-rw-r--r--CHANGES1
-rw-r--r--plugins/mod_http.lua21
2 files changed, 21 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 4233488a..b91aced8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -42,6 +42,7 @@ TRUNK
- mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy
- Ability to use SQLite3 storage using LuaSQLite3 instead of LuaDBI
- Moved all modules into the Lua namespace `prosody.`
+- Forwarded header from RFC 7239 supported
## Removed
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index b7912019..edf220a8 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -15,7 +15,8 @@ local portmanager = require "prosody.core.portmanager";
local moduleapi = require "prosody.core.moduleapi";
local url_parse = require "socket.url".parse;
local url_build = require "socket.url".build;
-local normalize_path = require "prosody.util.http".normalize_path;
+local http_util = require "prosody.util.http";
+local normalize_path = http_util.normalize_path;
local set = require "prosody.util.set";
local array = require "util.array";
@@ -319,6 +320,24 @@ end
local function get_forwarded_connection_info(request) --> ip:string, secure:boolean
local ip = request.ip;
local secure = request.secure; -- set by net.http.server
+
+ local forwarded = http_util.parse_forwarded(request.headers.forwarded);
+ if forwarded then
+ request.forwarded = forwarded;
+ for i = #forwarded, 1, -1 do
+ local proxy = forwarded[i]
+ if is_trusted_proxy(ip) then
+ ip = normal_ip(proxy["for"]);
+ secure = secure and proxy.proto == "https";
+ else
+ break
+ end
+ end
+
+ -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible.
+ return ip, secure;
+ end
+
local forwarded_for = request.headers.x_forwarded_for;
if forwarded_for then
-- luacheck: ignore 631
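Review bot: The new branch in get_forwarded_connection_info prefers Forwarded over X-Forwarded-For merely because the request carries that header, so behind a trusted proxy that only maintains X-Forwarded-* and passes a client-supplied Forwarded through untouched, the rightmost element the loop accepts would be client-chosen. That deployment requirement should be stated next to the existing comment before the early return, e.g. `-- NOTE: a trusted proxy must overwrite or strip Forwarded; a passed-through value would be taken as the client address.`, or the branch gated on an operator setting that names which header the proxy manages. Separately, RFC 7239 allows an element to omit `for` or to carry `unknown` or an obfuscated `_token`, so `normal_ip(proxy["for"])` can receive nil or a non-address (how normal_ip handles that is not visible here); a guard such as `if not proxy["for"] then break end` before assigning `ip` would keep the last verified address. The function body continues past the end of this hunk.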