Change to "proxy-forwarded-header" and add "proxy-trusted-addrs"

2025-07-20 10:04:08 +00:00 · 2025-05-31 22:39:18 -04:00 · 2025-05-31 22:39:18 -04:00 · 849884c947
commit 849884c947
parent 2cb4d089ab
12 changed files with 482 additions and 280 deletions
--- a/server/server_test.go
+++ b/server/server_test.go
@ -2200,7 +2200,7 @@ func TestServer_Visitor_XForwardedFor_None(t *testing.T) {
 	c.BehindProxy = true
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
-	r.RemoteAddr = "8.9.10.11"
+	r.RemoteAddr = "8.9.10.11:1234"
 	r.Header.Set("X-Forwarded-For", "  ") // Spaces, not empty!
 	v, err := s.maybeAuthenticate(r)
 	require.Nil(t, err)
@ -2212,7 +2212,7 @@ func TestServer_Visitor_XForwardedFor_Single(t *testing.T) {
 	c.BehindProxy = true
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
-	r.RemoteAddr = "8.9.10.11"
+	r.RemoteAddr = "8.9.10.11:1234"
 	r.Header.Set("X-Forwarded-For", "1.1.1.1")
 	v, err := s.maybeAuthenticate(r)
 	require.Nil(t, err)
@ -2224,7 +2224,7 @@ func TestServer_Visitor_XForwardedFor_Multiple(t *testing.T) {
 	c.BehindProxy = true
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
-	r.RemoteAddr = "8.9.10.11"
+	r.RemoteAddr = "8.9.10.11:1234"
 	r.Header.Set("X-Forwarded-For", "1.2.3.4 , 2.4.4.2,234.5.2.1 ")
 	v, err := s.maybeAuthenticate(r)
 	require.Nil(t, err)
@ -2237,7 +2237,7 @@ func TestServer_Visitor_Custom_ClientIP_Header(t *testing.T) {
 	c.ProxyForwardedHeader = "X-Client-IP"
 	s := newTestServer(t, c)
 	r, _ := http.NewRequest("GET", "/bla", nil)
-	r.RemoteAddr = "8.9.10.11"
+	r.RemoteAddr = "8.9.10.11:1234"
 	r.Header.Set("X-Client-IP", "1.2.3.4")
 	v, err := s.maybeAuthenticate(r)
 	require.Nil(t, err)
@ -2333,7 +2333,7 @@ func TestServer_SubscriberRateLimiting_Success(t *testing.T) {

 	// "Register" visitor 1.2.3.4 to topic "upAAAAAAAAAAAA" as a rate limit visitor
 	subscriber1Fn := func(r *http.Request) {
-		r.RemoteAddr = "1.2.3.4"
+		r.RemoteAddr = "1.2.3.4:1234"
 	}
 	rr := request(t, s, "GET", "/upAAAAAAAAAAAA/json?poll=1", "", nil, subscriber1Fn)
 	require.Equal(t, 200, rr.Code)
@ -2342,7 +2342,7 @@ func TestServer_SubscriberRateLimiting_Success(t *testing.T) {

 	// "Register" visitor 8.7.7.1 to topic "up012345678912" as a rate limit visitor (implicitly via topic name)
 	subscriber2Fn := func(r *http.Request) {
-		r.RemoteAddr = "8.7.7.1"
+		r.RemoteAddr = "8.7.7.1:1234"
 	}
 	rr = request(t, s, "GET", "/up012345678912/json?poll=1", "", nil, subscriber2Fn)
 	require.Equal(t, 200, rr.Code)
@ -2385,7 +2385,7 @@ func TestServer_SubscriberRateLimiting_NotWrongTopic(t *testing.T) {
 	s := newTestServer(t, c)

 	subscriberFn := func(r *http.Request) {
-		r.RemoteAddr = "1.2.3.4"
+		r.RemoteAddr = "1.2.3.4:1234"
 	}
 	rr := request(t, s, "GET", "/alerts,upAAAAAAAAAAAA,upBBBBBBBBBBBB/json?poll=1", "", nil, subscriberFn)
 	require.Equal(t, 200, rr.Code)
@ -2405,7 +2405,7 @@ func TestServer_SubscriberRateLimiting_NotEnabled_Failed(t *testing.T) {

