Mirrors/Radarr
1
0
Fork 0
mirror of https://github.com/Radarr/Radarr.git synced 2024-08-18 16:29:41 +02:00
Code Issues Releases Wiki Activity

Log Real IP on Authentication failure in case of a reverse proxy

Browse Source 
closes #3711
This commit is contained in:
Taloth Saldono 2020-04-27 23:58:35 +02:00 committed by Qstick
parent e8018b7959
commit 7afea3df90
3 changed files with 76 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/NzbDrone.Common/Extensions/IpAddressExtensions.cs
View File

@ -1,29 +1,40 @@
using System.Net; using System.Net;
using System.Net.Sockets;
namespace NzbDrone.Common.Extensions namespace NzbDrone.Common.Extensions
{ {
public static class IPAddressExtensions public static class IPAddressExtensions
{ {
public static bool IsLocalAddress(this IPAddress ipAddress) public static bool IsLocalAddress(this IPAddress ipAddress)
{ {
if (ipAddress.ToString() == "::1") if (ipAddress.IsIPv6LinkLocal)
{ {
return true; return true;
} }
byte[] bytes = ipAddress.GetAddressBytes(); if (IPAddress.IsLoopback(ipAddress))
switch (bytes[0])
{ {
case 10: return true;
case 127:
return true;
case 172:
return bytes[1] < 32 && bytes[1] >= 16;
case 192:
return bytes[1] == 168;
default:
return false;
} }
if (ipAddress.AddressFamily == AddressFamily.InterNetwork)
{
byte[] bytes = ipAddress.GetAddressBytes();
switch (bytes[0])
{
case 10:
case 127:
return true;
case 172:
return bytes[1] < 32 && bytes[1] >= 16;
case 192:
return bytes[1] == 168;
default:
return false;
}
}
return false;
} }
} }
} }

2
src/NzbDrone.Core/Security/X509CertificateValidationService.cs
View File

@ -50,7 +50,7 @@ private bool ShouldByPassValidationError(object sender, X509Certificate certific
} }
if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses && if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress())) ipAddresses.All(i => i.IsLocalAddress()))
{ {
return true; return true;
} }

56
src/Radarr.Http/Authentication/AuthenticationService.cs
View File

@ -1,5 +1,6 @@
using System; using System;
using System.Linq; using System.Linq;
using System.Net;
using System.Security.Claims; using System.Security.Claims;
using System.Security.Principal; using System.Security.Principal;
using Nancy; using Nancy;
@ -208,27 +209,70 @@ private string GetApiKey(NancyContext context)
public void LogUnauthorized(NancyContext context) public void LogUnauthorized(NancyContext context)
{ {
_authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", context.Request.UserHostAddress, context.Request.Url.ToString()); _authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", GetRemoteIP(context), context.Request.Url.ToString());
} }
private void LogInvalidated(NancyContext context) private void LogInvalidated(NancyContext context)
{ {
_authLogger.Info("Auth-Invalidated ip {0}", context.Request.UserHostAddress); _authLogger.Info("Auth-Invalidated ip {0}", GetRemoteIP(context));
} }
private void LogFailure(NancyContext context, string username) private void LogFailure(NancyContext context, string username)
{ {
_authLogger.Warn("Auth-Failure ip {0} username '{1}'", context.Request.UserHostAddress, username); _authLogger.Warn("Auth-Failure ip {0} username '{1}'", GetRemoteIP(context), username);
} }
private void LogSuccess(NancyContext context, string username) private void LogSuccess(NancyContext context, string username)
{ {
_authLogger.Info("Auth-Success ip {0} username '{1}'", context.Request.UserHostAddress, username); _authLogger.Info("Auth-Success ip {0} username '{1}'", GetRemoteIP(context), username);
} }
private void LogLogout(NancyContext context, string username) private void LogLogout(NancyContext context, string username)
{ {
_authLogger.Info("Auth-Logout ip {0} username '{1}'", context.Request.UserHostAddress, username); _authLogger.Info("Auth-Logout ip {0} username '{1}'", GetRemoteIP(context), username);
}
private string GetRemoteIP(NancyContext context)
{
if (context == null || context.Request == null)
{
return "Unknown";
}
var remoteAddress = context.Request.UserHostAddress;
IPAddress remoteIP;
// Only check if forwarded by a local network reverse proxy
if (IPAddress.TryParse(remoteAddress, out remoteIP) && remoteIP.IsLocalAddress())
{
var realIPHeader = context.Request.Headers["X-Real-IP"];
if (realIPHeader.Any())
{
return realIPHeader.First().ToString();
}
var forwardedForHeader = context.Request.Headers["X-Forwarded-For"];
if (forwardedForHeader.Any())
{
// Get the first address that was forwarded by a local IP to prevent remote clients faking another proxy
foreach (var forwardedForAddress in forwardedForHeader.SelectMany(v => v.Split(',')).Select(v => v.Trim()).Reverse())
{
if (!IPAddress.TryParse(forwardedForAddress, out remoteIP))
{
return remoteAddress;
}
if (!remoteIP.IsLocalAddress())
{
return forwardedForAddress;
}
remoteAddress = forwardedForAddress;
}
}
}
return remoteAddress;
} }
} }
} }