diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go
index 3834f79d..0c1ca017 100644
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -98,10 +98,10 @@ type FilteringConfig struct {
 	AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
 	DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
 	BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
-	// TrustedProxies is the list of IP addresses and CIDR networks to
-	// detect proxy servers addresses the DoH requests from which should be
-	// handled. The value of nil or an empty slice for this field makes
-	// Proxy not trust any address.
+	// TrustedProxies is the list of IP addresses and CIDR networks to detect
+	// proxy servers addresses the DoH requests from which should be handled.
+	// The value of nil or an empty slice for this field makes Proxy not trust
+	// any address.
 	TrustedProxies []string `yaml:"trusted_proxies"`
 
 	// DNS cache settings
diff --git a/internal/home/auth.go b/internal/home/auth.go
index 26a807a9..58058519 100644
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@@ -404,8 +404,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {
 		return ip, nil
 	}
 
-	// When everything else fails, just return the remote address as
-	// understood by the stdlib.
+	// When everything else fails, just return the remote address as understood
+	// by the stdlib.
 	ipStr, err := netutil.SplitHost(r.RemoteAddr)
 	if err != nil {
 		return nil, fmt.Errorf("getting ip from client addr: %w", err)
@@ -424,7 +424,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var remoteAddr string
-	// The realIP couldn't be used here due to security issues.
+	// realIP cannot be used here without taking TrustedProxies into accound due
+	// to security issues.
 	//
 	// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
 	//
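Review bot: The rewritten comment above `var remoteAddr string` misspells `account` as `accound`, and it would be more useful stating the hazard than citing unspecified security issues. realIP's fallback to r.RemoteAddr in the previous hunk implies it consults other, presumably client-supplied, sources first; since the value computed here keys the brute-force blocker, an address a client can influence would let it sidestep its own rate-limit bucket. Suggested wording: `// realIP cannot be used here without taking TrustedProxies into account: it honours client-supplied proxy data, so the address the blocker keys on could be chosen by the client.` followed by the existing issue link. handleLogin continues outside the hunk.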
@@ -438,13 +439,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 	if blocker := Context.auth.blocker; blocker != nil {
 		if left := blocker.check(remoteAddr); left > 0 {
 			w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
-			aghhttp.Error(
-				r,
-				w,
-				http.StatusTooManyRequests,
-				"auth: blocked for %s",
-				left,
-			)
+			aghhttp.Error(r, w, http.StatusTooManyRequests, "auth: blocked for %s", left)
 
 			return
 		}
@@ -458,17 +453,18 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Use realIP here, since this IP address is only used for logging.
+	ip, err := realIP(r)
+	if err != nil {
+		log.Error("auth: getting real ip from request: %s", err)
+	} else if ip == nil {
+		// Technically shouldn't happen.
+		log.Error("auth: unknown ip")
+	}
+
 	if len(cookie) == 0 {
-		var ip net.IP
-		ip, err = realIP(r)
-		if err != nil {
-			log.Info("auth: getting real ip from request: %s", err)
-		} else if ip == nil {
-			// Technically shouldn't happen.
-			log.Info("auth: failed to login user %q from unknown ip", req.Name)
-		} else {
-			log.Info("auth: failed to login user %q from ip %q", req.Name, ip)
-		}
+		log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
+
 		time.Sleep(1 * time.Second)
 		http.Error(w, "invalid username or password", http.StatusBadRequest)
 
@@ -476,11 +472,13 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	w.Header().Set("Set-Cookie", cookie)
+	log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
 
-	w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
+	h := w.Header()
+	h.Set("Set-Cookie", cookie)
+	h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
+	h.Set("Pragma", "no-cache")
+	h.Set("Expires", "0")
 
 	aghhttp.OK(w)
 }
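Review bot: The failed-login line `log.Info("auth: failed to login user %q from ip %v", req.Name, ip)` records an address that, per the comment earlier in this function, realIP derives without consulting TrustedProxies, so it is client-influenced and can disagree with the address the blocker actually keys on (`remoteAddr`, already in scope). Because operators correlate these lines with the "auth: blocked for" messages and may feed them to ban tooling, log the transport address alongside, e.g. `log.Info("auth: failed to login user %q from ip %v (remote addr %q)", req.Name, ip, remoteAddr)`, and do the same for the success line in the next hunk. The two fallback messages were also raised from log.Info to log.Error; if realIP can fail on a malformed client-supplied header, that is remotely triggerable noise at error level, so confirm that or keep them at Info. handleLogin begins and ends outside the hunk.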