3
0
mirror of https://github.com/ergochat/ergo.git synced 2025-01-08 19:22:53 +01:00

fix PROXY protocol support for IPv6

1. Handle PROXY lines with IPv6 addresses starting with ::
(similar to WEBIRC in issue #211)

2. Strip v6 mapping from v4 addresses when handling proxied IPs.
This commit is contained in:
Shivaram Lingamneni 2018-09-03 00:19:10 -04:00
parent f0491c2254
commit 10d4f77638
5 changed files with 68 additions and 39 deletions

View File

@ -246,6 +246,8 @@ func (client *Client) run() {
// (may be overridden by a later PROXY command from stunnel) // (may be overridden by a later PROXY command from stunnel)
client.rawHostname = utils.AddrLookupHostname(client.socket.conn.RemoteAddr()) client.rawHostname = utils.AddrLookupHostname(client.socket.conn.RemoteAddr())
firstLine := true
for { for {
maxlenTags, maxlenRest := client.recomputeMaxlens() maxlenTags, maxlenRest := client.recomputeMaxlens()
@ -261,6 +263,19 @@ func (client *Client) run() {
client.server.logger.Debug("userinput", client.nick, "<- ", line) client.server.logger.Debug("userinput", client.nick, "<- ", line)
// special-cased handling of PROXY protocol, see `handleProxyCommand` for details:
if firstLine {
firstLine = false
if strings.HasPrefix(line, "PROXY") {
err = handleProxyCommand(client.server, client, line)
if err != nil {
break
} else {
continue
}
}
}
msg, err = ircmsg.ParseLineMaxLen(line, maxlenTags, maxlenRest) msg, err = ircmsg.ParseLineMaxLen(line, maxlenTags, maxlenRest)
if err == ircmsg.ErrorLineIsEmpty { if err == ircmsg.ErrorLineIsEmpty {
continue continue

View File

@ -215,11 +215,6 @@ func init() {
handler: privmsgHandler, handler: privmsgHandler,
minParams: 2, minParams: 2,
}, },
"PROXY": {
handler: proxyHandler,
usablePreReg: true,
minParams: 5,
},
"RENAME": { "RENAME": {
handler: renameHandler, handler: renameHandler,
minParams: 2, minParams: 2,

View File

@ -6,13 +6,20 @@
package irc package irc
import ( import (
"errors"
"fmt" "fmt"
"net" "net"
"strings"
"github.com/oragono/oragono/irc/modes" "github.com/oragono/oragono/irc/modes"
"github.com/oragono/oragono/irc/utils" "github.com/oragono/oragono/irc/utils"
) )
var (
errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")
errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command")
)
type webircConfig struct { type webircConfig struct {
PasswordString string `yaml:"password"` PasswordString string `yaml:"password"`
Password []byte `yaml:"password-bytes"` Password []byte `yaml:"password-bytes"`
@ -57,22 +64,29 @@ func isGatewayAllowed(addr net.Addr, gatewaySpec string) bool {
} }
// ApplyProxiedIP applies the given IP to the client. // ApplyProxiedIP applies the given IP to the client.
func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool) { func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (success bool) {
// ensure IP is sane // ensure IP is sane
parsedProxiedIP := net.ParseIP(proxiedIP) parsedProxiedIP := net.ParseIP(proxiedIP)
if parsedProxiedIP == nil { if parsedProxiedIP == nil {
client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP)) client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP))
return true return false
}
// undo any mapping of v4 addresses into the v6 space: https://stackoverflow.com/a/1618259
// this is how a typical stunnel4 deployment on Linux will handle dual-stack
unmappedIP := parsedProxiedIP.To4()
if unmappedIP != nil {
parsedProxiedIP = unmappedIP
} }
isBanned, banMsg := client.server.checkBans(parsedProxiedIP) isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
if isBanned { if isBanned {
client.Quit(banMsg) client.Quit(banMsg)
return true return false
} }
// given IP is sane! override the client's current IP // given IP is sane! override the client's current IP
rawHostname := utils.LookupHostname(proxiedIP) rawHostname := utils.LookupHostname(parsedProxiedIP.String())
client.stateMutex.Lock() client.stateMutex.Lock()
client.proxiedIP = parsedProxiedIP client.proxiedIP = parsedProxiedIP
client.rawHostname = rawHostname client.rawHostname = rawHostname
@ -83,5 +97,37 @@ func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool)
client.certfp = "" client.certfp = ""
client.SetMode(modes.TLS, tls) client.SetMode(modes.TLS, tls)
return false return true
}
// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
// PROXY must be sent as the first message in the session and has the syntax:
// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n
// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
// the message is invalid IRC and can't be parsed normally, hence the special handling.
func handleProxyCommand(server *Server, client *Client, line string) (err error) {
defer func() {
if err != nil {
client.Quit(client.t("Bad or unauthorized PROXY command"))
}
}()
params := strings.Fields(line)
if len(params) != 6 {
return errBadProxyLine
}
for _, gateway := range server.ProxyAllowedFrom() {
if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
// assume PROXY connections are always secure
if client.ApplyProxiedIP(params[2], true) {
return nil
} else {
return errBadProxyLine
}
}
}
// real source IP is not authorized to issue PROXY:
return errBadGatewayAddress
} }

View File

@ -1910,26 +1910,6 @@ func privmsgHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *R
return false return false
} }
// PROXY TCP4/6 SOURCEIP DESTIP SOURCEPORT DESTPORT
// http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
func proxyHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
// only allow unregistered clients to use this command
if client.Registered() || client.proxiedIP != nil {
return false
}
for _, gateway := range server.ProxyAllowedFrom() {
if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
proxiedIP := msg.Params[1]
// assume PROXY connections are always secure
return client.ApplyProxiedIP(proxiedIP, true)
}
}
client.Quit(client.t("PROXY command is not usable from your address"))
return true
}
// QUIT [<reason>] // QUIT [<reason>]
func quitHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool { func quitHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
reason := "Quit" reason := "Quit"
@ -2416,7 +2396,7 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Re
if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") { if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
proxiedIP = proxiedIP[1 : len(proxiedIP)-1] proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
} }
return client.ApplyProxiedIP(proxiedIP, secure) return !client.ApplyProxiedIP(proxiedIP, secure)
} }
} }
} }

View File

@ -385,13 +385,6 @@ Replies to a PING. Used to check link connectivity.`,
text: `PRIVMSG <target>{,<target>} <text to be sent> text: `PRIVMSG <target>{,<target>} <text to be sent>
Sends the text to the given targets as a PRIVMSG.`, Sends the text to the given targets as a PRIVMSG.`,
},
"proxy": {
oper: true, // not really, but it's restricted anyways
text: `PROXY TCP4/6 <sourceip> <destip> <sourceport> <destport>
Used by haproxy's PROXY v1 protocol, to allow for alternate TLS support:
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt`,
}, },
"rename": { "rename": {
text: `RENAME <channel> <newname> [<reason>] text: `RENAME <channel> <newname> [<reason>]