squidy/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2025-12-31 20:58:07 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add WebUI reverse proxy source IP resolution (#15047)

Browse Source 
Co-authored-by: qix67
Co-authored-by: HiFiPhile <admin@hifiphile.com>
This commit is contained in:
HiFiPhile
2021-06-23 08:01:36 +02:00
committed by GitHub
parent 124cc9621d
commit f5315d9ba7
9 changed files with 165 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/webui/api/appcontroller.cpp
View File

@@ -259,6 +259,9 @@ void AppController::preferencesAction()
// Custom HTTP headers
data["web_ui_use_custom_http_headers_enabled"] = pref->isWebUICustomHTTPHeadersEnabled();
data["web_ui_custom_http_headers"] = pref->getWebUICustomHTTPHeaders();
// Reverse proxy
data["web_ui_reverse_proxy_enabled"] = pref->isWebUIReverseProxySupportEnabled();
data["web_ui_reverse_proxies_list"] = pref->getWebUITrustedReverseProxiesList();
// Update my dynamic domain name
data["dyndns_enabled"] = pref->isDynDNSEnabled();
data["dyndns_service"] = pref->getDynDNSService();
@@ -680,6 +683,11 @@ void AppController::setPreferencesAction()
pref->setWebUICustomHTTPHeadersEnabled(it.value().toBool());
if (hasKey("web_ui_custom_http_headers"))
pref->setWebUICustomHTTPHeaders(it.value().toString());
// Reverse proxy
if (hasKey("web_ui_reverse_proxy_enabled"))
pref->setWebUIReverseProxySupportEnabled(it.value().toBool());
if (hasKey("web_ui_reverse_proxies_list"))
pref->setWebUITrustedReverseProxiesList(it.value().toString());
// Update my dynamic domain name
if (hasKey("dyndns_enabled"))
pref->setDynDNSEnabled(it.value().toBool());

61
src/webui/webapplication.cpp
View File

@@ -404,6 +404,24 @@ void WebApplication::configure()
m_prebuiltHeaders.push_back({header, value});
}
}
m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
if (m_isReverseProxySupportEnabled)
{
m_trustedReverseProxyList.clear();
const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(';', Qt::SkipEmptyParts);
for (const QString &proxy : proxyList)
{
QHostAddress ip;
if (ip.setAddress(proxy))
m_trustedReverseProxyList.push_back(ip);
}
if (m_trustedReverseProxyList.isEmpty())
m_isReverseProxySupportEnabled = false;
}
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -495,6 +513,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
throw UnauthorizedHTTPError();
}
// reverse proxy resolve client address
m_clientAddress = resolveClientAddress();
sessionInitialize();
doProcessRequest();
}
@@ -512,7 +533,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
QString WebApplication::clientId() const
{
return env().clientAddress.toString();
return m_clientAddress.toString();
}
void WebApplication::sessionInitialize()
@@ -567,9 +588,9 @@ QString WebApplication::generateSid() const
bool WebApplication::isAuthNeeded()
{
if (!m_isLocalAuthEnabled && Utils::Net::isLoopbackAddress(m_env.clientAddress))
if (!m_isLocalAuthEnabled && Utils::Net::isLoopbackAddress(m_clientAddress))
return false;
if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInRange(m_env.clientAddress, m_authSubnetWhitelist))
if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInRange(m_clientAddress, m_authSubnetWhitelist))
return false;
return true;
}
@@ -705,6 +726,40 @@ bool WebApplication::validateHostHeader(const QStringList &domains) const
return false;
}
QHostAddress WebApplication::resolveClientAddress() const
{
if (!m_isReverseProxySupportEnabled)
return m_env.clientAddress;
// Only reverse proxy can overwrite client address
if (!m_trustedReverseProxyList.contains(m_env.clientAddress))
return m_env.clientAddress;
const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
if (!forwardedFor.isEmpty())
{
// client address is the 1st global IP in X-Forwarded-For or, if none available, the 1st IP in the list
const QStringList remoteIpList = forwardedFor.split(',', Qt::SkipEmptyParts);
if (!remoteIpList.isEmpty())
{
QHostAddress clientAddress;
for (const QString &remoteIp : remoteIpList)
{
if (clientAddress.setAddress(remoteIp) && clientAddress.isGlobal())
return clientAddress;
}
if (clientAddress.setAddress(remoteIpList[0]))
return clientAddress;
}
}
return m_env.clientAddress;
}
// WebSession
WebSession::WebSession(const QString &sid)

