~emersion/kimchi

a7e41c2c0a32673a72cbd43a2830f04579c12a05 — Simon Ser 7 months ago 38a9847
Read remote addr from proxy header

This allows X-Forwarded-For headers to have the correct value.
1 files changed, 16 insertions(+), 5 deletions(-)

M server.go
M server.go => server.go +16 -5
@@ 134,11 134,16 @@ func (ln *Listener) serve(netLn net.Listener) error {
func (ln *Listener) serveConn(conn net.Conn) error {
	var proto string
	var tlsState *tls.ConnectionState
	remoteAddr := conn.RemoteAddr()
	// TODO: read proto and TLS state from conn, if it's a TLS connection

	// TODO: only accept PROXY protocol from trusted sources
	proxyConn := proxyproto.NewConn(conn)
	if proxyHeader := proxyConn.ProxyHeader(); proxyHeader != nil {
		if proxyHeader.SourceAddr != nil {
			remoteAddr = proxyHeader.SourceAddr
		}

		tlvs, err := proxyHeader.TLVs()
		if err != nil {
			conn.Close()


@@ 156,9 161,10 @@ func (ln *Listener) serveConn(conn net.Conn) error {
	conn = proxyConn

	conn = &Conn{
		Conn:     conn,
		proto:    proto,
		tlsState: tlsState,
		Conn:       conn,
		proto:      proto,
		tlsState:   tlsState,
		remoteAddr: remoteAddr,
	}

	switch proto {


@@ 205,8 211,9 @@ func parseSSLTLV(tlv proxyproto.TLV) *tls.ConnectionState {

type Conn struct {
	net.Conn
	proto    string
	tlsState *tls.ConnectionState
	proto      string
	tlsState   *tls.ConnectionState
	remoteAddr net.Addr
}

func (c *Conn) Context(ctx context.Context) context.Context {


@@ 215,6 222,10 @@ func (c *Conn) Context(ctx context.Context) context.Context {
	return ctx
}

func (c *Conn) RemoteAddr() net.Addr {
	return c.remoteAddr
}

var errPipeListenerClosed = fmt.Errorf("pipe listener closed")

// pipeListener is a hack to workaround the lack of http.Server.ServeConn.
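Review bot: In the first serveConn hunk, `remoteAddr = proxyHeader.SourceAddr` trusts an address taken from a PROXY header that any connecting peer can send, because the `// TODO: only accept PROXY protocol from trusted sources` just above it is still open. With this commit that value is returned by `Conn.RemoteAddr()` and, per the commit message, ends up in X-Forwarded-For, so a client connecting directly can choose the IP that backends, logs and any IP-based allowlist or rate limit will see. The override should apply only when the socket peer (`conn.RemoteAddr()` before wrapping) is in a configured set of trusted proxies, with the header otherwise ignored or the connection rejected. It would also help to record the socket peer next to the claimed address for audit. Until the trust check exists, a comment at the assignment would warn callers, for example `// NOTE: SourceAddr is peer-supplied and unauthenticated; do not rely on RemoteAddr() for access control until PROXY is restricted to trusted sources`. serveConn's body continues outside the hunks shown, so any later validation is not visible here.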