From 70fb830dca26bea7ced772ce5d834a3e88ae7f53 Mon Sep 17 00:00:00 2001
From: Boshi Lian
Date: Thu, 9 May 2024 13:53:36 -0700
Subject: [PATCH] Merge pull request from GHSA-4w53-6jvp-gg52

* feat: Add support for allowed proxy addresses

This commit adds support for allowed proxy addresses, which allows only connections from these IP ranges to send a proxy header based on the PROXY protocol. If the allowed proxy addresses are empty, the PROXY protocol support is disabled.

* Update cmd/sshpiperd/main.go

Co-authored-by: Peter G <97112726+pgibson1-godaddy@users.noreply.github.com>

---------

Co-authored-by: Peter G <97112726+pgibson1-godaddy@users.noreply.github.com>
---
 cmd/sshpiperd/main.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/sshpiperd/main.go b/cmd/sshpiperd/main.go
index 02633f725..c5eb0e23b 100644
--- a/cmd/sshpiperd/main.go
+++ b/cmd/sshpiperd/main.go
@@ -160,6 +160,11 @@ func main() {
 Usage: "filter out hostkeys-00@openssh.com which cause client side warnings",
 EnvVars: []string{"SSHPIPERD_DROP_HOSTKEYS_MESSAGE"},
 },
+ &cli.StringSliceFlag{
+ Name: "allowed-proxy-addresses",
+ Value: cli.NewStringSlice(),
+ Usage: "allowed proxy addresses, only connections from these ip ranges are allowed to send a proxy header based on the PROXY protocol, empty will disable the PROXY protocol support",
+ },
 },
 Action: func(ctx *cli.Context) error {
 level, err := log.ParseLevel(ctx.String("log-level"))
@@ -185,7 +190,17 @@ func main() {
 }
 quit := make(chan error)
- d.lis = &proxyproto.Listener{Listener: d.lis}
+
+ allowedproxyaddresses := ctx.StringSlice("allowed-proxy-addresses")
+
+ if len(allowedproxyaddresses) > 0 {
+ proxypolicy, err := proxyproto.LaxWhiteListPolicy(allowedproxyaddresses)
+ if err != nil {
+ return err
+ }
+
+ d.lis = &proxyproto.Listener{Listener: d.lis, Policy: proxypolicy}
+ }
 var plugins []*plugin.GrpcPlugin
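Review bot: The new `allowed-proxy-addresses` flag in the first hunk carries no `EnvVars` entry, while the flag immediately above it is exposed as `SSHPIPERD_DROP_HOSTKEYS_MESSAGE`, so this security-relevant setting is the one option an operator cannot supply through the environment the way the rest of the daemon's flags are; following that visible convention the fix is one line, `EnvVars: []string{"SSHPIPERD_ALLOWED_PROXY_ADDRESSES"},` (name constructed from the pattern, adjust if the project uses another). The Usage text says "ip ranges" without naming the accepted syntax, and because the values are passed unchanged to `proxyproto.LaxWhiteListPolicy` in the second hunk a malformed entry is only rejected when the Action runs, so the string should state the expected form (single IPs and/or CIDR prefixes — confirm against that function's parser) so operators can get it right the first time. The empty default keeps PROXY-header handling disabled unless explicitly opted into, which is the correct fail-closed choice and worth recording in a short comment on the flag, e.g. `// Empty (the default) disables PROXY protocol handling entirely.` The enclosing `main` function begins and ends outside the hunk.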