peerIsTrustedProxy reports whether the immediate TCP peer (r.RemoteAddr) is in the configured ZENNOTES_TRUSTED_PROXIES set. Forwarded-* headers are only honoured when this is true.
(r *http.Request)
// peerIsTrustedProxy reports whether the immediate TCP peer (r.RemoteAddr)
// is in the configured ZENNOTES_TRUSTED_PROXIES set. Forwarded-* headers
// are only honoured when this is true.
//
// The decision is taken from r.RemoteAddr alone; no request header is read
// here. An empty trusted set, or a peer address that does not parse as an
// IP, yields false, so the check fails closed.
//
// NOTE(review): this is only sound if nothing earlier in the handler chain
// overwrites r.RemoteAddr from a client-supplied header — confirm.
func (s *Server) peerIsTrustedProxy(r *http.Request) bool {
	trusted := s.currentConfig().TrustedProxies
	if len(trusted) == 0 {
		return false
	}

	// RemoteAddr is normally "host:port"; when it cannot be split, the
	// whole string is used as the host.
	addr := r.RemoteAddr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		addr = h
	}

	// Strip any IPv6 brackets still present before parsing. net.ParseIP
	// returns nil for anything that is not a plain IP literal (a zoned
	// IPv6 address included), and such a peer is treated as untrusted.
	peer := net.ParseIP(strings.Trim(addr, "[]"))
	if peer == nil {
		return false
	}

	for _, cidr := range trusted {
		if cidr.Contains(peer) {
			return true
		}
	}
	return false
}
| 240 | |
| 241 | // effectiveScheme returns "https" if the request is genuinely on TLS or |
| 242 | // arrived through a trusted proxy that declares X-Forwarded-Proto: https. |
no test coverage detected