Pull request: 2799 trusted proxy

Merge in DNS/adguard-home from 2799-trusted-proxy to master

Updates #2799.

Squashed commit of the following:

commit 708a06b30116126a575767ea70865a6de90de774
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Fri Jul 23 18:56:16 2021 +0300

    all: add trusted proxy mechanism
Eugene Burkov
2021-07-26 19:30:35 +03:00
parent 8e8f14aefb
commit 2f661df88c
6 changed files with 17 additions and 1 deletions


@@ -94,6 +94,11 @@ type FilteringConfig struct {
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
// TrustedProxies is the list of IP addresses and CIDR networks to
// detect proxy servers addresses the DoH requests from which should be
// handled. The value of nil or an empty slice for this field makes
// Proxy not trust any address.
TrustedProxies []string `yaml:"trusted_proxies"`
// DNS cache settings
// --
@@ -210,6 +215,7 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
Ratelimit: int(s.conf.Ratelimit),
RatelimitWhitelist: s.conf.RatelimitWhitelist,
RefuseAny: s.conf.RefuseAny,
TrustedProxies: s.conf.TrustedProxies,
CacheMinTTL: s.conf.CacheMinTTL,
CacheMaxTTL: s.conf.CacheMaxTTL,
CacheOptimistic: s.conf.CacheOptimistic,
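Review bot: The doc comment on `TrustedProxies` in the first hunk is hard to parse and never says what trusting a proxy grants, which is the security-relevant part of the field. Presumably the client address that a trusted proxy reports for a DoH request replaces the connection's peer address, and would then feed the `AllowedClients` / `DisallowedClients` checks and the rate limit; if that is right, the comment should say so. Suggested opening: `// TrustedProxies is the list of IP addresses and CIDR networks of proxy servers whose DoH requests are handled and whose reported client address is used.`, followed by the existing sentence about nil or an empty slice. It is also worth adding that every host inside a listed network is trusted to the same degree, so entries should be as narrow as possible. `FilteringConfig` and `createProxyConfig` both continue outside these hunks.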


@@ -227,6 +227,7 @@ func (s *Server) WriteDiskConfig(c *FilteringConfig) {
c.AllowedClients = aghstrings.CloneSlice(sc.AllowedClients)
c.DisallowedClients = aghstrings.CloneSlice(sc.DisallowedClients)
c.BlockedHosts = aghstrings.CloneSlice(sc.BlockedHosts)
c.TrustedProxies = aghstrings.CloneSlice(sc.TrustedProxies)
c.UpstreamDNS = aghstrings.CloneSlice(sc.UpstreamDNS)
}


@@ -179,6 +179,8 @@ var config = configuration{
RefuseAny: true,
AllServers: false,
TrustedProxies: []string{"127.0.0.0/8", "::1/128"},
// set default maximum concurrent queries to 300
// we introduced a default limit due to this:
// https://github.com/AdguardTeam/AdGuardHome/issues/2015#issuecomment-674041912
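Review bot: The new default `TrustedProxies: []string{"127.0.0.0/8", "::1/128"}` has no comment, although it decides who is trusted out of the box and the concurrent-queries default right below it does explain its rationale. I would add a line above it such as `// Trust only loopback by default, i.e. a reverse proxy running on the same host.` The user-facing documentation should also state that with this default anything connecting from loopback is treated as a trusted proxy, and that a proxy on another host has to be listed explicitly. The `config` literal starts and ends outside this hunk.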