(t *testing.T)
| 70 | } |
| 71 | |
// TestProxy_trustedProxies checks how the TrustedProxies setting changes the
// client address a request handler observes for a DoH request that carries an
// X-Forwarded-For header.
//
// Every subtest sends the same header, "1.2.3.4,127.0.0.1", and only varies
// the single-address prefix assigned to TrustedProxies:
//
//   - success: the trusted prefix is 127.0.0.1 and the handler must see
//     1.2.3.4, the first address in the header.
//   - not_in_trusted: the trusted prefix is 127.0.0.2 and the handler must see
//     127.0.0.1 instead of the header's first address.
//
// NOTE(review): 127.0.0.1 is presumably the peer address of the test client's
// connection (localhostAnyPort is defined elsewhere) — confirm.  If so, the
// second case is the one that guards against a client choosing its own
// apparent address through X-Forwarded-For.
func TestProxy_trustedProxies(t *testing.T) {
	var (
		clientAddr = netip.MustParseAddr("1.2.3.4")
		proxyAddr  = netip.MustParseAddr("127.0.0.1")
	)

	// check starts a fresh proxy that trusts only the address trusted, sends
	// one DoH request with the forwarding header, and requires that the
	// handler observed want as the client address.
	check := func(t *testing.T, trusted, want netip.Addr) {
		// seen is written by the handler and compared once the exchange is
		// over.
		var seen netip.Addr
		handler := &TestHandler{
			OnHandle: func(ctx context.Context, p *Proxy, d *DNSContext) (err error) {
				seen = d.Addr.Addr()

				return p.Resolve(ctx, d)
			},
		}

		// Build the proxy with TLS, QUIC and HTTP listeners on
		// localhostAnyPort.
		tlsConf, caPem := newTLSConfig(t)
		conf := &Config{
			Logger:         testLogger,
			UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
			TrustedProxies: defaultTrustedProxies,
			RequestHandler: handler,
			TLSConfig:      tlsConf,
			TLSListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
			QUICListenAddr: []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
			HTTPConfig: &HTTPConfig{
				ListenAddresses: []netip.AddrPort{localhostAnyPort},
			},
		}
		dnsProxy := mustNew(t, conf)

		client := createTestHTTPClient(dnsProxy, caPem, false)
		query := newTestMessage()

		// Replace the default trusted set with a prefix that covers exactly
		// one address; this happens after construction and before the proxy
		// is started.
		dnsProxy.TrustedProxies = netip.PrefixFrom(trusted, trusted.BitLen())

		servicetest.RequireRun(t, dnsProxy, testTimeout)

		// The header lists the original client first, then the proxy.
		forwardedFor := strings.Join([]string{clientAddr.String(), proxyAddr.String()}, ",")
		resp := sendTestDoHMessage(t, client, query, map[string]string{
			"X-Forwarded-For": forwardedFor,
		})
		requireResponse(t, query, resp)

		require.Equal(t, want, seen)
	}

	testCases := []struct {
		name    string
		trusted netip.Addr
		want    netip.Addr
	}{{
		name:    "success",
		trusted: proxyAddr,
		want:    clientAddr,
	}, {
		name:    "not_in_trusted",
		trusted: netip.MustParseAddr("127.0.0.2"),
		want:    proxyAddr,
	}}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			check(t, tc.trusted, tc.want)
		})
	}
}