sdgoij/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-01-17 01:30:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

reverseproxy: fix error when remote address is not an IP (#7429)

Browse Source
This commit is contained in:
Paulo Henrique
2026-01-13 16:52:56 -03:00
committed by GitHub
parent 5168acfb9c
commit 62134d65af
2 changed files with 44 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
modules/caddyhttp/reverseproxy/headers_test.go Normal file
View File

@@ -0,0 +1,34 @@
package reverseproxy
import (
"context"
"net/http/httptest"
"testing"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
)
func TestAddForwardedHeadersNonIP(t *testing.T) {
h := Handler{}
// Simulate a request with a non-IP remote address (e.g. SCION, abstract socket, or hostname)
req := httptest.NewRequest("GET", "/", nil)
req.RemoteAddr = "my-weird-network:12345"
// Mock the context variables required by Caddy.
// We need to inject the variable map manually since we aren't running the full server.
vars := map[string]interface{}{
caddyhttp.TrustedProxyVarKey: false,
}
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
req = req.WithContext(ctx)
// Execute the unexported function
err := h.addForwardedHeaders(req)
// Expectation: No error should be returned for non-IP addresses.
// The function should simply skip the trusted proxy check.
if err != nil {
t.Errorf("expected no error for non-IP address, got: %v", err)
}
}

17
modules/caddyhttp/reverseproxy/reverseproxy.go
View File

@@ -789,16 +789,19 @@ func (h Handler) addForwardedHeaders(req *http.Request) error {
// to pull that out before parsing the IP
clientIP, _, _ = strings.Cut(clientIP, "%")
ipAddr, err := netip.ParseAddr(clientIP)
if err != nil {
return fmt.Errorf("invalid IP address: '%s': %v", clientIP, err)
}
// Check if the client is a trusted proxy
trusted := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool)
for _, ipRange := range h.trustedProxies {
if ipRange.Contains(ipAddr) {
trusted = true
break
// If ParseAddr fails (e.g. non-IP network like SCION), we cannot check
// if it is a trusted proxy by IP range. In this case, we ignore the
// error and treat the connection as untrusted (or retain existing status).
if err == nil {
for _, ipRange := range h.trustedProxies {
if ipRange.Contains(ipAddr) {
trusted = true
break
}
}
}