httpd/webdav: add a list of hosts allowed to send proxy headers

X-Forwarded-For, X-Real-IP and X-Forwarded-Proto headers will be ignored for hosts not included in this list. This is a backward incompatible change, before the proxy headers were always used
2025-12-07 14:50:55 +03:00 · 2021-05-11 06:54:06 +02:00
parent f1b998ce16
commit c8f7fc9bc9
25 changed files with 669 additions and 383 deletions
--- a/webdavd/webdavd.go
+++ b/webdavd/webdavd.go
@@ -3,6 +3,7 @@ package webdavd

 import (
 	"fmt"
+	"net"
 	"path/filepath"

 	"github.com/go-chi/chi/v5/middleware"
@@ -90,6 +91,18 @@ type Binding struct {
 	// Prefix for WebDAV resources, if empty WebDAV resources will be available at the
 	// root ("/") URI. If defined it must be an absolute URI.
 	Prefix string `json:"prefix" mapstructure:"prefix"`
+	// List of IP addresses and IP ranges allowed to set X-Forwarded-For/X-Real-IP headers.
+	ProxyAllowed     []string `json:"proxy_allowed" mapstructure:"proxy_allowed"`
+	allowHeadersFrom []func(net.IP) bool
+}
+
+func (b *Binding) parseAllowedProxy() error {
+	allowedFuncs, err := utils.ParseAllowedIPAndRanges(b.ProxyAllowed)
+	if err != nil {
+		return err
+	}
+	b.allowHeadersFrom = allowedFuncs
+	return nil
 }

 func (b *Binding) isMutualTLSEnabled() bool {
@@ -191,6 +204,9 @@ func (c *Configuration) Initialize(configDir string) error {
 		if !binding.IsValid() {
 			continue
 		}
+		if err := binding.parseAllowedProxy(); err != nil {
+			return err
+		}

 		go func(binding Binding) {
 			server := webDavServer{