Added CloudFlare auto-loading of trusted proxy IP addresses.

2024-08-15 19:50:44 +03:00 · 2020-12-10 13:56:15 -08:00 · 2020-12-10 13:56:15 -08:00 · 370d890b86
commit 370d890b86
parent 182d5fb295
3 changed files with 59 additions and 4 deletions
--- a/certoperations.js
+++ b/certoperations.js
@ -284,6 +284,26 @@ module.exports.CertificateOperations = function (parent) {
        return r;
    }

+    // Return a text file from a remote HTTPS server
+    obj.loadTextFile = function (url, tag, func) {
+        const u = require('url').parse(url);
+        if (u.protocol == 'https:') {
+            // Read from HTTPS
+            const https = require('https');
+            https.get(url, function(resp) {
+                var data = '';
+                resp.on('data', function(chunk) { data += chunk; });
+                resp.on('end', function () { func(url, data, tag); });
+                resp.on('error', function (chunk) { func(url, null, tag); });
+            }).on('error', function (err) { func(url, null, tag); });
+        } else if (u.protocol == 'file:') {
+            // Read a file
+            obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
+                func(url, err ? null : data, tag);
+            });
+        } else { func(url, null, tag); }
+    };
+
    // Return the certificate of the remote HTTPS server
    obj.loadCertificate = function (url, hostname, tag, func) {
        const u = require('url').parse(url);
@ -304,7 +324,7 @@ module.exports.CertificateOperations = function (parent) {
        } else if (u.protocol == 'file:') {
            // Read the certificate from a file
            obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
-                if (err) { func(url, null, tag); return; }
+                if (err) { func(url, null, hostname, tag); return; }
                var x1 = data.indexOf('-----BEGIN CERTIFICATE-----'), x2 = data.indexOf('-----END CERTIFICATE-----');
                if ((x1 >= 0) && (x2 > x1)) {
                    func(url, Buffer.from(data.substring(x1 + 27, x2), 'base64').toString('binary'), hostname, tag);
--- a/meshcentral.js
+++ b/meshcentral.js
@ -1325,8 +1325,36 @@ function CreateMeshCentralServer(config, args) {
            }
        }

+        // Update proxy certificates
        if (obj.supportsProxyCertificatesRequest == true) { obj.updateProxyCertificates(true); }
-        obj.StartEx4(); // Keep going
+
+        // Load CloudFlare trusted proxies list if needed
+        if ((obj.config.settings.trustedproxy != null) && (obj.config.settings.trustedproxy.toLowerCase() == 'cloudflare')) {
+            delete obj.args.trustedproxy;
+            delete obj.config.settings.trustedproxy;
+            obj.certificateOperations.loadTextFile('https://www.cloudflare.com/ips-v4', null, function (url, data, tag) {
+                if (data != null) {
+                    if (Array.isArray(obj.args.trustedproxy) == false) { obj.args.trustedproxy = []; }
+                    var ipranges = data.split('\n');
+                    for (var i in ipranges) { if (ipranges[i] != '') { obj.args.trustedproxy.push(ipranges[i]); } }
+                    obj.certificateOperations.loadTextFile('https://www.cloudflare.com/ips-v6', null, function (url, data, tag) {
+                        if (data != null) {
+                            var ipranges = data.split('\n');
+                            for (var i in ipranges) { if (ipranges[i] != '') { obj.args.trustedproxy.push(ipranges[i]); } }
+                            obj.config.settings.trustedproxy = obj.args.trustedproxy;
+                        } else {
+                            addServerWarning("Unable to load CloudFlare trusted proxy IPv6 address list.");
+                        }
+                        obj.StartEx4(); // Keep going
+                    });
+                } else {
+                    addServerWarning("Unable to load CloudFlare trusted proxy IPv4 address list.");
+                    obj.StartEx4(); // Keep going
+                }
+            });
+        } else {
+            obj.StartEx4(); // Keep going
+        }
    }

    // Start the server with the given certificates
--- a/webserver.js
+++ b/webserver.js
@ -4885,8 +4885,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
            if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; }
            if (
                (obj.args.trustedproxy === true) ||
-                ((typeof obj.args.trustedproxy == 'object') && (obj.args.trustedproxy.indexOf(ipex) >= 0)) ||
-                ((typeof obj.args.tlsoffload == 'object') && (obj.args.tlsoffload.indexOf(ipex) >= 0))
+                ((typeof obj.args.trustedproxy == 'object') && (isIPMatch(ipex, obj.args.trustedproxy))) ||
+                ((typeof obj.args.tlsoffload == 'object') && (isIPMatch(ipex, obj.args.tlsoffload)))
            ) {
                // Get client IP
                if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present
@ -6606,6 +6606,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        } catch (ex) { console.log(ex); func(fd, tag); }
    }

+    // Perform a IP match against a list
+    function isIPMatch(ip, matchList) {
+        const ipcheck = require('ipcheck');
+        for (var i in matchList) { if (ipcheck.match(ip, matchList[i]) == true) return true; }
+        return false;
+    }
+
    // This is the invalid login throttling code
    obj.badLoginTable = {};
    obj.badLoginTableLastClean = 0;