mirror of
https://github.com/ergochat/ergo.git
synced 2025-01-08 19:22:53 +01:00
fix PROXY protocol support for IPv6
1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs.
This commit is contained in:
parent
f0491c2254
commit
10d4f77638
@ -246,6 +246,8 @@ func (client *Client) run() {
|
|||||||
// (may be overridden by a later PROXY command from stunnel)
|
// (may be overridden by a later PROXY command from stunnel)
|
||||||
client.rawHostname = utils.AddrLookupHostname(client.socket.conn.RemoteAddr())
|
client.rawHostname = utils.AddrLookupHostname(client.socket.conn.RemoteAddr())
|
||||||
|
|
||||||
|
firstLine := true
|
||||||
|
|
||||||
for {
|
for {
|
||||||
maxlenTags, maxlenRest := client.recomputeMaxlens()
|
maxlenTags, maxlenRest := client.recomputeMaxlens()
|
||||||
|
|
||||||
@ -261,6 +263,19 @@ func (client *Client) run() {
|
|||||||
|
|
||||||
client.server.logger.Debug("userinput", client.nick, "<- ", line)
|
client.server.logger.Debug("userinput", client.nick, "<- ", line)
|
||||||
|
|
||||||
|
// special-cased handling of PROXY protocol, see `handleProxyCommand` for details:
|
||||||
|
if firstLine {
|
||||||
|
firstLine = false
|
||||||
|
if strings.HasPrefix(line, "PROXY") {
|
||||||
|
err = handleProxyCommand(client.server, client, line)
|
||||||
|
if err != nil {
|
||||||
|
break
|
||||||
|
} else {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
msg, err = ircmsg.ParseLineMaxLen(line, maxlenTags, maxlenRest)
|
msg, err = ircmsg.ParseLineMaxLen(line, maxlenTags, maxlenRest)
|
||||||
if err == ircmsg.ErrorLineIsEmpty {
|
if err == ircmsg.ErrorLineIsEmpty {
|
||||||
continue
|
continue
|
||||||
|
@ -215,11 +215,6 @@ func init() {
|
|||||||
handler: privmsgHandler,
|
handler: privmsgHandler,
|
||||||
minParams: 2,
|
minParams: 2,
|
||||||
},
|
},
|
||||||
"PROXY": {
|
|
||||||
handler: proxyHandler,
|
|
||||||
usablePreReg: true,
|
|
||||||
minParams: 5,
|
|
||||||
},
|
|
||||||
"RENAME": {
|
"RENAME": {
|
||||||
handler: renameHandler,
|
handler: renameHandler,
|
||||||
minParams: 2,
|
minParams: 2,
|
||||||
|
@ -6,13 +6,20 @@
|
|||||||
package irc
|
package irc
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/oragono/oragono/irc/modes"
|
"github.com/oragono/oragono/irc/modes"
|
||||||
"github.com/oragono/oragono/irc/utils"
|
"github.com/oragono/oragono/irc/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")
|
||||||
|
errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command")
|
||||||
|
)
|
||||||
|
|
||||||
type webircConfig struct {
|
type webircConfig struct {
|
||||||
PasswordString string `yaml:"password"`
|
PasswordString string `yaml:"password"`
|
||||||
Password []byte `yaml:"password-bytes"`
|
Password []byte `yaml:"password-bytes"`
|
||||||
@ -57,22 +64,29 @@ func isGatewayAllowed(addr net.Addr, gatewaySpec string) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ApplyProxiedIP applies the given IP to the client.
|
// ApplyProxiedIP applies the given IP to the client.
