coder · kylecarbs · Oct 23, 2022 · Oct 21, 2022 · Oct 23, 2022 · Oct 23, 2022
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -113,6 +113,16 @@ func newConfig() codersdk.DeploymentConfig {
 			Flag:  "pprof-address",
 			Value: "127.0.0.1:6060",
 		},
+		ProxyTrustedHeaders: codersdk.DeploymentConfigField[[]string]{
+			Key:   "proxy.trusted_headers",
+			Flag:  "proxy-trusted-headers",
+			Usage: "Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-IP True-Client-Ip, X-Forwarded-for",
+		},
+		ProxyTrustedOrigins: codersdk.DeploymentConfigField[[]string]{
+			Key:   "proxy.trusted_origins",
+			Flag:  "proxy-trusted-origins",
+			Usage: "Origin addresses to respect \"proxy-trusted-headers\". e.g. example.com",
+		},
 		CacheDirectory: codersdk.DeploymentConfigField[string]{
 			Key:   "cache_directory",
 			Usage: "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd.",

diff --git a/cli/server.go b/cli/server.go
@@ -57,6 +57,7 @@ import (
 	"github.com/coder/coder/coderd/devtunnel"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/prometheusmetrics"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/tracing"
@@ -325,6 +326,11 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 				}
 			}
 
+			realIPConfig, err := httpmw.ParseRealIPConfig(cfg.ProxyTrustedHeaders.Value, cfg.ProxyTrustedOrigins.Value)
+			if err != nil {
+				return xerrors.Errorf("parse real ip config: %w", err)
+			}
+
 			options := &coderd.Options{
 				AccessURL:                   accessURLParsed,
 				AppHostname:                 appHostname,
@@ -335,6 +341,7 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 				Pubsub:                      database.NewPubsubInMemory(),
 				CacheDir:                    cfg.CacheDirectory.Value,
 				GoogleTokenValidator:        googleTokenValidator,
+				RealIPConfig:                realIPConfig,
 				SecureAuthCookie:            cfg.SecureAuthCookie.Value,
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,

diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -230,8 +230,7 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 		}
 	}
 
-	host, _, _ := net.SplitHostPort(params.RemoteAddr)
-	ip := net.ParseIP(host)
+	ip := net.ParseIP(params.RemoteAddr)
 	if ip == nil {
 		ip = net.IPv4(0, 0, 0, 0)
 	}

diff --git a/coderd/audit.go b/coderd/audit.go
@@ -117,8 +117,7 @@ func (api *API) generateFakeAuditLog(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ipRaw, _, _ := net.SplitHostPort(r.RemoteAddr)
-	ip := net.ParseIP(ipRaw)
+	ip := net.ParseIP(r.RemoteAddr)
 	ipNet := pqtype.Inet{}
 	if ip != nil {
 		ipNet = pqtype.Inet{

diff --git a/coderd/audit/request.go b/coderd/audit/request.go
@@ -129,12 +129,8 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 			}
 		}
 
-		ip, err := parseIP(p.Request.RemoteAddr)
-		if err != nil {
-			p.Log.Warn(logCtx, "parse ip", slog.Error(err))
-		}
-
-		err = p.Audit.Export(ctx, database.AuditLog{
+		ip := parseIP(p.Request.RemoteAddr)
+		err := p.Audit.Export(ctx, database.AuditLog{
 			ID:               uuid.New(),
 			Time:             database.Now(),
 			UserID:           httpmw.APIKey(p.Request).UserID,
@@ -166,16 +162,8 @@ func either[T Auditable, R any](old, new T, fn func(T) R) R {
 	}
 }
 
-func parseIP(ipStr string) (pqtype.Inet, error) {
-	var err error
-
-	ipStr, _, err = net.SplitHostPort(ipStr)
-	if err != nil {
-		return pqtype.Inet{}, err
-	}
-
+func parseIP(ipStr string) pqtype.Inet {
 	ip := net.ParseIP(ipStr)
-
 	ipNet := net.IPNet{}
 	if ip != nil {
 		ipNet = net.IPNet{
@@ -187,5 +175,5 @@ func parseIP(ipStr string) (pqtype.Inet, error) {
 	return pqtype.Inet{
 		IPNet: ipNet,
 		Valid: ip != nil,
-	}, nil
+	}
 }
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -82,6 +82,7 @@ type Options struct {
 	Telemetry            telemetry.Reporter
 	TracerProvider       trace.TracerProvider
 	AutoImportTemplates  []AutoImportTemplate
+	RealIPConfig         *httpmw.RealIPConfig
 
