a4d89036ec
* fix: handle Unix socket RemoteAddr in IP resolution When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@" instead of the usual "host:port" format. This caused net.SplitHostPort to fail on every request, flooding logs with errors: Error obtaining real IP for trusted IP list: unable to get ip and port from http.RemoteAddr (@) Fix by handling the "@" RemoteAddr at the source in getRemoteIP, returning nil without error since Unix sockets have no meaningful client IP. Also simplify the isTrustedIP guard and add a nil check in GetClientString to prevent calling String() on nil net.IP. Fixes #3373 Signed-off-by: h1net <ben@freshdevs.com> * docs: add changelog entry and Unix socket trusted IPs documentation Add changelog entry for #3374. Document that trusted IPs cannot match against RemoteAddr for Unix socket listeners since Go sets it to "@", and that IP-based trust still works via X-Forwarded-For with reverse-proxy. Signed-off-by: Ben Newbery <ben.newbery@gmail.com> Signed-off-by: h1net <ben@freshdevs.com> * doc: fix changelog entry for #3374 Signed-off-by: Jan Larwig <jan@larwig.com> * doc: add trusted ip a section to versioned docs as well Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: h1net <ben@freshdevs.com> Signed-off-by: Ben Newbery <ben.newbery@gmail.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com> |
||
|---|---|---|
| .. | ||
| apis | ||
| app | ||
| authentication | ||
| cookies | ||
| encryption | ||
| header | ||
| ip | ||
| logger | ||
| middleware | ||
| providers | ||
| proxyhttp | ||
| requests | ||
| sessions | ||
| upstream | ||
| util | ||
| validation | ||
| version | ||
| watcher | ||