diff --git a/cmd/webserver/ipranges.go b/cmd/webserver/ipranges.go
new file mode 100644
index 0000000..669328a
--- /dev/null
+++ b/cmd/webserver/ipranges.go
@@ -0,0 +1,20 @@
+package main
+
+var IpRanges = []string{
+ // Cloudflare:
+ "173.245.48.0/20",
+ "103.21.244.0/22",
+ "103.22.200.0/22",
+ "103.31.4.0/22",
+ "141.101.64.0/18",
+ "108.162.192.0/18",
+ "190.93.240.0/20",
+ "188.114.96.0/20",
+ "197.234.240.0/22",
+ "198.41.128.0/17",
+ "162.158.0.0/15",
+ "104.16.0.0/13",
+ "104.24.0.0/14",
+ "172.64.0.0/13",
+ "131.0.72.0/22",
+}
diff --git a/cmd/webserver/webserver.go b/cmd/webserver/webserver.go
index 56f23fd..75f3a8d 100644
--- a/cmd/webserver/webserver.go
+++ b/cmd/webserver/webserver.go
@@ -11,9 +11,11 @@ import (
 "github.com/labstack/gommon/log"
 "github.com/nats-io/nats.go"
 "golang.org/x/time/rate"
+ "net"
 "net/http"
 "os"
 "os/signal"
+ "slices"
 "time"
 )
@@ -50,6 +52,16 @@ func main() {
 e.Use(middleware.Logger())
 e.Use(middleware.Recover())
+ var trustOptions []echo.TrustOption
+ for _, ipRange := range slices.Concat(IpRanges, cfg.TrustedIpRanges) {
+ _, network, err := net.ParseCIDR(ipRange)
+ if err != nil {
+ log.Panicf("Invalid ip range: %s", ipRange)
+ }
+ trustOptions = append(trustOptions, echo.TrustIPRange(network))
+ }
+ e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOptions...)
+
 e.StaticFS("/", echo.MustSubFS(wizard_vue.EmbedFS, wizard_vue.FSPrefix))
 apiHandler := httpApi.New(
diff --git a/internal/config/config.go b/internal/config/config.go
index d14e3db..ca8f803 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
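Review bot: `IpRanges` is an undated, IPv4-only snapshot of Cloudflare's edge ranges with no note of where it came from, so nobody will know when it is stale; Cloudflare also publishes IPv6 ranges, and if the origin is reachable over IPv6 an edge connecting from a v6 address will not match, X-Forwarded-For will be ignored for it, and the rate limiter would key on the edge address rather than the client. Record the provenance above the list, e.g. `// Cloudflare edge ranges (IPv4 only) as published at https://www.cloudflare.com/ips/ — static snapshot, re-check when Cloudflare announces changes`, and either add the published IPv6 ranges or state why they are deliberately left out. The slice is only consumed inside package main, so it could also be unexported with the Go initialism form, `var cloudflareIPRanges = []string{`.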
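Review bot: `echo.ExtractIPFromXFFHeader(trustOptions...)` only adds the explicit ranges; as far as I recall echo's checker also trusts loopback, link-local and private networks by default, so any peer that reaches the origin from a private address (a sidecar, another service on the same network, a misrouted internal client) can set X-Forwarded-For and pick the IP the rate limiter sees. If that is not intended, turn it off explicitly, `e.IPExtractor = echo.ExtractIPFromXFFHeader(append(trustOptions, echo.TrustPrivateNet(false))...)`, and put a comment above the loop stating exactly which peers are trusted to speak for the client, e.g. `// Only Cloudflare edges and TRUSTED_IP_RANGES may supply X-Forwarded-For; everything else is taken at its connection address`. The `log.Panicf` on a malformed CIDR is reasonable for the built-in list, and `cfg.TrustedIpRanges` is already validated as `cidr` in config, so a failure here really is a programming error. main starts and ends outside this hunk.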
@@ -21,6 +21,8 @@ type Config struct {
 // Rate limits don't apply to cache
 RateLimitEvery float64 `env:"RATE_LIMIT_EVERY" env-default:"60" validate:"number,gt=0"`
 RateLimitBurst int `env:"RATE_LIMIT_BURST" env-default:"10" validate:"number,gte=0"`
+ // IP ranges of reverse proxies for correct real ip detection (cidr format, sep. by comma)
+ TrustedIpRanges []string `env:"TRUSTED_IP_RANGES" env-default:"" validate:"omitempty,dive,cidr"`
 }
 func Read() (Config, error) {
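Review bot: The comment on `TrustedIpRanges` describes the format but not the security consequence of the setting, which is the thing an operator needs before putting a range in it: every peer inside these CIDRs is allowed to assert the client IP via X-Forwarded-For, so a too-wide range (a whole VPC, or `0.0.0.0/0`) lets anyone bypass the per-IP rate limit defined just above. Replace the comment with something like `// Extra reverse-proxy CIDRs (comma-separated) whose X-Forwarded-For is trusted for client IP detection; peers in these ranges can choose the IP seen by rate limiting, so list only proxies you control` and, since `env-default:""` is relied on to mean "no extra ranges", it is worth a test that the empty value yields an empty slice rather than one empty string that would fail the `cidr` validator. For naming, Go keeps initialisms uppercase, so `TrustedIPRanges` would match `net` / echo conventions, though that is a style point and changes the field name used by the webserver hunk.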