From 2a30d30d0a03fa699ba902df4ce376df92ddb36a Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Tue, 10 Sep 2013 16:11:35 -0500
Subject: [PATCH] Trust X-Forwarded-For from 127.0.0.1
---
 changelog | 4 ++++
 lib/api.js | 2 +-
 lib/server.js | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/changelog b/changelog
index c49bf5d3..0f96884a 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,7 @@
+Tue Sep 10 16:10 2013 CDT
+ * lib/server.js, lib/api.js: Implicitly trust X-Forwarded-For when the
+ source ip is 127.0.0.1
+
 Tue Sep 10 14:09 2013 CDT
 * lib/config.js, lib/server.js: Add a config key for the passphrase to the ssl key.
diff --git a/lib/api.js b/lib/api.js
index c461eca8..077ef1e3 100644
--- a/lib/api.js
+++ b/lib/api.js
@@ -19,7 +19,7 @@ module.exports = function (Server) {
 function getIP(req) {
 var raw = req.connection.remoteAddress;
 var forward = req.header("x-forwarded-for");
- if(Server.cfg["trust-x-forward"] && forward) {
+ if((Server.cfg["trust-x-forward"] || raw === "127.0.0.1") && forward) {
 var ip = forward.split(",")[0];
 Logger.syslog.log("REVPROXY " + raw + " => " + ip);
 return ip;
diff --git a/lib/server.js b/lib/server.js
index 3a44f1b1..f1680ee3 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -13,7 +13,7 @@ const VERSION = "2.4.2";
 function getIP(req) {
 var raw = req.connection.remoteAddress;
 var forward = req.header("x-forwarded-for");
- if(Server.cfg["trust-x-forward"] && forward) {
+ if((Server.cfg["trust-x-forward"] || raw === "127.0.0.1") && forward) {
 var ip = forward.split(",")[0];
 Logger.syslog.log("REVPROXY " + raw + " => " + ip);
 return ip;
@@ -23,7 +23,7 @@ function getIP(req) {
 function getSocketIP(socket) {
 var raw = socket.handshake.address.address;
- if(Server.cfg["trust-x-forward"]) {
+ if(Server.cfg["trust-x-forward"] || raw === "127.0.0.1") {
 if(typeof socket.handshake.headers["x-forwarded-for"] == "string") {
 var ip = socket.handshake.headers["x-forwarded-for"]
 .split(",")[0];
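Review bot: `forward.split(",")[0]` in getIP takes the leftmost X-Forwarded-For entry, which is the part a client can set itself whenever the local proxy appends to an incoming header instead of overwriting it; with the new `raw === "127.0.0.1"` trust, that value is now used as the client IP on every loopback connection regardless of configuration. Behind a single trusted proxy the entry that proxy added is the last one, so `var parts = forward.split(",");` followed by `var ip = parts[parts.length - 1].trim();` would be the safer read, and the `.trim()` also removes the space that normally follows the comma. The same selection is used by getIP and getSocketIP in lib/server.js. getIP's body continues past the end of this hunk.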
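Review bot: The added `|| raw === "127.0.0.1"` in getIP means that setting `trust-x-forward` to false no longer turns header trust off: any process that can reach the server over loopback decides which address is returned and written to the REVPROXY log line. If that is intended, a comment above the condition should say so, for example `// loopback peers are always treated as a trusted reverse proxy, even when trust-x-forward is off`. The condition is now written out three times (here, in lib/api.js, and in getSocketIP below), so a small shared helper would keep the three checks from drifting apart. The function continues outside the hunk.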
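Review bot: The exact comparison `raw === "127.0.0.1"` in getSocketIP matches only the IPv4 text form; if the server is ever bound to an IPv6 or dual-stack socket, a local proxy would presumably show up as `::1` or `::ffff:127.0.0.1`, the header would be silently ignored, and every proxied user would share the proxy's address. Comparing against the small set of loopback forms, e.g. `raw === "127.0.0.1" || raw === "::1" || raw === "::ffff:127.0.0.1"`, covers that case; the two getIP checks have the same limitation. The hunk ends inside the `var ip = …` statement, so the rest of getSocketIP is not visible here.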