Diffstat (limited to 'internal/sshd/sshd.go')
-rw-r--r-- | internal/sshd/sshd.go | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/internal/sshd/sshd.go b/internal/sshd/sshd.go
index b08b386..d20286a 100644
--- a/internal/sshd/sshd.go
+++ b/internal/sshd/sshd.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pires/go-proxyproto"
+	proxyproto "github.com/pires/go-proxyproto"
 	"golang.org/x/crypto/ssh"
 
 	"gitlab.com/gitlab-org/gitlab-shell/v14/client"
@@ -95,9 +95,14 @@ func (s *Server) listen(ctx context.Context) error {
 	}
 
 	if s.Config.Server.ProxyProtocol {
+		policy, err := s.proxyPolicy()
+		if err != nil {
+			return fmt.Errorf("invalid policy configuration: %w", err)
+		}
+
 		sshListener = &proxyproto.Listener{
 			Listener: sshListener,
-			Policy: s.requirePolicy,
+			Policy: policy,
 			ReadHeaderTimeout: time.Duration(s.Config.Server.ProxyHeaderTimeout),
 		}
 
@@ -200,17 +205,27 @@ func (s *Server) handleConn(ctx context.Context, nconn net.Conn) {
 	})
 }
 
-func (s *Server) requirePolicy(_ net.Addr) (proxyproto.Policy, error) {
+func (s *Server) proxyPolicy() (proxyproto.PolicyFunc, error) {
+	if len(s.Config.Server.ProxyAllowed) > 0 {
+		return proxyproto.StrictWhiteListPolicy(s.Config.Server.ProxyAllowed)
+	}
+
 	// Set the Policy value based on config
 	// Values are taken from https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
 	switch strings.ToLower(s.Config.Server.ProxyPolicy) {
 	case "require":
-		return proxyproto.REQUIRE, nil
+		return staticProxyPolicy(proxyproto.REQUIRE), nil
 	case "ignore":
-		return proxyproto.IGNORE, nil
+		return staticProxyPolicy(proxyproto.IGNORE), nil
 	case "reject":
-		return proxyproto.REJECT, nil
+		return staticProxyPolicy(proxyproto.REJECT), nil
 	default:
-		return proxyproto.USE, nil
+		return staticProxyPolicy(proxyproto.USE), nil
+	}
+}
+
+func staticProxyPolicy(policy proxyproto.Policy) proxyproto.PolicyFunc {
+	return func(_ net.Addr) (proxyproto.Policy, error) {
+		return policy, nil
 	}
 }
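Review bot: In listen, the new `if err != nil { return ... }` runs after sshListener has already been opened earlier in the function (outside this hunk); unless a deferred Close covers that path, a bad proxy policy now returns with the listening socket still open. Since proxyPolicy only reads s.Config, `policy, err := s.proxyPolicy()` can be evaluated before the bind so that a misconfiguration fails before any port is opened, or sshListener should be closed on this return. The enclosing function listen starts outside the hunk, so whether a defer already handles this cannot be confirmed here.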
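Review bot: The default branch of the switch in proxyPolicy still maps any unrecognised ProxyPolicy value (a typo such as "requried") to proxyproto.USE, which trusts a PROXY header from any peer; now that the function returns an error, an unknown non-empty value should be rejected rather than silently widening trust: `default:` / `if p := s.Config.Server.ProxyPolicy; p != "" { return nil, fmt.Errorf("unknown proxy policy %q", p) }` / `return staticProxyPolicy(proxyproto.USE), nil`, keeping the empty-string case on USE for compatibility. The early return when ProxyAllowed is non-empty also means ProxyPolicy is never consulted in that configuration, which deserves a comment on that branch, e.g. `// ProxyAllowed takes precedence over ProxyPolicy: listed sources get REQUIRE, all others REJECT (proxyproto.StrictWhiteListPolicy).` The returned error from StrictWhiteListPolicy presumably comes from unparseable allow-list entries; the wrapping message in listen ("invalid policy configuration") covers that case adequately.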