 	// TLSCertificates is used to mesh DERP servers securely.
 	TLSCertificates    []tls.Certificate
@@ -198,6 +199,7 @@ func New(options *Options) *API {
 	r.Use(
 		httpmw.AttachRequestID,
 		httpmw.Recover(api.Logger),
+		httpmw.ExtractRealIP(api.RealIPConfig),
 		httpmw.Logger(api.Logger),
 		httpmw.Prometheus(options.PrometheusRegistry),
 		// handleSubdomainApplications checks if the first subdomain is a valid

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -57,6 +57,7 @@ import (
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/util/ptr"
@@ -77,6 +78,7 @@ type Options struct {
 	Experimental         bool
 	AzureCertificates    x509.VerifyOptions
 	GithubOAuth2Config   *coderd.GithubOAuth2Config
+	RealIPConfig         *httpmw.RealIPConfig
 	OIDCConfig           *coderd.OIDCConfig
 	GoogleTokenValidator *idtoken.Validator
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
@@ -238,6 +240,7 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 			AWSCertificates:      options.AWSCertificates,
 			AzureCertificates:    options.AzureCertificates,
 			GithubOAuth2Config:   options.GithubOAuth2Config,
+			RealIPConfig:         options.RealIPConfig,
 			OIDCConfig:           options.OIDCConfig,
 			GoogleTokenValidator: options.GoogleTokenValidator,
 			SSHKeygenAlgorithm:   options.SSHKeygenAlgorithm,

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -250,8 +250,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// Only update LastUsed once an hour to prevent database spam.
 			if now.Sub(key.LastUsed) > time.Hour {
 				key.LastUsed = now
-				host, _, _ := net.SplitHostPort(r.RemoteAddr)
-				remoteIP := net.ParseIP(host)
+				remoteIP := net.ParseIP(r.RemoteAddr)
 				if remoteIP == nil {
 					remoteIP = net.IPv4(0, 0, 0, 0)
 				}

diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -512,7 +512,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 			user       = createUser(r.Context(), t, db)
 		)
-		r.RemoteAddr = "1.1.1.1:3555"
+		r.RemoteAddr = "1.1.1.1"
 		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))
 
