log real ip of requests from ssh (#21216)
Partially fix #21213. This PR will get client IP address from SSH_CONNECTION env which should be the first field of that. And deliver it to the internal API so Gitea routers could record the real IP from SSH requests. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
This commit is contained in:
parent
c540ee08d3
commit
1428877c37
@ -10,6 +10,8 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"code.gitea.io/gitea/modules/httplib"
|
"code.gitea.io/gitea/modules/httplib"
|
||||||
"code.gitea.io/gitea/modules/json"
|
"code.gitea.io/gitea/modules/json"
|
||||||
@ -18,13 +20,14 @@ import (
|
|||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
func newRequest(ctx context.Context, url, method string) *httplib.Request {
|
func newRequest(ctx context.Context, url, method, sourceIP string) *httplib.Request {
|
||||||
if setting.InternalToken == "" {
|
if setting.InternalToken == "" {
|
||||||
log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q.
|
log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q.
|
||||||
Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf)
|
Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf)
|
||||||
}
|
}
|
||||||
return httplib.NewRequest(url, method).
|
return httplib.NewRequest(url, method).
|
||||||
SetContext(ctx).
|
SetContext(ctx).
|
||||||
|
Header("X-Real-IP", sourceIP).
|
||||||
Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken))
|
Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken))
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -42,8 +45,16 @@ func decodeJSONError(resp *http.Response) *Response {
|
|||||||
return &res
|
return &res
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getClientIP() string {
|
||||||
|
sshConnEnv := strings.TrimSpace(os.Getenv("SSH_CONNECTION"))
|
||||||
|
if len(sshConnEnv) == 0 {
|
||||||
|
return "127.0.0.1"
|
||||||
|
}
|
||||||
|
return strings.Fields(sshConnEnv)[0]
|
||||||
|
}
|
||||||
|
|
||||||
func newInternalRequest(ctx context.Context, url, method string) *httplib.Request {
|
func newInternalRequest(ctx context.Context, url, method string) *httplib.Request {
|
||||||
req := newRequest(ctx, url, method).SetTLSClientConfig(&tls.Config{
|
req := newRequest(ctx, url, method, getClientIP()).SetTLSClientConfig(&tls.Config{
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
ServerName: setting.Domain,
|
ServerName: setting.Domain,
|
||||||
})
|
})
|
||||||
|
@ -17,6 +17,7 @@ import (
|
|||||||
"code.gitea.io/gitea/modules/web"
|
"code.gitea.io/gitea/modules/web"
|
||||||
|
|
||||||
"gitea.com/go-chi/binding"
|
"gitea.com/go-chi/binding"
|
||||||
|
chi_middleware "github.com/go-chi/chi/v5/middleware"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CheckInternalToken check internal token is set
|
// CheckInternalToken check internal token is set
|
||||||
@ -57,6 +58,9 @@ func Routes() *web.Route {
|
|||||||
r := web.NewRoute()
|
r := web.NewRoute()
|
||||||
r.Use(context.PrivateContexter())
|
r.Use(context.PrivateContexter())
|
||||||
r.Use(CheckInternalToken)
|
r.Use(CheckInternalToken)
|
||||||
|
// Log the real ip address of the request from SSH is really helpful for diagnosing sometimes.
|
||||||
|
// Since internal API will be sent only from Gitea sub commands and it's under control (checked by InternalToken), we can trust the headers.
|
||||||
|
r.Use(chi_middleware.RealIP)
|
||||||
|
|
||||||
r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent)
|
r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent)
|
||||||
r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo)
|
r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo)
|
||||||
|
Loading…
Reference in New Issue
Block a user