Check X-Forwarded-For on sockets (resolves #528)
This commit is contained in:
parent
432ee7bc30
commit
bfe76dae0e
|
@ -130,11 +130,45 @@ function addTypecheckedFunctions(sock) {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function ipForwardingMiddleware(webConfig) {
|
||||||
|
function getForwardedIP(socket) {
|
||||||
|
var req = socket.client.request;
|
||||||
|
const xForwardedFor = req.headers['x-forwarded-for'];
|
||||||
|
if (!xForwardedFor) {
|
||||||
|
return socket.client.conn.remoteAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
const ipList = xForwardedFor.split(',');
|
||||||
|
for (let i = 0; i < ipList.length; i++) {
|
||||||
|
const ip = ipList[i].trim();
|
||||||
|
if (net.isIP(ip)) {
|
||||||
|
return ip;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return socket.client.conn.remoteAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
function isTrustedProxy(ip) {
|
||||||
|
return webConfig.getTrustedProxies().indexOf(ip) >= 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return function (socket, accept) {
|
||||||
|
if (isTrustedProxy(socket.client.conn.remoteAddress)) {
|
||||||
|
socket._realip = getForwardedIP(socket);
|
||||||
|
} else {
|
||||||
|
socket._realip = socket.client.conn.remoteAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
accept(null, true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Called after a connection is accepted
|
* Called after a connection is accepted
|
||||||
*/
|
*/
|
||||||
function handleConnection(sock) {
|
function handleConnection(sock) {
|
||||||
var ip = sock.client.conn.remoteAddress;
|
var ip = sock._realip;
|
||||||
if (!ip) {
|
if (!ip) {
|
||||||
sock.emit("kick", {
|
sock.emit("kick", {
|
||||||
reason: "Your IP address could not be determined from the socket connection. See https://github.com/Automattic/socket.io/issues/1737 for details"
|
reason: "Your IP address could not be determined from the socket connection. See https://github.com/Automattic/socket.io/issues/1737 for details"
|
||||||
|
@ -144,8 +178,8 @@ function handleConnection(sock) {
|
||||||
|
|
||||||
if (net.isIPv6(ip)) {
|
if (net.isIPv6(ip)) {
|
||||||
ip = util.expandIPv6(ip);
|
ip = util.expandIPv6(ip);
|
||||||
|
sock._realip = ip;
|
||||||
}
|
}
|
||||||
sock._realip = ip;
|
|
||||||
sock._displayip = $util.cloakIP(ip);
|
sock._displayip = $util.cloakIP(ip);
|
||||||
|
|
||||||
if (isTorExit(ip)) {
|
if (isTorExit(ip)) {
|
||||||
|
@ -206,11 +240,12 @@ function handleConnection(sock) {
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
init: function (srv) {
|
init: function (srv, webConfig) {
|
||||||
var bound = {};
|
var bound = {};
|
||||||
var io = sio.instance = sio();
|
var io = sio.instance = sio();
|
||||||
|
|
||||||
io.use(handleAuth);
|
io.use(handleAuth);
|
||||||
|
io.use(ipForwardingMiddleware(webConfig));
|
||||||
io.on("connection", handleConnection);
|
io.on("connection", handleConnection);
|
||||||
|
|
||||||
Config.get("listen").forEach(function (bind) {
|
Config.get("listen").forEach(function (bind) {
|
||||||
|
|
|
@ -126,7 +126,7 @@ var Server = function () {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
require("./io/ioserver").init(self);
|
require("./io/ioserver").init(self, webConfig);
|
||||||
|
|
||||||
// background tasks init ----------------------------------------------
|
// background tasks init ----------------------------------------------
|
||||||
require("./bgtask")(self);
|
require("./bgtask")(self);
|
||||||
|
|
|
@ -35,6 +35,9 @@ export default function initialize(app, webConfig) {
|
||||||
if (isTrustedProxy(req.ip)) {
|
if (isTrustedProxy(req.ip)) {
|
||||||
req.realIP = getForwardedIP(req);
|
req.realIP = getForwardedIP(req);
|
||||||
req.realProtocol = getForwardedProto(req);
|
req.realProtocol = getForwardedProto(req);
|
||||||
|
} else {
|
||||||
|
req.realIP = req.ip;
|
||||||
|
req.realProtocol = req.protocol;
|
||||||
}
|
}
|
||||||
|
|
||||||
next();
|
next();
|
||||||
|
|
Loading…
Reference in a new issue