feat: Support x-forwarded-for headers for IPs (#4684)

* feat: Support x-forwarded-for headers for IPs Fixes #4430. * Fix realip accepting headers * Fix unused headers
2025-07-15 22:20:27 +00:00 · 2022-10-23 13:21:49 -05:00
parent 795ed3dc97
commit f75a54cd1e
15 changed files with 946 additions and 23 deletions
--- a/coderd/workspaceapps_test.go
+++ b/coderd/workspaceapps_test.go
@ -21,6 +21,7 @@ import (
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
@ -85,6 +86,7 @@ func setupProxyTest(t *testing.T, customAppHost ...string) (*codersdk.Client, co
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, err := r.Cookie(codersdk.SessionTokenKey)
 			assert.ErrorIs(t, err, http.ErrNoCookie)
+			w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
 			w.WriteHeader(http.StatusOK)
 			_, _ = w.Write([]byte(proxyTestAppBody))
 		}),
@ -107,6 +109,15 @@ func setupProxyTest(t *testing.T, customAppHost ...string) (*codersdk.Client, co
 		IncludeProvisionerDaemon:    true,
 		AgentStatsRefreshInterval:   time.Millisecond * 100,
 		MetricsCacheRefreshInterval: time.Millisecond * 100,
+		RealIPConfig: &httpmw.RealIPConfig{
+			TrustedOrigins: []*net.IPNet{{
+				IP:   net.ParseIP("127.0.0.1"),
+				Mask: net.CIDRMask(8, 32),
+			}},
+			TrustedHeaders: []string{
+				"CF-Connecting-IP",
+			},
+		},
 	})
 	user := coderdtest.CreateFirstUser(t, client)

@ -280,6 +291,24 @@ func TestWorkspaceAppsProxyPath(t *testing.T) {
 		require.Equal(t, http.StatusOK, resp.StatusCode)
 	})

+	t.Run("ForwardsIP", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		resp, err := client.Request(ctx, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s/?%s", workspace.Name, proxyTestAppNameOwner, proxyTestAppQuery), nil, func(r *http.Request) {
+			r.Header.Set("Cf-Connecting-IP", "1.1.1.1")
+		})
+		require.NoError(t, err)
+		defer resp.Body.Close()
+		body, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		require.Equal(t, proxyTestAppBody, string(body))
+		require.Equal(t, http.StatusOK, resp.StatusCode)
+		require.Equal(t, "1.1.1.1,127.0.0.1", resp.Header.Get("X-Forwarded-For"))
+	})
+
 	t.Run("ProxyError", func(t *testing.T) {
 		t.Parallel()