* fix: handle Unix socket RemoteAddr in IP resolution

  When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@" instead of the usual "host:port" format. This caused net.SplitHostPort to fail on every request, flooding logs with errors:

      Error obtaining real IP for trusted IP list: unable to get ip and port from http.RemoteAddr (@)

  Fix by handling the "@" RemoteAddr at the source in getRemoteIP, returning nil without error since Unix sockets have no meaningful client IP. Also simplify the isTrustedIP guard and add a nil check in GetClientString to prevent calling String() on nil net.IP.

  Fixes #3373

  Signed-off-by: h1net <ben@freshdevs.com>

* docs: add changelog entry and Unix socket trusted IPs documentation

  Add changelog entry for #3374. Document that trusted IPs cannot match against RemoteAddr for Unix socket listeners since Go sets it to "@", and that IP-based trust still works via X-Forwarded-For with reverse-proxy.

  Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
  Signed-off-by: h1net <ben@freshdevs.com>

* doc: fix changelog entry for #3374

  Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add trusted ip a section to versioned docs as well

  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: h1net <ben@freshdevs.com>
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>

| | | |
|---|---|---|
| .. | ||
| net_set.go | ||
| net_set_test.go | ||
| parse_ip_net.go | ||
| realclientip.go | ||
| realclientip_test.go | ||