Check X-Forwarded-For on sockets (resolves #528)

calzoneman 2015-12-12 16:59:58 -08:00
parent 432ee7bc30
commit bfe76dae0e
3 changed files with 42 additions and 4 deletions


@ -130,11 +130,45 @@ function addTypecheckedFunctions(sock) {
};
}
function ipForwardingMiddleware(webConfig) {
function getForwardedIP(socket) {
var req = socket.client.request;
const xForwardedFor = req.headers['x-forwarded-for'];
if (!xForwardedFor) {
return socket.client.conn.remoteAddress;
}
const ipList = xForwardedFor.split(',');
for (let i = 0; i < ipList.length; i++) {
const ip = ipList[i].trim();
if (net.isIP(ip)) {
return ip;
}
}
return socket.client.conn.remoteAddress;
}
function isTrustedProxy(ip) {
return webConfig.getTrustedProxies().indexOf(ip) >= 0;
}
return function (socket, accept) {
if (isTrustedProxy(socket.client.conn.remoteAddress)) {
socket._realip = getForwardedIP(socket);
} else {
socket._realip = socket.client.conn.remoteAddress;
}
accept(null, true);
}
}
/**
* Called after a connection is accepted
*/
function handleConnection(sock) {
var ip = sock.client.conn.remoteAddress;
var ip = sock._realip;
if (!ip) {
sock.emit("kick", {
reason: "Your IP address could not be determined from the socket connection. See https://github.com/Automattic/socket.io/issues/1737 for details"
@ -144,8 +178,8 @@ function handleConnection(sock) {
if (net.isIPv6(ip)) {
ip = util.expandIPv6(ip);
}
sock._realip = ip;
}
sock._displayip = $util.cloakIP(ip);
if (isTorExit(ip)) {
@ -206,11 +240,12 @@ function handleConnection(sock) {
}
module.exports = {
init: function (srv) {
init: function (srv, webConfig) {
var bound = {};
var io = sio.instance = sio();
io.use(handleAuth);
io.use(ipForwardingMiddleware(webConfig));
io.on("connection", handleConnection);
Config.get("listen").forEach(function (bind) {
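Review bot: getForwardedIP in the first hunk returns the first syntactically valid address in X-Forwarded-For, which is the entry furthest from the trusted proxy and one the client can set itself if the proxy appends to an incoming header instead of replacing it. handleConnection then uses socket._realip for the isTorExit check and the cloaked display IP (the rest of its body is outside the hunk), so a forged leftmost value would be treated as the client's address. Unless every trusted proxy is known to overwrite the header, walk the list from the right and skip trusted hops: `for (let i = ipList.length - 1; i >= 0; i--)` with `if (net.isIP(ip) && !isTrustedProxy(ip)) return ip;`. Separately, isTrustedProxy is an exact string match, so a peer reported as an IPv4-mapped IPv6 address such as `::ffff:127.0.0.1` (constructed example) would not match a plain IPv4 entry and the header would be silently ignored; a comment on the expected format of getTrustedProxies() entries would help.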


@ -126,7 +126,7 @@ var Server = function () {
}
});
require("./io/ioserver").init(self);
require("./io/ioserver").init(self, webConfig);
// background tasks init ----------------------------------------------
require("./bgtask")(self);


@ -35,6 +35,9 @@ export default function initialize(app, webConfig) {
if (isTrustedProxy(req.ip)) {
req.realIP = getForwardedIP(req);
req.realProtocol = getForwardedProto(req);
} else {
req.realIP = req.ip;
req.realProtocol = req.protocol;
}
next();