Add option to trust remote IP from proxy

2026-05-26 16:10:29 +01:00 · 2014-01-17 09:28:21 -08:00
parent 82c6f93bfc
commit 2969f2f207
3 changed files with 15 additions and 4 deletions
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1388,12 +1388,19 @@ while(1) {
 		&http_error(400, "Bad Header $headline");
 		}
 	}
-if ($header{'x-forwarded-for'}) {
-	$loghost = $header{'x-forwarded-for'};
+
+# If a remote IP is given in a header (such as via a proxy), only use it
+# for logging unless trust_real_ip is set
+local $headerhost = $header{'x-forwarded-for'} ||
+		    $header{'x-real-ip'};
+if ($config{'trust_real_ip'}) {
+	$acpthost = $headerhost || $acpthost;
+	$loghost = $acpthost;
 	}
-elsif ($header{'x-real-ip'}) {
-	$loghost = $header{'x-real-ip'};
+else {
+	$loghost = $headerhost || $loghost;
 	}
+
 if (defined($header{'host'})) {
 	if ($header{'host'} =~ /^\[(.+)\]:([0-9]+)$/) {
 		($host, $port) = ($1, $2);
--- a/webmin/change_access.cgi
+++ b/webmin/change_access.cgi
@@ -38,6 +38,7 @@ if ($in{"access"} == 1) { $miniserv{"allow"} = join(' ', @hosts); }
 elsif ($in{"access"} == 2) { $miniserv{"deny"} = join(' ', @hosts); }
 $miniserv{'libwrap'} = $in{'libwrap'};
 $miniserv{'alwaysresolve'} = $in{'alwaysresolve'};
+$miniserv{'trust_real_ip'} = $in{'trust'};
 &put_miniserv_config(\%miniserv);
 &unlock_file($ENV{'MINISERV_CONFIG'});
 &show_restart_page();
--- a/webmin/edit_access.cgi
+++ b/webmin/edit_access.cgi
@@ -27,6 +27,9 @@ print &ui_table_row($text{'access_ip'},
 print &ui_table_row($text{'access_always'},
 	&ui_yesno_radio("alwaysresolve", int($miniserv{'alwaysresolve'})));

+print &ui_table_row($text{'access_trust'},
+	&ui_yesno_radio("trust", int($miniserv{'trust_real_ip'})));
+
 eval "use Authen::Libwrap qw(hosts_ctl STRING_UNKNOWN)";
 if (!$@) {
 	print &ui_table_row($text{'access_libwrap'},