Docs, rename proxy-trusted-(addresses->hosts)

2025-07-20 10:04:08 +00:00 · 2025-07-05 22:35:26 +02:00 · 2025-07-05 22:35:26 +02:00 · 677b44ce61
commit 677b44ce61
parent 000248e6aa
13 changed files with 532 additions and 515 deletions
--- a/server/config.go
+++ b/server/config.go
@ -135,7 +135,7 @@ type Config struct {
 	VisitorAttachmentDailyBandwidthLimit int64
 	VisitorRequestLimitBurst             int
 	VisitorRequestLimitReplenish         time.Duration
-	VisitorRequestExemptIPAddrs          []netip.Prefix
+	VisitorRequestExemptPrefixes         []netip.Prefix
 	VisitorMessageDailyLimit             int
 	VisitorEmailLimitBurst               int
 	VisitorEmailLimitReplenish           time.Duration
@ -143,13 +143,13 @@ type Config struct {
 	VisitorAccountCreationLimitReplenish time.Duration
 	VisitorAuthFailureLimitBurst         int
 	VisitorAuthFailureLimitReplenish     time.Duration
-	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
-	VisitorSubscriberRateLimiting        bool      // Enable subscriber-based rate limiting for UnifiedPush topics
-	VisitorPrefixBitsIPv4                int       // Number of bits for IPv4 rate limiting (default: 32)
-	VisitorPrefixBitsIPv6                int       // Number of bits for IPv6 rate limiting (default: 64)
-	BehindProxy                          bool      // If true, the server will trust the proxy client IP header to determine the client IP address (IPv4 and IPv6 supported)
-	ProxyForwardedHeader                 string    // The header field to read the real/client IP address from, if BehindProxy is true, defaults to "X-Forwarded-For" (IPv4 and IPv6 supported)
-	ProxyTrustedAddresses                []string  // List of trusted proxy addresses (IPv4 or IPv6) that will be stripped from the Forwarded header if BehindProxy is true
+	VisitorStatsResetTime                time.Time      // Time of the day at which to reset visitor stats
+	VisitorSubscriberRateLimiting        bool           // Enable subscriber-based rate limiting for UnifiedPush topics
+	VisitorPrefixBitsIPv4                int            // Number of bits for IPv4 rate limiting (default: 32)
+	VisitorPrefixBitsIPv6                int            // Number of bits for IPv6 rate limiting (default: 64)
+	BehindProxy                          bool           // If true, the server will trust the proxy client IP header to determine the client IP address (IPv4 and IPv6 supported)
+	ProxyForwardedHeader                 string         // The header field to read the real/client IP address from, if BehindProxy is true, defaults to "X-Forwarded-For" (IPv4 and IPv6 supported)
+	ProxyTrustedPrefixes                 []netip.Prefix // List of trusted proxy networks (IPv4 or IPv6) that will be stripped from the Forwarded header if BehindProxy is true
 	StripeSecretKey                      string
 	StripeWebhookKey                     string
 	StripePriceCacheDuration             time.Duration
@ -159,7 +159,6 @@ type Config struct {
 	EnableReservations                   bool // Allow users with role "user" to own/reserve topics
 	EnableMetrics                        bool
 	AccessControlAllowOrigin             string // CORS header field to restrict access from web clients
-	Version                              string // injected by App
 	WebPushPrivateKey                    string
 	WebPushPublicKey                     string
 	WebPushFile                          string
@ -167,6 +166,7 @@ type Config struct {
 	WebPushStartupQueries                string
 	WebPushExpiryDuration                time.Duration
 	WebPushExpiryWarningDuration         time.Duration
+	Version                              string // injected by App
 }

