Chris Lu
2 months ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with
2 additions and
34 deletions
-
weed/security/guard.go
-
weed/server/master_server.go
|
|
@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc { |
|
|
|
} |
|
|
|
|
|
|
|
func GetActualRemoteHost(r *http.Request) string { |
|
|
|
// Check X-Forwarded-For headers first (may contain comma-separated IPs)
|
|
|
|
// HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader
|
|
|
|
host := r.Header.Get("HTTP_X_FORWARDED_FOR") |
|
|
|
if host == "" { |
|
|
|
host = r.Header.Get("X-FORWARDED-FOR") |
|
|
|
} |
|
|
|
if host != "" { |
|
|
|
for _, ipStr := range strings.Split(host, ",") { |
|
|
|
host = strings.TrimSpace(ipStr) |
|
|
|
if host != "" { |
|
|
|
break |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
|
|
|
|
if host == "" { |
|
|
|
host = r.Header.Get("X-Real-IP") |
|
|
|
} |
|
|
|
|
|
|
|
// If we got a host from headers, use it (can be IP or hostname)
|
|
|
|
if host != "" { |
|
|
|
if host = strings.TrimSpace(host); host != "" { |
|
|
|
return host |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// If no host from headers, extract from RemoteAddr
|
|
|
|
// For security reasons, only use RemoteAddr to determine the client's IP address.
|
|
|
|
// Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
|
|
|
|
host, _, err := net.SplitHostPort(r.RemoteAddr) |
|
|
|
if err == nil { |
|
|
|
return host |
|
|
|
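Review bot: With the header lookups removed, `GetActualRemoteHost` returns only the TCP peer taken from `r.RemoteAddr`, and the two added comments sit inside the body, where godoc will not surface that contract to callers. Behind a reverse proxy, or for a request a follower master forwards through `proxyToLeader` (whose forwarding `Director` is dropped in weed/server/master_server.go in this same commit), the value is the proxy's or follower's address, so a whitelist check on the receiving side is made against that hop rather than the originating client. I would move the rationale into a doc comment on the exported function, e.g. `// GetActualRemoteHost returns the host part of r.RemoteAddr, the direct TCP peer; forwarding headers are ignored because clients can set them.` It looks as if the leader's whitelist now covers proxied requests only when the follower applied its own whitelist before forwarding, which is worth confirming because the handler ordering is not visible here. The function body continues past the hunk, so what is returned when `net.SplitHostPort` fails cannot be checked from this page.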
|
|
@ -257,12 +257,6 @@ func (ms *MasterServer) proxyToLeader(f http.HandlerFunc) http.HandlerFunc { |
|
|
|
// proxy to leader
|
|
|
|
glog.V(4).Infoln("proxying to leader", raftServerLeader) |
|
|
|
proxy := httputil.NewSingleHostReverseProxy(targetUrl) |
|
|
|
director := proxy.Director |
|
|
|
proxy.Director = func(req *http.Request) { |
|
|
|
actualHost := security.GetActualRemoteHost(req) |
|
|
|
req.Header.Set("HTTP_X_FORWARDED_FOR", actualHost) |
|
|
|
director(req) |
|
|
|
} |
|
|
|
proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport() |
|
|
|
proxy.ServeHTTP(w, r) |
|
|
|
} |
|
|
|