PROXY: Restrict to specified addresses/hostnames

2024-11-10 22:19:31 +01:00 · 2016-04-21 16:39:31 +10:00 · 2016-04-21 16:39:31 +10:00 · 8885f14f19
commit 8885f14f19
parent 77bf7173ff
4 changed files with 54 additions and 36 deletions
--- a/irc/client.go
+++ b/irc/client.go
@ -63,8 +63,7 @@ func (client *Client) run() {

 	// Set the hostname for this client. The client may later send a PROXY
 	// command from stunnel that sets the hostname to something more accurate.
-	client.send(NewProxyCommand(AddrLookupHostname(
-		client.socket.conn.RemoteAddr())))
+	client.hostname = AddrLookupHostname(client.socket.conn.RemoteAddr())

 	for err == nil {
 		//TODO(dan): does this read sockets correctly and split lines properly? (think that ZNC bug that kept happening with mammon)
--- a/irc/config.go
+++ b/irc/config.go
@ -52,6 +52,7 @@ type Config struct {
 		Wslisten         string
 		Log              string
 		MOTD             string
+		ProxyAllowedFrom []string `yaml:"proxy-allowed-from"`
 	}

 	SSLListener map[string]*SSLListenConfig
--- a/irc/server.go
+++ b/irc/server.go
@ -38,6 +38,7 @@ type Server struct {
 	operators        map[Name][]byte
 	password         []byte
 	signals          chan os.Signal
+	proxyAllowedFrom []string
 	whoWas           *WhoWasList
 	theaters         map[Name][]byte
 	isupport         *ISupportList
@ -60,6 +61,7 @@ func NewServer(config *Config) *Server {
 		newConns:         make(chan net.Conn),
 		operators:        config.Operators(),
 		signals:          make(chan os.Signal, len(SERVER_SIGNALS)),
+		proxyAllowedFrom: config.Server.ProxyAllowedFrom,
 		whoWas:           NewWhoWasList(100),
 		theaters:         config.Theaters(),
 	}
@ -369,7 +371,18 @@ func (msg *PassCommand) HandleRegServer(server *Server) {
 }

 func (msg *ProxyCommand) HandleRegServer(server *Server) {
-	msg.Client().hostname = msg.hostname
+	client := msg.Client()
+	clientAddress := IPString(client.socket.conn.RemoteAddr()).String()
+	clientHostname := client.hostname.String()
+
+	for _, address := range server.proxyAllowedFrom {
+		if clientHostname == address || clientAddress == address {
+			client.hostname = msg.hostname
+			return
+		}
+	}
+
+	client.Quit("PROXY command is not usable from your address")
 }

 func (msg *UserCommand) HandleRegServer(server *Server) {
--- a/oragono.yaml
+++ b/oragono.yaml
@ -34,6 +34,11 @@ server:
    # if you change the motd, you should move it to ircd.motd
    motd: oragono.motd

+    # addresses/hostnames the PROXY command can be used from
+    proxy-allowed-from:
+        - "localhost"
+        - "127.0.0.1"
+
 # ssl listeners
 ssllistener:
    # listener on ":6697"