 // NewConfig instantiates a default new server config
@ -229,7 +229,7 @@ func NewConfig() *Config {
 		VisitorAttachmentDailyBandwidthLimit: DefaultVisitorAttachmentDailyBandwidthLimit,
 		VisitorRequestLimitBurst:             DefaultVisitorRequestLimitBurst,
 		VisitorRequestLimitReplenish:         DefaultVisitorRequestLimitReplenish,
-		VisitorRequestExemptIPAddrs:          make([]netip.Prefix, 0),
+		VisitorRequestExemptPrefixes:         make([]netip.Prefix, 0),
 		VisitorMessageDailyLimit:             DefaultVisitorMessageDailyLimit,
 		VisitorEmailLimitBurst:               DefaultVisitorEmailLimitBurst,
 		VisitorEmailLimitReplenish:           DefaultVisitorEmailLimitReplenish,
--- a/server/server.go
+++ b/server/server.go
@ -760,7 +760,7 @@ func (s *Server) handlePublishInternal(r *http.Request, v *visitor) (*message, e
 		// the subscription as invalid if any 400-499 code (except 429/408) is returned.
 		// See https://github.com/mastodon/mastodon/blob/730bb3e211a84a2f30e3e2bbeae3f77149824a68/app/workers/web/push_notification_worker.rb#L35-L46
 		return nil, errHTTPInsufficientStorageUnifiedPush.With(t)
-	} else if !util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) && !vrate.MessageAllowed() {
+	} else if !util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) && !vrate.MessageAllowed() {
 		return nil, errHTTPTooManyRequestsLimitMessages.With(t)
 	} else if email != "" && !vrate.EmailAllowed() {
 		return nil, errHTTPTooManyRequestsLimitEmails.With(t)
@ -1937,7 +1937,7 @@ func (s *Server) authorizeTopic(next handleFunc, perm user.Permission) handleFun
 // that subsequent logging calls still have a visitor context.
 func (s *Server) maybeAuthenticate(r *http.Request) (*visitor, error) {
 	// Read the "Authorization" header value and exit out early if it's not set
-	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedAddresses)
+	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedPrefixes)
 	vip := s.visitor(ip, nil)
 	if s.userManager == nil {
 		return vip, nil
@ -2012,7 +2012,7 @@ func (s *Server) authenticateBearerAuth(r *http.Request, token string) (*user.Us
 	if err != nil {
 		return nil, err
 	}
-	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedAddresses)
+	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedPrefixes)
 	go s.userManager.EnqueueTokenUpdate(token, &user.TokenUpdate{
 		LastAccess: time.Now(),
 		LastOrigin: ip,
--- a/server/server.yml
+++ b/server/server.yml
@ -105,13 +105,13 @@
 #   proxy-forwarded-header. Without this, the remote address of the incoming connection is used.
 # - proxy-forwarded-header is the header to use to identify visitors. It may be a single IP address (e.g. 1.2.3.4),
 #   a comma-separated list of IP addresses (e.g. "1.2.3.4, 5.6.7.8"), or an RFC 7239-style header (e.g. "for=1.2.3.4;by=proxy.example.com, for=5.6.7.8").
-# - proxy-trusted-addresses is a comma-separated list of IP addresses that are removed from the forwarded header
+# - proxy-trusted-hosts is a comma-separated list of IP addresses, hostnames or CIDRs that are removed from the forwarded header
 #   to determine the real IP address. This is only useful if there are multiple proxies involved that add themselves to
 #   the forwarded header.
 #
 # behind-proxy: false
 # proxy-forwarded-header: "X-Forwarded-For"
-# proxy-trusted-addresses:
+# proxy-trusted-hosts:

 # If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
 # are "attachment-cache-dir" and "base-url".
--- a/server/server_middleware.go
+++ b/server/server_middleware.go
@ -16,7 +16,7 @@ const (

