_header X-Forwarded-For ""; proxy_set_header X-Forwarded-For "";
proxe_set_header X-Forwarded-By: "";
proxy_pass http://$antispam; proxy_pass http://$antispam;
error_page 403 @sso_login; error_page 403 @sso_login;
} }

@ -7,6 +7,7 @@ proxy_hide_header CF-Connecting-IP;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
{% if REAL_IP_HEADER and REAL_IP_FROM %} {% if REAL_IP_HEADER and REAL_IP_FROM %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-By $realip_remote_addr;
{% else %} {% else %}
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
{% endif %} {% endif %}

@ -0,0 +1,3 @@
Proxy authentication was using the real client ip instead of the proxy
IP for checking the PROXY_AUTH_WHITELIST.
Loading…
Cancel
Save