Merge pull request from GHSA-4w53-6jvp-gg52
* feat: Add support for allowed proxy addresses

This commit adds support for allowed proxy addresses, which allows only connections from these IP ranges to send a proxy header based on the PROXY protocol. If the allowed proxy addresses are empty, the PROXY protocol support is disabled.

* Update cmd/sshpiperd/main.go

Co-authored-by: Peter G <97112726+pgibson1-godaddy@users.noreply.github.com>

---------

Co-authored-by: Peter G <97112726+pgibson1-godaddy@users.noreply.github.com>
tg123 and pgibson1-godaddy authored May 9, 2024
1 parent eff7d1a commit 70fb830
Showing 1 changed file with 16 additions and 1 deletion.
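--- a/cmd/sshpiperd/main.go
+++ b/cmd/sshpiperd/main.go
@@ -160,6 +160,11 @@ func main() {
 Usage: "filter out hostkeys-00@openssh.com which cause client side warnings",
 EnvVars: []string{"SSHPIPERD_DROP_HOSTKEYS_MESSAGE"},
 },
+&cli.StringSliceFlag{
+Name: "allowed-proxy-addresses",
+Value: cli.NewStringSlice(),
+Usage: "allowed proxy addresses, only connections from these ip ranges are allowed to send a proxy header based on the PROXY protocol, empty will disable the PROXY protocol support",
+},
 },
 Action: func(ctx *cli.Context) error {
 level, err := log.ParseLevel(ctx.String("log-level"))
@@ -185,7 +190,17 @@ func main() {
 }
 
 quit := make(chan error)
-d.lis = &proxyproto.Listener{Listener: d.lis}
+
+allowedproxyaddresses := ctx.StringSlice("allowed-proxy-addresses")
+
+if len(allowedproxyaddresses) > 0 {
+proxypolicy, err := proxyproto.LaxWhiteListPolicy(allowedproxyaddresses)
+if err != nil {
+return err
+}
+
+d.lis = &proxyproto.Listener{Listener: d.lis, Policy: proxypolicy}
+}
 
 var plugins []*plugin.GrpcPlugin
 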
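Review bot: The new `allowed-proxy-addresses` flag in the first hunk has no `EnvVars` entry, unlike the flag just above it, which reads `SSHPIPERD_DROP_HOSTKEYS_MESSAGE`. Since the second hunk leaves the listener unwrapped when the list is empty, a deployment configured only through environment variables has no way to turn PROXY protocol handling back on after upgrading. Adding something like `EnvVars: []string{"SSHPIPERD_ALLOWED_PROXY_ADDRESSES"},` (name chosen to follow the existing prefix) would close that gap. It would also help operators if the `if len(allowedproxyaddresses) > 0` branch logged at startup that a proxy policy is active and for which ranges, and if the `Usage` text noted that an over-broad range brings back trust in client-supplied headers. `main` begins and ends outside both hunks.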
