sendnrw/rdpgw
2
0
Fork 0
mirror of https://github.com/bolkedebruin/rdpgw.git synced 2026-05-17 05:40:18 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
13323f56cbc3879fe70cc9678efecf8411e9e719
rdpgw/CHANGELOG.md
bolkedebruin 13323f56cb Honor X-Forwarded-For only from a trusted-proxy CIDR (#189) 
EnrichContext used to copy the first X-Forwarded-For entry into the
request identity unconditionally. The resulting AttrClientIp drives
client-IP comparisons later in the gateway-access flow, and a direct
caller could set XFF to anything they liked.

Add a small package-level allow-list:

* InitTrustedProxies(cidrs) parses operator-supplied CIDRs once at
  startup. A bad CIDR is fatal, an empty list disables XFF entirely.
* EnrichContext takes the client IP from r.RemoteAddr (host portion)
  and only swaps in the first X-Forwarded-For entry when r.RemoteAddr
  itself sits in a trusted-proxy CIDR. AttrProxies is set from the
  remaining XFF entries on the same condition.

Wire Server.TrustedProxies through configuration.go to web.
2026-04-30 18:47:46 +02:00

31 lines
1.4 KiB
Markdown
Raw Blame History

# Changelog
All user-visible changes to rdpgw will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Changed
- `X-Forwarded-For` is now honored only when the request arrives from
a `Server.TrustedProxies` CIDR. The default `Server.TrustedProxies`
is empty, so by default the request's `RemoteAddr` (host portion) is
the source of `AttrClientIp`. See [UPGRADING.md](UPGRADING.md) if
your deployment relies on a fronting proxy stamping XFF.
- `server.hostselection: any` now refuses destinations that resolve to
loopback, RFC1918, link-local, IPv6 ULA, unspecified, or multicast
addresses, and only forwards to ports in `Server.AllowedDestinationPorts`
(default `[3389]`). Operators that need the old behavior can opt back in
with `Server.AllowPrivateDestinations: true` and an extended port list.
See [UPGRADING.md](UPGRADING.md) for migration notes. The other
host-selection modes (`roundrobin`, `signed`, `unsigned`) already used
the operator-curated `Server.Hosts` list and are unaffected.
### Added
- `Server.TrustedProxies` (`[]string`, CIDR, default empty).
- `Server.AllowedDestinationPorts` (`[]int`, default `[3389]`).
- `Server.AllowPrivateDestinations` (`bool`, default `false`).
Reference in New Issue View Git Blame Copy Permalink