 func (s *Server) limitRequests(next handleFunc) handleFunc {
 	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
-		if util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) {
+		if util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) {
 			return next(w, r, v)
 		} else if !v.RequestAllowed() {
 			return errHTTPTooManyRequestsLimitRequests
@ -40,7 +40,7 @@ func (s *Server) limitRequestsWithTopic(next handleFunc) handleFunc {
 			contextRateVisitor: vrate,
 			contextTopic:       t,
 		})
-		if util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) {
+		if util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) {
 			return next(w, r, v)
 		} else if !vrate.RequestAllowed() {
 			return errHTTPTooManyRequestsLimitRequests
--- a/server/server_test.go
+++ b/server/server_test.go
@ -1225,7 +1225,7 @@ func TestServer_PublishTooManyRequests_IPv6_Slash48(t *testing.T) {
 func TestServer_PublishTooManyRequests_Defaults_ExemptHosts(t *testing.T) {
 	c := newTestConfig(t)
 	c.VisitorRequestLimitBurst = 3
-	c.VisitorRequestExemptIPAddrs = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
+	c.VisitorRequestExemptPrefixes = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
 	s := newTestServer(t, c)
 	for i := 0; i < 5; i++ { // > 3
 		response := request(t, s, "PUT", "/mytopic", fmt.Sprintf("message %d", i), nil)
@ -1236,7 +1236,7 @@ func TestServer_PublishTooManyRequests_Defaults_ExemptHosts(t *testing.T) {
 func TestServer_PublishTooManyRequests_Defaults_ExemptHosts_IPv6(t *testing.T) {
 	c := newTestConfig(t)
 	c.VisitorRequestLimitBurst = 3
-	c.VisitorRequestExemptIPAddrs = []netip.Prefix{netip.MustParsePrefix("2001:db8:9999::/48")}
+	c.VisitorRequestExemptPrefixes = []netip.Prefix{netip.MustParsePrefix("2001:db8:9999::/48")}
 	s := newTestServer(t, c)
 	overrideRemoteAddr := func(r *http.Request) {
 		r.RemoteAddr = "[2001:db8:9999::1]:1234"
@ -1251,7 +1251,7 @@ func TestServer_PublishTooManyRequests_Defaults_ExemptHosts_MessageDailyLimit(t
 	c := newTestConfig(t)
 	c.VisitorRequestLimitBurst = 10
 	c.VisitorMessageDailyLimit = 4
-	c.VisitorRequestExemptIPAddrs = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
+	c.VisitorRequestExemptPrefixes = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
 	s := newTestServer(t, c)
 	for i := 0; i < 8; i++ { // 4
 		response := request(t, s, "PUT", "/mytopic", "message", nil)
@ -2318,7 +2318,7 @@ func TestServer_Visitor_Custom_Forwarded_Header(t *testing.T) {
 	c := newTestConfig(t)
 	c.BehindProxy = true
 	c.ProxyForwardedHeader = "Forwarded"
-	c.ProxyTrustedAddresses = []string{"1.2.3.4"}
+	c.ProxyTrustedPrefixes = []netip.Prefix{netip.MustParsePrefix("1.2.3.0/24")}
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
 	r.RemoteAddr = "8.9.10.11:1234"
@ -2332,7 +2332,7 @@ func TestServer_Visitor_Custom_Forwarded_Header_IPv6(t *testing.T) {
 	c := newTestConfig(t)
 	c.BehindProxy = true
 	c.ProxyForwardedHeader = "Forwarded"
-	c.ProxyTrustedAddresses = []string{"2001:db8:1111::1"}
+	c.ProxyTrustedPrefixes = []netip.Prefix{netip.MustParsePrefix("2001:db8:1111::/64")}
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
 	r.RemoteAddr = "[2001:db8:2222::1]:1234"
--- a/server/util.go
+++ b/server/util.go
@ -9,7 +9,6 @@ import (
 	"net/http"
 	"net/netip"
 	"regexp"
-	"slices"
 	"strings"

 	"heckel.io/ntfy/v2/util"
@ -84,9 +83,9 @@ func readQueryParam(r *http.Request, names ...string) string {

