Add 'X-Forwarded-For' to (s)FTP requests (#20709)

Fixes #20707
2025-04-17 01:10:29 -04:00 · 2024-11-29 04:55:37 -08:00 · 2024-11-29 04:55:37 -08:00 · abd6bf060d
commit abd6bf060d
parent f0d4ef604c
3 changed files with 38 additions and 6 deletions
--- a/cmd/ftp-server-driver.go
+++ b/cmd/ftp-server-driver.go
@ -24,6 +24,8 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
 	"path"
 	"strings"
@ -286,6 +288,10 @@ func (driver *ftpDriver) CheckPasswd(c *ftp.Context, username, password string)
 }
 func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error) {
 	tr := http.RoundTripper(globalRemoteFTPClientTransport)
 	if host, _, err := net.SplitHostPort(ctx.Sess.RemoteAddr().String()); err == nil {
 		tr = forwardForTransport{tr: tr, fwd: host}
 	}
 	ui, ok := globalIAMSys.GetUser(context.Background(), ctx.Sess.LoginUser())
 	if !ok && !globalIAMSys.LDAPConfig.Enabled() {
 		return nil, errNoSuchUser
@ -363,7 +369,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
 		return minio.New(driver.endpoint, &minio.Options{
 			Creds:     mcreds,
 			Secure:    globalIsTLS,
-			Transport: globalRemoteFTPClientTransport,
+			Transport: tr,
 		})
 	}
@ -377,7 +383,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
 	return minio.New(driver.endpoint, &minio.Options{
 		Creds:     credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""),
 		Secure:    globalIsTLS,
-		Transport: globalRemoteFTPClientTransport,
+		Transport: tr,
 	})
 }
--- a/cmd/sftp-server-driver.go
+++ b/cmd/sftp-server-driver.go
@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"strings"
@ -45,6 +46,7 @@ const ftpMaxWriteOffset = 100 << 20
 type sftpDriver struct {
 	permissions *ssh.Permissions
 	endpoint    string
 	remoteIP    string
 }
 //msgp:ignore sftpMetrics
@ -89,8 +91,12 @@ func (m *sftpMetrics) log(s *sftp.Request, user string) func(sz int64, err error
 // - sftp.Filewrite
 // - sftp.Filelist
 // - sftp.Filecmd
-func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers {
+func NewSFTPDriver(perms *ssh.Permissions, remoteIP string) sftp.Handlers {
-	handler := &sftpDriver{endpoint: fmt.Sprintf("127.0.0.1:%s", globalMinioPort), permissions: perms}
+	handler := &sftpDriver{
 		endpoint:    fmt.Sprintf("127.0.0.1:%s", globalMinioPort),
 		permissions: perms,
 		remoteIP:    remoteIP,
 	}
 	return sftp.Handlers{
 		FileGet:  handler,
 		FilePut:  handler,
@ -99,16 +105,31 @@ func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers {
 	}
 }
 type forwardForTransport struct {
 	tr  http.RoundTripper
 	fwd string
 }
 func (f forwardForTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	r.Header.Set("X-Forwarded-For", f.fwd)
 	return f.tr.RoundTrip(r)
 }
 func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
 	mcreds := credentials.NewStaticV4(
 		f.permissions.CriticalOptions["AccessKey"],
 		f.permissions.CriticalOptions["SecretKey"],
 		f.permissions.CriticalOptions["SessionToken"],
 	)
 	// Set X-Forwarded-For on all requests.
 	tr := http.RoundTripper(globalRemoteFTPClientTransport)
 	if f.remoteIP != "" {
 		tr = forwardForTransport{tr: tr, fwd: f.remoteIP}
 	}
 	return minio.New(f.endpoint, &minio.Options{
 		Creds:     mcreds,
 		Secure:    globalIsTLS,
-		Transport: globalRemoteFTPClientTransport,
+		Transport: tr,
 	})
 }
--- a/cmd/sftp-server.go
+++ b/cmd/sftp-server.go
@ -488,7 +488,12 @@ func startSFTPServer(args []string) {
 	sshConfig.AddHostKey(private)
 	handleSFTPSession := func(channel ssh.Channel, sconn *ssh.ServerConn) {
-		server := sftp.NewRequestServer(channel, NewSFTPDriver(sconn.Permissions), sftp.WithRSAllocator())
+		var remoteIP string
 		if host, _, err := net.SplitHostPort(sconn.RemoteAddr().String()); err == nil {
 			remoteIP = host
 		}
 		server := sftp.NewRequestServer(channel, NewSFTPDriver(sconn.Permissions, remoteIP), sftp.WithRSAllocator())
 		defer server.Close()
 		server.Serve()
 	}