mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-12 19:30:04 +00:00
449cd1e2fe
The `roundrobin`, `signed`, and `unsigned` host-selection modes route
requests against an operator-curated `Server.Hosts` list. The `any`
mode does not -- it forwards to whatever `?host=` value the request
carries, which makes the gateway usable as a generic TCP relay
against whatever the gateway can reach (loopback, RFC1918, link-local,
the cloud metadata service, arbitrary high-numbered ports on public
hosts).
Add a small destination policy applied only in `any` mode:
* Reject hosts that resolve to loopback, RFC1918, IPv6 ULA,
link-local, unspecified, or multicast addresses. Operators can opt
back in with `Server.AllowPrivateDestinations: true`.
* Restrict the destination port to `Server.AllowedDestinationPorts`
(default {3389}).
The other host-selection modes are unaffected -- the operator already
curates their hosts list.
The DestinationPolicy zero value is the secure default, so direct
&Handler{} constructions in tests still get the expected behavior.
DNS names are resolved at validation time and every returned address
is checked.
986 B
986 B
Changelog
All user-visible changes to rdpgw will be documented in this file.
The format is based on Keep a Changelog, and the project adheres to Semantic Versioning.
[Unreleased]
Changed
server.hostselection: anynow refuses destinations that resolve to loopback, RFC1918, link-local, IPv6 ULA, unspecified, or multicast addresses, and only forwards to ports inServer.AllowedDestinationPorts(default[3389]). Operators that need the old behavior can opt back in withServer.AllowPrivateDestinations: trueand an extended port list. See UPGRADING.md for migration notes. The other host-selection modes (roundrobin,signed,unsigned) already used the operator-curatedServer.Hostslist and are unaffected.
Added
Server.AllowedDestinationPorts([]int, default[3389]).Server.AllowPrivateDestinations(bool, defaultfalse).