 // extractIPAddress extracts the IP address of the visitor from the request,
 // either from the TCP socket or from a proxy header.
-func extractIPAddress(r *http.Request, behindProxy bool, proxyForwardedHeader string, proxyTrustedAddresses []string) netip.Addr {
+func extractIPAddress(r *http.Request, behindProxy bool, proxyForwardedHeader string, proxyTrustedPrefixes []netip.Prefix) netip.Addr {
 	if behindProxy && proxyForwardedHeader != "" {
-		if addr, err := extractIPAddressFromHeader(r, proxyForwardedHeader, proxyTrustedAddresses); err == nil {
+		if addr, err := extractIPAddressFromHeader(r, proxyForwardedHeader, proxyTrustedPrefixes); err == nil {
 			return addr
 		}
 		// Fall back to the remote address if the header is not found or invalid
@ -109,7 +108,7 @@ func extractIPAddress(r *http.Request, behindProxy bool, proxyForwardedHeader st
 // If there are multiple addresses, we first remove the trusted IP addresses from the list, and
 // then take the right-most address in the list (as this is the one added by our proxy server).
 // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.
-func extractIPAddressFromHeader(r *http.Request, forwardedHeader string, trustedAddresses []string) (netip.Addr, error) {
+func extractIPAddressFromHeader(r *http.Request, forwardedHeader string, trustedPrefixes []netip.Prefix) (netip.Addr, error) {
 	value := strings.TrimSpace(strings.ToLower(r.Header.Get(forwardedHeader)))
 	if value == "" {
 		return netip.IPv4Unspecified(), fmt.Errorf("no %s header found", forwardedHeader)
@ -133,7 +132,12 @@ func extractIPAddressFromHeader(r *http.Request, forwardedHeader string, trusted
 	}
 	// Filter out proxy addresses
 	clientAddrs := util.Filter(validAddrs, func(addr netip.Addr) bool {
-		return !slices.Contains(trustedAddresses, addr.String())
+		for _, prefix := range trustedPrefixes {
+			if prefix.Contains(addr) {
+				return false // Address is in the trusted range, ignore it
+			}
+		}
+		return true
 	})
 	if len(clientAddrs) == 0 {
 		return netip.IPv4Unspecified(), fmt.Errorf("no client IP address found in %s header: %s", forwardedHeader, value)
--- a/server/util_test.go
+++ b/server/util_test.go
@ -100,7 +100,7 @@ func TestExtractIPAddress(t *testing.T) {
 	r.Header.Set("X-Real-IP", "13.14.15.16, 1.1.1.1")
 	r.Header.Set("Forwarded", "for=17.18.19.20;by=proxy.example.com, by=2.2.2.2;for=1.1.1.1")

-	trustedProxies := []string{"1.1.1.1"}
+	trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")}

 	require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
 	require.Equal(t, "9.10.11.12", extractIPAddress(r, true, "X-Client-IP", trustedProxies).String())
@ -115,7 +115,7 @@ func TestExtractIPAddress_UnixSocket(t *testing.T) {
 	r.Header.Set("X-Forwarded-For", "1.2.3.4, 5.6.7.8, 1.1.1.1")
 	r.Header.Set("Forwarded", "by=bla.example.com;for=17.18.19.20")

-	trustedProxies := []string{"1.1.1.1"}
+	trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")}

 	require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
 	require.Equal(t, "17.18.19.20", extractIPAddress(r, true, "Forwarded", trustedProxies).String())
@ -126,26 +126,18 @@ func TestExtractIPAddress_MixedIPv4IPv6(t *testing.T) {
 	r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
 	r.RemoteAddr = "[2001:db8:abcd::1]:1234"
 	r.Header.Set("X-Forwarded-For", "1.2.3.4, 2001:db8:abcd::2, 5.6.7.8")
-	trustedProxies := []string{"1.2.3.4"}
+	trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.2.3.0/24")}
 	require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
 }

 func TestExtractIPAddress_TrustedIPv6Prefix(t *testing.T) {
 	r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
 	r.RemoteAddr = "[2001:db8:abcd::1]:1234"
-	r.Header.Set("X-Forwarded-For", "2001:db8:abcd::1, 2001:db8:abcd:1::2, 2001:db8:abcd:2::3")
-	trustedProxies := []string{"2001:db8:abcd::/48"}
+	r.Header.Set("X-Forwarded-For", "2001:db8:aaaa::1, 2001:db8:aaaa::2, 2001:db8:abcd:2::3")
+	trustedProxies := []netip.Prefix{netip.MustParsePrefix("2001:db8:aaaa::/48")}
 	require.Equal(t, "2001:db8:abcd:2::3", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
 }

-func TestExtractIPAddress_EdgeCases(t *testing.T) {
-	r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
-	r.RemoteAddr = "[::ffff:192.0.2.128]:1234" // IPv4-mapped IPv6
-	r.Header.Set("X-Forwarded-For", "::ffff:192.0.2.128, 2001:db8:abcd::1")
-	trustedProxies := []string{"::ffff:192.0.2.128"}
-	require.Equal(t, "2001:db8:abcd::1", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
-}
-
 func TestVisitorID(t *testing.T) {
 	confWithDefaults := &Config{
 		VisitorPrefixBitsIPv4: 32,