Allow trusted proxies to be provided via TRUSTED_PROXIES env var

Alejandro Celaya 2025-07-17 09:57:34 +02:00
parent 650fafb7c4
commit 1f825797f6
3 changed files with 44 additions and 36 deletions


@ -2,51 +2,56 @@
declare(strict_types=1);
use Psr\Container\ContainerInterface;
use RKA\Middleware\IpAddress;
use RKA\Middleware\Mezzio\IpAddressFactory;
use Shlinkio\Shlink\Core\Config\EnvVars;
use Shlinkio\Shlink\Core\Middleware\ReverseForwardedAddressesMiddlewareDecorator;
use function Shlinkio\Shlink\Core\splitByComma;
use const Shlinkio\Shlink\IP_ADDRESS_REQUEST_ATTRIBUTE;
return [
return (static function (): array {
$trustedProxies = EnvVars::TRUSTED_PROXIES->loadFromEnv();
// Configuration for RKA\Middleware\IpAddress
'rka' => [
'ip_address' => [
'attribute_name' => IP_ADDRESS_REQUEST_ATTRIBUTE,
'check_proxy_headers' => true,
'trusted_proxies' => [],
'headers_to_inspect' => [
'CF-Connecting-IP',
'X-Forwarded-For',
'X-Forwarded',
'Forwarded',
'True-Client-IP',
'X-Real-IP',
'X-Cluster-Client-Ip',
'Client-Ip',
],
],
],
return [
'dependencies' => [
'factories' => [
IpAddress::class => IpAddressFactory::class,
],
'delegators' => [
// Make middleware decoration transparent to other parts of the code
IpAddress::class => [
function (
ContainerInterface $container,
string $name,
callable $callback
): ReverseForwardedAddressesMiddlewareDecorator {
return new ReverseForwardedAddressesMiddlewareDecorator($callback());
},
// Configuration for RKA\Middleware\IpAddress
'rka' => [
'ip_address' => [
'attribute_name' => IP_ADDRESS_REQUEST_ATTRIBUTE,
'check_proxy_headers' => true,
'trusted_proxies' => splitByComma($trustedProxies),
'headers_to_inspect' => [
'CF-Connecting-IP',
'X-Forwarded-For',
'X-Forwarded',
'Forwarded',
'True-Client-IP',
'X-Real-IP',
'X-Cluster-Client-Ip',
'Client-Ip',
],
],
],
],
'dependencies' => [
'factories' => [
IpAddress::class => IpAddressFactory::class,
],
'delegators' => [
// Make middleware decoration transparent to other parts of the code
IpAddress::class => [
fn ($c, $n, callable $callback) =>
// If trusted proxies have been provided, use original middleware verbatim, otherwise decorate
// with workaround
$trustedProxies !== null
? $callback()
: new ReverseForwardedAddressesMiddlewareDecorator($callback()),
],
],
];
],
];
})();
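Review bot: The delegator branches on `$trustedProxies !== null` while the `trusted_proxies` entry is built from `splitByComma($trustedProxies)`, so the two can disagree. If `TRUSTED_PROXIES` is set but empty or blank and `loadFromEnv()` hands that back as a string (neither helper is visible here), the decorator is skipped and the IpAddress middleware runs with `check_proxy_headers` enabled and an empty or meaningless proxy list. Depending on how the middleware treats an empty list, forwarded headers are then either ignored entirely or accepted from any peer, and the second case would let a client pick its own address through any of the eight inspected headers. Computing the list once with `$proxies = splitByComma($trustedProxies);` and choosing `$proxies === [] ? new ReverseForwardedAddressesMiddlewareDecorator($callback()) : $callback()` keeps the config value and the decoration decision in step. A short comment stating that entries must be the addresses or CIDR ranges of the proxies that connect directly, and that those proxies are expected to overwrite the listed headers, would help operators avoid over-broad values.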


@ -89,6 +89,7 @@ enum EnvVars: string
case CORS_ALLOW_ORIGIN = 'CORS_ALLOW_ORIGIN';
case CORS_ALLOW_CREDENTIALS = 'CORS_ALLOW_CREDENTIALS';
case CORS_MAX_AGE = 'CORS_MAX_AGE';
case TRUSTED_PROXIES = 'TRUSTED_PROXIES';
/** @deprecated Use REDIRECT_EXTRA_PATH */
case REDIRECT_APPEND_EXTRA_PATH = 'REDIRECT_APPEND_EXTRA_PATH';


@ -26,6 +26,8 @@ use function implode;
* if trusted proxies are not set.
*
* @see https://github.com/akrabat/ip-address-middleware/pull/51
* @deprecated Remove in future major version, and enforce users with multiple reverse proxies to provide the list via
* TRUSTED_PROXIES
*/
readonly class ReverseForwardedAddressesMiddlewareDecorator implements MiddlewareInterface
{