 	// Registering visitor 1.2.3.4 to topic has no effect
 	rr := request(t, s, "GET", "/upAAAAAAAAAAAA/json?poll=1", "", nil, func(r *http.Request) {
-		r.RemoteAddr = "1.2.3.4"
+		r.RemoteAddr = "1.2.3.4:1234"
 	})
 	require.Equal(t, 200, rr.Code)
 	require.Equal(t, "", rr.Body.String())
@ -2413,7 +2413,7 @@ func TestServer_SubscriberRateLimiting_NotEnabled_Failed(t *testing.T) {

 	// Registering visitor 8.7.7.1 to topic has no effect
 	rr = request(t, s, "GET", "/up012345678912/json?poll=1", "", nil, func(r *http.Request) {
-		r.RemoteAddr = "8.7.7.1"
+		r.RemoteAddr = "8.7.7.1:1234"
 	})
 	require.Equal(t, 200, rr.Code)
 	require.Equal(t, "", rr.Body.String())
@ -2439,7 +2439,7 @@ func TestServer_SubscriberRateLimiting_UP_Only(t *testing.T) {
 	// "Register" 5 different UnifiedPush visitors
 	for i := 0; i < 5; i++ {
 		subscriberFn := func(r *http.Request) {
-			r.RemoteAddr = fmt.Sprintf("1.2.3.%d", i+1)
+			r.RemoteAddr = fmt.Sprintf("1.2.3.%d:1234", i+1)
 		}
 		rr := request(t, s, "GET", fmt.Sprintf("/up12345678901%d/json?poll=1", i), "", nil, subscriberFn)
 		require.Equal(t, 200, rr.Code)
@ -2463,7 +2463,7 @@ func TestServer_Matrix_SubscriberRateLimiting_UP_Only(t *testing.T) {
 	// "Register" 5 different UnifiedPush visitors
 	for i := 0; i < 5; i++ {
 		rr := request(t, s, "GET", fmt.Sprintf("/up12345678901%d/json?poll=1", i), "", nil, func(r *http.Request) {
-			r.RemoteAddr = fmt.Sprintf("1.2.3.%d", i+1)
+			r.RemoteAddr = fmt.Sprintf("1.2.3.%d:1234", i+1)
 		})
 		require.Equal(t, 200, rr.Code)
 	}
@ -2490,7 +2490,7 @@ func TestServer_SubscriberRateLimiting_VisitorExpiration(t *testing.T) {

 	// "Register" rate visitor
 	subscriberFn := func(r *http.Request) {
-		r.RemoteAddr = "1.2.3.4"
+		r.RemoteAddr = "1.2.3.4:1234"
 	}
 	rr := request(t, s, "GET", "/upAAAAAAAAAAAA/json?poll=1", "", nil, subscriberFn)
 	require.Equal(t, 200, rr.Code)
@ -2529,7 +2529,7 @@ func TestServer_SubscriberRateLimiting_ProtectedTopics_WithDefaultReadWrite(t *t
 	// - "up123456789012": Allowed, because no ACLs and nobody owns the topic
 	// - "announcements": NOT allowed, because it has read-only permissions for everyone
 	rr := request(t, s, "GET", "/up123456789012,announcements/json?poll=1", "", nil, func(r *http.Request) {
-		r.RemoteAddr = "1.2.3.4"
+		r.RemoteAddr = "1.2.3.4:1234"
 	})
 	require.Equal(t, 200, rr.Code)
 	require.Equal(t, "1.2.3.4", s.topics["up123456789012"].rateVisitor.ip.String())
@ -2971,7 +2971,7 @@ func request(t *testing.T, s *Server, method, url, body string, headers map[stri
 	if err != nil {
 		t.Fatal(err)
 	}
-	r.RemoteAddr = "9.9.9.9" // Used for tests
+	r.RemoteAddr = "9.9.9.9:1234" // Used for tests
 	for k, v := range headers {
 		r.Header.Set(k, v)
 	}