From 4b60587e758ebc7f76137ec34139737ff3564902 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sat, 27 Feb 2021 21:37:56 +0100
Subject: mod_http: Consolidate handling of proxied connection details

Trying to move everything relating to proxies and X-Forwarded-Foo into a
single place.
---
 plugins/mod_http.lua | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index d81f4ab7..682d5ae3 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -259,10 +259,11 @@ local function is_trusted_proxy(ip)
 	return false
 end
 
-local function get_ip_from_request(request)
+local function get_forwarded_connection_info(request) --> ip:string, secure:boolean
 	local ip = request.ip;
+	local secure = request.secure; -- set by net.http.server
 	local forwarded_for = request.headers.x_forwarded_for;
-	if forwarded_for and is_trusted_proxy(ip) then
+	if forwarded_for then
 		-- luacheck: ignore 631
 		-- This logic looks weird at first, but it makes sense.
 		-- The for loop will take the last non-trusted-proxy IP from `forwarded_for`.
@@ -278,18 +279,17 @@ local function get_ip_from_request(request)
 			end
 		end
 	end
-	return ip;
+
+	secure = secure or request.headers.x_forwarded_proto == "https";
+
+	return ip, secure;
 end
 
 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
 	local request = event_data.request;
-	if request then
+	if request and is_trusted_proxy(request.ip) then
 		-- Not included in eg http-error events
-		request.ip = get_ip_from_request(request);
-
-		if not request.secure and request.headers.x_forwarded_proto == "https" and is_trusted_proxy(request.conn:ip()) then
-			request.secure = true;
-		end
+		request.ip, request.secure = get_forwarded_connection_info(request);
 	end
 	return handlers(event_name, event_data);
 end);
-- 
cgit v1.2.3