From 20c014ba8d4874365167a5ba9fa66a32cb6a3c11 Mon Sep 17 00:00:00 2001
From: Kyle Duren
Date: Mon, 6 Jan 2025 00:57:53 +0000
Subject: [PATCH] Adding test and some docs
---
 docs/config.md | 3 ++-
 server/server_test.go | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/docs/config.md b/docs/config.md
index 9479301a..c92493fb 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -555,12 +555,13 @@ Whatever your reasons may be, there are a few things to consider.
 If you are running ntfy behind a proxy, you should set the `behind-proxy` flag. This will instruct the [rate limiting](#rate-limiting) logic to use the `X-Forwarded-For` header as the primary identifier for a visitor, as opposed to the remote IP address. If the `behind-proxy` flag is not set, all visitors will
-be counted as one, because from the perspective of the ntfy server, they all share the proxy's IP address.
+be counted as one, because from the perspective of the ntfy server, they all share the proxy's IP address. If your proxy or CDN provider uses a custom header to securely pass the source IP/Client IP to your application, you can specify that header instead of using the XFF. Using the custom header (unique per provide/cdn/proxy), will disable the use of the XFF header.
 
 === "/etc/ntfy/server.yml"
 ``` yaml
 # Tell ntfy to use "X-Forwarded-For" to identify visitors
 behind-proxy: true
+ proxy-client-ip-header: "X-Client-IP"
 ```
 
 ### TLS/SSL
diff --git a/server/server_test.go b/server/server_test.go
index 75379f8f..42271928 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -7,8 +7,6 @@ import (
 "encoding/base64"
 "encoding/json"
 "fmt"
- "golang.org/x/crypto/bcrypt"
- "heckel.io/ntfy/v2/user"
 "io"
 "net/http"
 "net/http/httptest"
@@ -22,6 +20,9 @@ import (
 "testing"
 "time"
 
+ "golang.org/x/crypto/bcrypt"
+ "heckel.io/ntfy/v2/user"
+
 "github.com/SherClockHolmes/webpush-go"
 "github.com/stretchr/testify/require"
 "heckel.io/ntfy/v2/log"
@@ -2181,6 +2182,19 @@ func TestServer_Visitor_XForwardedFor_Multiple(t *testing.T) {
 require.Equal(t, "234.5.2.1", v.ip.String())
 }
 
+func TestServer_Visitor_Custom_ClientIP_Header(t *testing.T) {
+ c := newTestConfig(t)
+ c.BehindProxy = true
+ c.ProxyClientIPHeader = "X-Client-IP"
+ s := newTestServer(t, c)
+ r, _ := http.NewRequest("GET", "/bla", nil)
+ r.RemoteAddr = "8.9.10.11"
+ r.Header.Set("X-Client-IP", "1.2.3.4")
+ v, err := s.maybeAuthenticate(r)
+ require.Nil(t, err)
+ require.Equal(t, "1.2.3.4", v.ip.String())
+}
+
 func TestServer_PublishWhileUpdatingStatsWithLotsOfMessages(t *testing.T) {
 t.Parallel()
 count := 50000
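Review bot: TestServer_Visitor_Custom_ClientIP_Header pins only the happy path, so the behaviour the docs hunk in this patch promises (configuring the custom header disables use of X-Forwarded-For) is never asserted. Because this address is the visitor identity that rate limiting uses, add a conflicting XFF value before the `maybeAuthenticate` call, e.g. `r.Header.Set("X-Forwarded-For", "5.6.7.8")` (constructed sample address), and keep the `"1.2.3.4"` expectation. A second case where `X-Client-IP` is absent or not a parseable IP would pin which address the visitor ends up with, which the current test leaves unspecified. As a smaller style point, `require.NoError(t, err)` reads better on failure than `require.Nil(t, err)`, and the error from `http.NewRequest` is discarded with `_`.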