Mercurial > prosody-modules
comparison mod_net_proxy/mod_net_proxy.lua @ 2963:504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
author | Pascal Mathis <mail@pascalmathis.com> |
---|---|
date | Wed, 28 Mar 2018 20:47:41 +0200 |
parents | 6b01600b9c02 |
children | 7eb6fa9b03fd |
comparison
equal
deleted
inserted
replaced
2962:6b01600b9c02 | 2963:504bb330e910 |
---|---|
65 PROXYv1 = { signature = hex.from("50524F5859"), callback = nil }, | 65 PROXYv1 = { signature = hex.from("50524F5859"), callback = nil }, |
66 PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil } | 66 PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil } |
67 }; | 67 }; |
68 local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 }; | 68 local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 }; |
69 | 69 |
70 -- Configuration Variables | |
71 local config_mappings = module:get_option("proxy_port_mappings", {}); | |
72 local config_ports = module:get_option_set("proxy_ports", {}); | |
73 local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"}); | |
74 | |
70 -- Persistent In-Memory Storage | 75 -- Persistent In-Memory Storage |
71 local sessions = {}; | 76 local sessions = {}; |
72 local mappings = {}; | 77 local mappings = {}; |
78 local trusted_networks = set.new(); | |
73 | 79 |
74 -- Proxy Data Methods | 80 -- Proxy Data Methods |
75 local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt; | 81 local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt; |
76 | 82 |
77 function proxy_data_mt:describe() | 83 function proxy_data_mt:describe() |
312 service_listener.onconnect(conn); | 318 service_listener.onconnect(conn); |
313 end | 319 end |
314 return service_listener.onincoming(conn, session.buffer); | 320 return service_listener.onincoming(conn, session.buffer); |
315 end | 321 end |
316 | 322 |
323 local function is_trusted_proxy(conn) | |
324 -- If no trusted proxies were configured, trust any incoming connection | |
325 -- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1 | |
326 if trusted_networks:empty() then | |
327 return true; | |
328 end | |
329 | |
330 -- Iterate through all trusted proxies and check for match against connected IP address | |
331 local conn_ip = ip.new_ip(conn:ip()); | |
332 for trusted_network in trusted_networks:items() do | |
333 if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then | |
334 return true; | |
335 end | |
336 end | |
337 | |
338 -- Connection does not match any trusted proxy | |
339 return false; | |
340 end | |
341 | |
317 -- Network Listener Methods | 342 -- Network Listener Methods |
318 local listener = {}; | 343 local listener = {}; |
319 | 344 |
320 function listener.onconnect(conn) | 345 function listener.onconnect(conn) |
346 -- Check if connection is coming from a trusted proxy | |
347 if not is_trusted_proxy(conn) then | |
348 conn:close(); | |
349 module:log("warn", "Dropped connection from untrusted proxy: %s", conn:ip()); | |
350 return; | |
351 end | |
352 | |
353 -- Initialize session variables | |
321 sessions[conn] = { | 354 sessions[conn] = { |
322 handler = nil; | 355 handler = nil; |
323 buffer = nil; | 356 buffer = nil; |
324 }; | 357 }; |
325 end | 358 end |
386 sessions[conn] = nil; | 419 sessions[conn] = nil; |
387 end | 420 end |
388 | 421 |
389 listener.ondetach = listener.ondisconnect; | 422 listener.ondetach = listener.ondisconnect; |
390 | 423 |
424 -- Parse trusted proxies which can either contain single hosts or networks | |
425 if not config_trusted_proxies:empty() then | |
426 for trusted_proxy in config_trusted_proxies:items() do | |
427 local network = {}; | |
428 network.ip, network.cidr = ip.parse_cidr(trusted_proxy); | |
429 trusted_networks:add(network); | |
430 end | |
431 else | |
432 module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous"); | |
433 end | |
434 | |
391 -- Process all configured port mappings and generate a list of mapped ports | 435 -- Process all configured port mappings and generate a list of mapped ports |
392 local mapped_ports = {}; | 436 local mapped_ports = {}; |
393 local config_mappings = module:get_option("proxy_port_mappings", {}); | |
394 for port, mapping in pairs(config_mappings) do | 437 for port, mapping in pairs(config_mappings) do |
395 table.insert(mapped_ports, port); | 438 table.insert(mapped_ports, port); |
396 mappings[port] = { | 439 mappings[port] = { |
397 service_name = mapping, | 440 service_name = mapping, |
398 service = nil, | 441 service = nil, |
399 }; | 442 }; |
400 end | 443 end |
401 | 444 |
402 -- Log error message when user manually specifies ports without configuring the necessary port mappings | 445 -- Log error message when user manually specifies ports without configuring the necessary port mappings |
403 local config_ports = module:get_option_set("proxy_ports", {}); | |
404 if not config_ports:empty() then | 446 if not config_ports:empty() then |
405 local missing_ports = config_ports - set.new(mapped_ports); | 447 local missing_ports = config_ports - set.new(mapped_ports); |
406 if not missing_ports:empty() then | 448 if not missing_ports:empty() then |
407 module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports)); | 449 module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports)); |
408 end | 450 end |