 		_, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{

diff --git a/coderd/httpmw/realip.go b/coderd/httpmw/realip.go
@@ -0,0 +1,225 @@
+package httpmw
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/coderd/httpapi"
+)
+
+const (
+	headerXForwardedFor   string = "X-Forwarded-For"
+	headerXForwardedProto string = "X-Forwarded-Proto"
+)
+
+// RealIPConfig configures the search order for the function, which controls
+// which headers to consider trusted.
+type RealIPConfig struct {
+	// TrustedOrigins is a list of networks that will be trusted. If
+	// any non-trusted address supplies these headers, they will be
+	// ignored.
+	TrustedOrigins []*net.IPNet
+
+	// TrustedHeaders lists headers that are trusted for forwarding
+	// IP addresses. e.g. "CF-Connecting-IP", "True-Client-IP", etc.
+	TrustedHeaders []string
+}
+
+// ExtractRealIP is a middleware that uses headers from reverse proxies to
+// propagate origin IP address information, when configured to do so.
+func ExtractRealIP(config *RealIPConfig) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			// Preserve the original TLS connection state and RemoteAddr
+			req = req.WithContext(context.WithValue(req.Context(), ctxKey{}, &RealIPState{
+				Config:             config,
+				OriginalRemoteAddr: req.RemoteAddr,
+			}))
+
+			info, err := ExtractRealIPAddress(config, req)
+			if err != nil {
+				httpapi.InternalServerError(w, err)
+				return
+			}
+			req.RemoteAddr = info.String()
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}
+
+// ExtractRealIPAddress returns the original client address according to the
+// configuration and headers. It does not mutate the original request.
+func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP, error) {
+	if config == nil {
+		config = &RealIPConfig{}
+	}
+
+	cf := isContainedIn(config.TrustedOrigins, getRemoteAddress(req.RemoteAddr))
+	if !cf {
+		// Address is not valid or the origin is not trusted; use the
+		// original address
+		return getRemoteAddress(req.RemoteAddr), nil
+	}
+
+	for _, trustedHeader := range config.TrustedHeaders {
+		addr := getRemoteAddress(req.Header.Get(trustedHeader))
+		if addr != nil {
+			return addr, nil
+		}
+	}
+
+	return getRemoteAddress(req.RemoteAddr), nil
+}
+
+// FilterUntrustedOriginHeaders removes all known proxy headers from the
+// request for untrusted origins, and ensures that only one copy
+// of each proxy header is set.
+func FilterUntrustedOriginHeaders(config *RealIPConfig, req *http.Request) {
+	if config == nil {
+		config = &RealIPConfig{}
+	}
+
+	cf := isContainedIn(config.TrustedOrigins, getRemoteAddress(req.RemoteAddr))
+	if !cf {
+		// Address is not valid or the origin is not trusted; clear
+		// all known proxy headers and return
+		for _, header := range config.TrustedHeaders {
+			req.Header.Del(header)
+		}
+		return
+	}
+
+	for _, header := range config.TrustedHeaders {
+		req.Header.Set(header, req.Header.Get(header))
+	}
+}
+
+// EnsureXForwardedForHeader ensures that the request has an X-Forwarded-For
+// header. It uses the following logic:
+//
+//  1. If we have a direct connection (remoteAddr == proxyAddr), then
+//     set it to remoteAddr
+//  2. If we have a proxied connection (remoteAddr != proxyAddr) and
+//     X-Forwarded-For doesn't begin with remoteAddr, then overwrite
+//     it with remoteAddr,proxyAddr
+//  3. If we have a proxied connection (remoteAddr != proxyAddr) and
+//     X-Forwarded-For begins with remoteAddr, then append proxyAddr
+//     to the original X-Forwarded-For header
+//  4. If X-Forwarded-Proto is not set, then it will be set to "https"
+//     if req.TLS != nil, otherwise it will be set to "http"
+func EnsureXForwardedForHeader(req *http.Request) error {
+	state := RealIP(req.Context())
+	if state == nil {
+		return xerrors.New("request does not contain realip.State; was it processed by httpmw.ExtractRealIP?")
+	}
+
+	remoteAddr := getRemoteAddress(req.RemoteAddr)
+	if remoteAddr == nil {
+		return xerrors.Errorf("failed to parse remote address: %s", remoteAddr)
+	}
+
+	proxyAddr := getRemoteAddress(state.OriginalRemoteAddr)
+	if proxyAddr == nil {
+		return xerrors.Errorf("failed to parse original address: %s", proxyAddr)
+	}
+
+	if remoteAddr.Equal(proxyAddr) {
+		req.Header.Set(headerXForwardedFor, remoteAddr.String())
+	} else {
+		forwarded := req.Header.Get(headerXForwardedFor)
+		if forwarded == "" || !remoteAddr.Equal(getRemoteAddress(forwarded)) {
+			req.Header.Set(headerXForwardedFor, remoteAddr.String()+","+proxyAddr.String())
+		} else {
+			req.Header.Set(headerXForwardedFor, forwarded+","+proxyAddr.String())
+		}
+	}
+
+	if req.Header.Get(headerXForwardedProto) == "" {
+		if req.TLS != nil {
+			req.Header.Set(headerXForwardedProto, "https")
+		} else {
+			req.Header.Set(headerXForwardedProto, "http")
+		}
+	}
+
+	return nil
+}
+
+// getRemoteAddress extracts the IP address from the given string. If
+// the string contains commas, it assumes that the first part is the
+// original address.
+func getRemoteAddress(address string) net.IP {
+	// X-Forwarded-For may contain multiple addresses, in case the
+	// proxies are chained; the first value is the client address
+	i := strings.IndexByte(address, ',')
+	if i == -1 {
+		i = len(address)
+	}
+
+	// If the address contains a port, remove it
+	firstAddress := address[:i]
+	host, _, err := net.SplitHostPort(firstAddress)
+	if err != nil {
+		// This will error if there is no port, so try to parse the address
+		return net.ParseIP(firstAddress)
+	}
+	return net.ParseIP(host)
+}
+
+// isContainedIn checks that the given address is contained in the given
+// network.
+func isContainedIn(networks []*net.IPNet, address net.IP) bool {
+	for _, network := range networks {
+		if network.Contains(address) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// RealIPState is the original state prior to modification by this middleware,
+// useful for getting information about the connecting client if needed.
+type RealIPState struct {
+	// Config is the configuration applied in the middleware. Consider
+	// this read-only and do not modify.
+	Config *RealIPConfig
+
+	// OriginalRemoteAddr is the original RemoteAddr for the request.
+	OriginalRemoteAddr string
+}
+
+type ctxKey struct{}
+
+// FromContext retrieves the state from the given context.Context.
+func RealIP(ctx context.Context) *RealIPState {
+	state, ok := ctx.Value(ctxKey{}).(*RealIPState)
+	if !ok {
+		return nil
+	}
+	return state
+}
+
+// ParseRealIPConfig takes a raw string array of headers and origins
+// to produce a config.
+func ParseRealIPConfig(headers, origins []string) (*RealIPConfig, error) {
+	config := &RealIPConfig{}
+	for _, origin := range origins {
+		_, network, err := net.ParseCIDR(origin)
+		if err != nil {
+			return nil, xerrors.Errorf("parse proxy origin %q: %w", origin, err)
+		}
+		config.TrustedOrigins = append(config.TrustedOrigins, network)
+	}
+	for index, header := range headers {
+		headers[index] = http.CanonicalHeaderKey(header)
+	}
+	config.TrustedHeaders = headers
+
+	return config, nil
+}