MyFavMirrors
/
MeshCentral
mirror of https://github.com/Ylianst/MeshCentral.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

x-forwarded-host improvements.

This commit is contained in:
Ylian Saint-Hilaire 2020-11-28 19:30:07 -08:00
parent 4f4d20649a
commit de31acf940
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
webserver.js
View File

@ -4853,13 +4853,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.app.use(function (req, res, next) { obj.app.use(function (req, res, next) {
// Set the real IP address of the request // Set the real IP address of the request
// If a trusted reverse-proxy is sending us the remote IP address, use it. // If a trusted reverse-proxy is sending us the remote IP address, use it.
var ipex = '0.0.0.0'; var ipex = '0.0.0.0', serverHost = req.headers.host;
if (typeof req.ip == 'string') { ipex = (req.ip.startsWith('::ffff:')) ? req.ip.substring(7) : req.ip; } if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; }
if ( if (
(obj.args.trustedproxy === true) || (obj.args.trustedproxy === true) ||
((typeof obj.args.trustedproxy == 'object') && (obj.args.trustedproxy.indexOf(ipex) >= 0)) || ((typeof obj.args.trustedproxy == 'object') && (obj.args.trustedproxy.indexOf(ipex) >= 0)) ||
((typeof obj.args.tlsoffload == 'object') && (obj.args.tlsoffload.indexOf(ipex) >= 0)) ((typeof obj.args.tlsoffload == 'object') && (obj.args.tlsoffload.indexOf(ipex) >= 0))
) { ) {
// Get client IP
if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present
req.clientIp = req.headers['cf-connecting-ip'].split(',')[0].trim(); req.clientIp = req.headers['cf-connecting-ip'].split(',')[0].trim();
} else if (req.headers['x-forwarded-for']) { } else if (req.headers['x-forwarded-for']) {
@ -4869,6 +4870,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} else { } else {
req.clientIp = ipex; req.clientIp = ipex;
} }
// Get server host
if (req.headers['x-forwarded-host']) { serverHost = req.headers['x-forwarded-host']; }
} else { } else {
req.clientIp = ipex; req.clientIp = ipex;
} }
@ -4887,9 +4891,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
res.set(domain.httpheaders); res.set(domain.httpheaders);
} else { } else {
// Use default security headers // Use default security headers
var geourl = (domain.geolocation ? ' *.openstreetmap.org' : ''); const geourl = (domain.geolocation ? ' *.openstreetmap.org' : '');
var selfurl = req.headers['x-forwarded-host'] ? (' wss://' + req.headers['x-forwarded-host']) : (' wss://' + req.headers.host); const selfurl = ' wss://' + serverHost;
var headers = { const headers = {
'Referrer-Policy': 'no-referrer', 'Referrer-Policy': 'no-referrer',
'X-XSS-Protection': '1; mode=block', 'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff', 'X-Content-Type-Options': 'nosniff',
@ -4928,7 +4932,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Set the real IP address of the request // Set the real IP address of the request
// If a trusted reverse-proxy is sending us the remote IP address, use it. // If a trusted reverse-proxy is sending us the remote IP address, use it.
var ipex = '0.0.0.0'; var ipex = '0.0.0.0';
if (typeof req.ip == 'string') { ipex = (req.ip.startsWith('::ffff:')) ? req.ip.substring(7) : req.ip; } if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; }
if ( if (
(obj.args.trustedproxy === true) || (obj.args.trustedproxy === true) ||
((typeof obj.args.trustedproxy == 'object') && (obj.args.trustedproxy.indexOf(ipex) >= 0)) || ((typeof obj.args.trustedproxy == 'object') && (obj.args.trustedproxy.indexOf(ipex) >= 0)) ||