From 8885f14f1987173bcbcd83b20f886ce8efe928f7 Mon Sep 17 00:00:00 2001
From: Daniel Oaks
Date: Thu, 21 Apr 2016 16:39:31 +1000
Subject: [PATCH] PROXY: Restrict to specified addresses/hostnames

---
 irc/client.go | 3 +--
 irc/config.go | 13 +++++-----
 irc/server.go | 69 ++++++++++++++++++++++++++++++---------------------
 oragono.yaml | 5 ++++
 4 files changed, 54 insertions(+), 36 deletions(-)

diff --git a/irc/client.go b/irc/client.go
index 1cbdf73a..41bbe449 100644
--- a/irc/client.go
+++ b/irc/client.go
@@ -63,8 +63,7 @@ func (client *Client) run() {
 
 // Set the hostname for this client. The client may later send a PROXY
 // command from stunnel that sets the hostname to something more accurate.
- client.send(NewProxyCommand(AddrLookupHostname(
- client.socket.conn.RemoteAddr())))
+ client.hostname = AddrLookupHostname(client.socket.conn.RemoteAddr())
 
 for err == nil {
 //TODO(dan): does this read sockets correctly and split lines properly? (think that ZNC bug that kept happening with mammon)
diff --git a/irc/config.go b/irc/config.go
index 8072768e..571f0a58 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -46,12 +46,13 @@ type Config struct {
 Server struct {
 PassConfig
 
- Name string
- Database string
- Listen []string
- Wslisten string
- Log string
- MOTD string
+ Name string
+ Database string
+ Listen []string
+ Wslisten string
+ Log string
+ MOTD string
+ ProxyAllowedFrom []string `yaml:"proxy-allowed-from"`
 }
 
 SSLListener map[string]*SSLListenConfig
diff --git a/irc/server.go b/irc/server.go
index e8ba0fd0..925f8488 100644
--- a/irc/server.go
+++ b/irc/server.go
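Review bot: The comment kept at the top of the hunk still says the client "may later send a PROXY command from stunnel that sets the hostname", but after this patch the hostname is assigned directly on the line below and a PROXY command is only honoured when the connection's address or reverse-DNS name is listed in `proxy-allowed-from` (server.go in this same patch); from any other peer it is rejected with `client.Quit`. Suggest `// Set the hostname for this client. A PROXY command from a peer listed in proxy-allowed-from may later replace it; from any other peer PROXY disconnects the client.` It is also worth saying here that this value is the string the PROXY gate compares against, and that it is a lookup result rather than a verified name (presumably, given the helper's name; its body is not in the patch). run() continues outside the hunk.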
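Review bot: `ProxyAllowedFrom` is added without a comment saying what an entry is, and the code that consumes it (server.go in this patch) compares each entry by exact string equality against both the peer's IP string and its reverse-DNS hostname, so entries are neither CIDR ranges nor normalised, and a hostname entry is satisfied by a PTR record the remote side controls. A field comment makes that contract visible to whoever edits the config: `// ProxyAllowedFrom lists peers that may send PROXY, matched by exact string against the peer IP (and, as implemented, its reverse-DNS name); no CIDR. List only the TLS/stunnel terminator, since a listed peer can rewrite any client's hostname.` The Config struct continues outside the hunk.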
@@ -26,21 +26,22 @@ type RegServerCommand interface {
 }
 
 type Server struct {
- channels ChannelNameMap
- clients *ClientLookupSet
- commands chan Command
- ctime time.Time
- db *sql.DB
- idle chan *Client
- motdLines []string
- name Name
- newConns chan net.Conn
- operators map[Name][]byte
- password []byte
- signals chan os.Signal
- whoWas *WhoWasList
- theaters map[Name][]byte
- isupport *ISupportList
+ channels ChannelNameMap
+ clients *ClientLookupSet
+ commands chan Command
+ ctime time.Time
+ db *sql.DB
+ idle chan *Client
+ motdLines []string
+ name Name
+ newConns chan net.Conn
+ operators map[Name][]byte
+ password []byte
+ signals chan os.Signal
+ proxyAllowedFrom []string
+ whoWas *WhoWasList
+ theaters map[Name][]byte
+ isupport *ISupportList
 }
 
 var (
@@ -50,18 +51,19 @@ var (
 
 func NewServer(config *Config) *Server {
 server := &Server{
- channels: make(ChannelNameMap),
- clients: NewClientLookupSet(),
- commands: make(chan Command),
- ctime: time.Now(),
- db: OpenDB(config.Server.Database),
- idle: make(chan *Client),
- name: NewName(config.Server.Name),
- newConns: make(chan net.Conn),
- operators: config.Operators(),
- signals: make(chan os.Signal, len(SERVER_SIGNALS)),
- whoWas: NewWhoWasList(100),
- theaters: config.Theaters(),
+ channels: make(ChannelNameMap),
+ clients: NewClientLookupSet(),
+ commands: make(chan Command),
+ ctime: time.Now(),
+ db: OpenDB(config.Server.Database),
+ idle: make(chan *Client),
+ name: NewName(config.Server.Name),
+ newConns: make(chan net.Conn),
+ operators: config.Operators(),
+ signals: make(chan os.Signal, len(SERVER_SIGNALS)),
+ proxyAllowedFrom: config.Server.ProxyAllowedFrom,
+ whoWas: NewWhoWasList(100),
+ theaters: config.Theaters(),
 }
 
 // ensure that there is a minimum number of args specified for every command
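Review bot: `proxyAllowedFrom: config.Server.ProxyAllowedFrom` stores the configured entries verbatim, so a malformed entry (a stray space, a CIDR such as `10.0.0.0/8`, or `::ffff:127.0.0.1` when the peer string is `127.0.0.1`) is accepted at startup and simply never matches, which surfaces only later as the stunnel connection being dropped on PROXY. Since HandleRegServer compares by string equality, it would be safer to normalise here — for each entry `if ip := net.ParseIP(entry); ip != nil { entry = ip.String() }` — and to log or reject entries that parse as neither an IP nor a name the operator intends; `net` is already imported in this file (`newConns chan net.Conn`), so no new dependency. An empty or absent list fails closed (every PROXY is rejected), which is the right default and worth a comment on the field. The field also aliases the config slice rather than copying it, which only matters if the config is ever mutated in place, something I cannot see from here.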
@@ -369,7 +371,18 @@ func (msg *PassCommand) HandleRegServer(server *Server) {
 }
 
 func (msg *ProxyCommand) HandleRegServer(server *Server) {
- msg.Client().hostname = msg.hostname
+ client := msg.Client()
+ clientAddress := IPString(client.socket.conn.RemoteAddr()).String()
+ clientHostname := client.hostname.String()
+
+ for _, address := range server.proxyAllowedFrom {
+ if clientHostname == address || clientAddress == address {
+ client.hostname = msg.hostname
+ return
+ }
+ }
+
+ client.Quit("PROXY command is not usable from your address")
 }
 
 func (msg *UserCommand) HandleRegServer(server *Server) {
diff --git a/oragono.yaml b/oragono.yaml
index f3de0013..a16cdf4e 100644
--- a/oragono.yaml
+++ b/oragono.yaml
@@ -34,6 +34,11 @@ server:
 # if you change the motd, you should move it to ircd.motd
 motd: oragono.motd
 
+ # addresses/hostnames the PROXY command can be used from
+ proxy-allowed-from:
+ - "localhost"
+ - "127.0.0.1"
+
 # ssl listeners
 ssllistener:
 # listener on ":6697"
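Review bot: The allow check in the `for` loop trusts `clientHostname`, which is whatever `AddrLookupHostname` produced from the peer's reverse DNS (client.go in this patch), so any remote peer whose PTR record resolves to a listed name — `localhost` in the shipped config — satisfies `clientHostname == address` and can then set an arbitrary hostname through PROXY; only the `clientAddress` comparison is anchored in the connection itself. Reverse DNS is controlled by whoever owns the source address's in-addr.arpa/ip6.arpa zone, not by this server, so it should not be a trust anchor for a command that rewrites identity. Suggest dropping the hostname branch and comparing addresses parsed with `net.ParseIP`, so textual variants (`::ffff:127.0.0.1` vs `127.0.0.1`, IPv6 zero compression) still match and an unparseable peer address fails closed; `net` is already imported in server.go. The exact string `IPString(...)` returns is defined outside this hunk, so parsing it is an assumption to confirm.
```go
func (msg *ProxyCommand) HandleRegServer(server *Server) {
	client := msg.Client()
	clientIP := net.ParseIP(IPString(client.socket.conn.RemoteAddr()).String())

	// Only the connection's own address is trusted. The reverse-DNS name in
	// client.hostname is influenced by the remote side and must not gate PROXY.
	for _, address := range server.proxyAllowedFrom {
		if allowed := net.ParseIP(address); allowed != nil && allowed.Equal(clientIP) {
			client.hostname = msg.hostname
			return
		}
	}

	// … unchanged: client.Quit("PROXY command is not usable from your address") …
}
```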
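Review bot: The sample list pairs `"localhost"` with `"127.0.0.1"`, but with the matching in server.go a `localhost` entry is satisfied by any peer whose reverse DNS says `localhost`, not by the loopback interface, while an stunnel instance connecting over IPv6 loopback (`::1`) is not covered at all. Suggest replacing `- "localhost"` with `- "::1"` and extending the comment: `# addresses the PROXY command can be used from (exact matches, no CIDR); list only the TLS/stunnel terminator, since a listed peer can set any client's hostname`. Leaving the list empty rejects every PROXY, which is the safe default and is worth stating in the comment as well.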