|
||||||
func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool) {
|
func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (success bool) {
|
||||||
// ensure IP is sane
|
// ensure IP is sane
|
||||||
parsedProxiedIP := net.ParseIP(proxiedIP)
|
parsedProxiedIP := net.ParseIP(proxiedIP)
|
||||||
if parsedProxiedIP == nil {
|
if parsedProxiedIP == nil {
|
||||||
client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP))
|
client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP))
|
||||||
return true
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// undo any mapping of v4 addresses into the v6 space: https://stackoverflow.com/a/1618259
|
||||||
|
// this is how a typical stunnel4 deployment on Linux will handle dual-stack
|
||||||
|
unmappedIP := parsedProxiedIP.To4()
|
||||||
|
if unmappedIP != nil {
|
||||||
|
parsedProxiedIP = unmappedIP
|
||||||
}
|
}
|
||||||
|
|
||||||
isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
|
isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
|
||||||
if isBanned {
|
if isBanned {
|
||||||
client.Quit(banMsg)
|
client.Quit(banMsg)
|
||||||
return true
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// given IP is sane! override the client's current IP
|
// given IP is sane! override the client's current IP
|
||||||
rawHostname := utils.LookupHostname(proxiedIP)
|
rawHostname := utils.LookupHostname(parsedProxiedIP.String())
|
||||||
client.stateMutex.Lock()
|
client.stateMutex.Lock()
|
||||||
client.proxiedIP = parsedProxiedIP
|
client.proxiedIP = parsedProxiedIP
|
||||||
client.rawHostname = rawHostname
|
client.rawHostname = rawHostname
|
||||||
@ -83,5 +97,37 @@ func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool)
|
|||||||
client.certfp = ""
|
client.certfp = ""
|
||||||
client.SetMode(modes.TLS, tls)
|
client.SetMode(modes.TLS, tls)
|
||||||
|
|
||||||
return false
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
// PROXY must be sent as the first message in the session and has the syntax:
|
||||||
|
// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n
|
||||||
|
// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
|
||||||
|
// the message is invalid IRC and can't be parsed normally, hence the special handling.
|
||||||
|
func handleProxyCommand(server *Server, client *Client, line string) (err error) {
|
||||||
|
defer func() {
|
||||||
|
if err != nil {
|
||||||
|
client.Quit(client.t("Bad or unauthorized PROXY command"))
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
params := strings.Fields(line)
|
||||||
|
if len(params) != 6 {
|
||||||
|
return errBadProxyLine
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, gateway := range server.ProxyAllowedFrom() {
|
||||||
|
if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
|
||||||
|
// assume PROXY connections are always secure
|
||||||
|
if client.ApplyProxiedIP(params[2], true) {
|
||||||
|
return nil
|
||||||
|
} else {
|
||||||
|
return errBadProxyLine
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// real source IP is not authorized to issue PROXY:
|
||||||
|
return errBadGatewayAddress
|
||||||
}
|
}
|
||||||
|
@ -1910,26 +1910,6 @@ func privmsgHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *R
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// PROXY TCP4/6 SOURCEIP DESTIP SOURCEPORT DESTPORT
|
|
||||||
// http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
func proxyHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
|
|
||||||
// only allow unregistered clients to use this command
|
|
||||||
if client.Registered() || client.proxiedIP != nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, gateway := range server.ProxyAllowedFrom() {
|
|
||||||
if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
|
|
||||||
proxiedIP := msg.Params[1]
|
|
||||||
|
|
||||||
// assume PROXY connections are always secure
|
|
||||||
return client.ApplyProxiedIP(proxiedIP, true)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
client.Quit(client.t("PROXY command is not usable from your address"))
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// QUIT [<reason>]
|
// QUIT [<reason>]
|
||||||
func quitHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
|
func quitHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
|
||||||
reason := "Quit"
|
reason := "Quit"
|
||||||
@ -2416,7 +2396,7 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Re
|
|||||||
if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
|
if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
|
||||||
proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
|
proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
|
||||||
}
|
}
|
||||||
return client.ApplyProxiedIP(proxiedIP, secure)
|
return !client.ApplyProxiedIP(proxiedIP, secure)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -385,13 +385,6 @@ Replies to a PING. Used to check link connectivity.`,
|
|||||||
text: `PRIVMSG <target>{,<target>} <text to be sent>
|
text: `PRIVMSG <target>{,<target>} <text to be sent>
|
||||||
|
|
||||||
Sends the text to the given targets as a PRIVMSG.`,
|
Sends the text to the given targets as a PRIVMSG.`,
|
||||||
},
|
|
||||||
"proxy": {
|
|
||||||
oper: true, // not really, but it's restricted anyways
|
|
||||||
text: `PROXY TCP4/6 <sourceip> <destip> <sourceport> <destport>
|
|
||||||
|
|
||||||
Used by haproxy's PROXY v1 protocol, to allow for alternate TLS support:
|
|
||||||
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt`,
|
|
||||||
},
|
},
|
||||||
"rename": {
|
"rename": {
|
||||||
text: `RENAME <channel> <newname> [<reason>]
|
text: `RENAME <channel> <newname> [<reason>]
|
||||||
|
Loading…
Reference in New Issue
Block a user