Honor HTTP header 'X-Real-IP' when available
And because X-Real-IP can be spoofed, gate this feature with TRUST_X_REAL_IP
environment variable.

Fix tmate-io#5.
pini-gh committed Jan 22, 2023
1 parent d95a4b7 commit c9cd625
Showing 2 changed files with 6 additions and 1 deletion.
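--- a/config/prod.exs
+++ b/config/prod.exs
@@ -26,7 +26,8 @@ config :tmate, :websocket, Keyword.merge(websocket_ranch_opts,
 cowboy_opts: %{
 compress: true,
 proxy_header: System.get_env("USE_PROXY_PROTOCOL") == "1"},
-base_url: System.get_env("WEBSOCKET_BASE_URL")
+base_url: System.get_env("WEBSOCKET_BASE_URL"),
+trust_x_real_ip: System.get_env("TRUST_X_REAL_IP") == "1"
 )
 
 config :tzdata, :autoupdate, :disabled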
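Review bot: The new `trust_x_real_ip` key has no comment stating when it is safe to enable, so an operator reading prod.exs cannot tell that the header is client-controlled unless a proxy rewrites it. I would add above it `# Set TRUST_X_REAL_IP=1 only when a reverse proxy in front of this listener overwrites X-Real-IP on every request; otherwise any client chooses the address the service sees.` It is also worth noting there that the PROXY-protocol address still takes precedence when `USE_PROXY_PROTOCOL` is on, which is the clause order in websocket.ex. The `Keyword.merge(` call opens outside this hunk.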
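--- a/lib/tmate/ws_api/websocket.ex
+++ b/lib/tmate/ws_api/websocket.ex
@@ -24,8 +24,12 @@ defmodule Tmate.WsApi.WebSocket do
 {mode, session} ->
 case Tmate.Session.ws_verify_auth(session) do
 :ok ->
+trust_x_real_ip = Application.get_env(:tmate, :websocket)[:trust_x_real_ip]
 ip = case req do
 %{proxy_header: %{src_address: ip}} -> ip
+%{headers: %{"x-real-ip" => ipstring}} when trust_x_real_ip ->
+{_, ip} = :inet.parse_address(ipstring |> to_charlist)
+ip
 %{peer: {ip, _port}} -> ip
 end
 ip = :inet_parse.ntoa(ip) |> to_string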
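Review bot: An X-Real-IP value that does not parse as an address is not handled in the new clause. `{_, ip} = :inet.parse_address(ipstring |> to_charlist)` discards the `:ok`/`:error` tag, so on failure `ip` is bound to the error reason, and the later `:inet_parse.ntoa(ip) |> to_string` will most likely raise and take the connection setup down. Match `{:ok, ip}` explicitly and fall back to the socket peer address when parsing fails, as sketched below. The enclosing function starts before this hunk and continues after it.

```elixir
ip = case req do
  # … unchanged: proxy_header clause …
  %{headers: %{"x-real-ip" => ipstring}, peer: {peer_ip, _port}} when trust_x_real_ip ->
    # A header that is not a valid IPv4/IPv6 literal must not become the session address.
    case :inet.parse_address(to_charlist(ipstring)) do
      {:ok, parsed} -> parsed
      {:error, _reason} -> peer_ip
    end
  # … unchanged: peer clause …
end
```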