7
src/webui/webapplication.h
View File

@@ -114,6 +114,8 @@ private:
bool isCrossSiteRequest(const Http::Request &request) const;
bool validateHostHeader(const QStringList &domains) const;
QHostAddress resolveClientAddress() const;
// Persistent data
QHash<QString, WebSession *> m_sessions;
@@ -154,5 +156,10 @@ private:
bool m_isHostHeaderValidationEnabled;
bool m_isHttpsEnabled;
// Reverse proxy
bool m_isReverseProxySupportEnabled;
QVector<QHostAddress> m_trustedReverseProxyList;
QHostAddress m_clientAddress;
QVector<Http::Header> m_prebuiltHeaders;
};

27
src/webui/www/private/views/preferences.html
View File

@@ -838,6 +838,18 @@
</legend>
<textarea id="webUICustomHTTPHeadersTextarea" placeholder="QBT_TR(Header: value pairs, one per line)QBT_TR[CONTEXT=OptionsDialog]" style="width: 90%;"></textarea>
</fieldset>
<fieldset class="settings">
<legend>
<input type="checkbox" id="webUIReverseProxySupportCheckbox" onclick="qBittorrent.Preferences.updateWebUIReverseProxySettings();" />
<label for="webUIReverseProxySupportCheckbox">QBT_TR(Enable reverse proxy support)QBT_TR[CONTEXT=OptionsDialog]</label>
</legend>
<div class="formRow">
<input type="text" id="webUIReverseProxiesListTextarea" />
<label for="webUIReverseProxiesListTextarea" class="leftLabelLarge">QBT_TR(Trusted proxies list:)QBT_TR[CONTEXT=OptionsDialog]</label>
</div>
</fieldset>
</fieldset>
<fieldset class="settings">
@@ -1279,6 +1291,7 @@
updateAlternativeWebUISettings: updateAlternativeWebUISettings,
updateHostHeaderValidationSettings: updateHostHeaderValidationSettings,
updateWebUICustomHTTPHeadersSettings: updateWebUICustomHTTPHeadersSettings,
updateWebUIReverseProxySettings: updateWebUIReverseProxySettings,
updateDynDnsSettings: updateDynDnsSettings,
registerDynDns: registerDynDns,
applyPreferences: applyPreferences
@@ -1511,6 +1524,11 @@
$('webUICustomHTTPHeadersTextarea').setProperty('disabled', !isEnabled);
};
const updateWebUIReverseProxySettings = function() {
const isEnabled = $('webUIReverseProxySupportCheckbox').getProperty('checked');
$('webUIReverseProxiesListTextarea').setProperty('disabled', !isEnabled);
};
const updateDynDnsSettings = function() {
const isDynDnsEnabled = $('use_dyndns_checkbox').getProperty('checked');
$('dyndns_select').setProperty('disabled', !isDynDnsEnabled);
@@ -1886,6 +1904,11 @@
$('webUICustomHTTPHeadersTextarea').setProperty('value', pref.web_ui_custom_http_headers);
updateWebUICustomHTTPHeadersSettings();
// Reverse Proxy
$('webUIReverseProxySupportCheckbox').setProperty('checked', pref.web_ui_reverse_proxy_support_enabled);
$('webUIReverseProxiesListTextarea').setProperty('value', pref.web_ui_trusted_reverse_proxies_list);
updateWebUIReverseProxySettings();
// Update my dynamic domain name
$('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
$('dyndns_select').setProperty('value', pref.dyndns_service);
@@ -2277,6 +2300,10 @@
settings.set('web_ui_use_custom_http_headers_enabled', $('webUIUseCustomHTTPHeadersCheckbox').getProperty('checked'));
settings.set('web_ui_custom_http_headers', $('webUICustomHTTPHeadersTextarea').getProperty('value'));
// Reverse Proxy
settings.set('web_ui_reverse_proxy_support_enabled', $('webUIReverseProxySupportCheckbox').getProperty('checked'));
settings.set('web_ui_trusted_reverse_proxies_list', $('webUIReverseProxiesListTextarea').getProperty('value'));
// Update my dynamic domain name
settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));
settings.set('dyndns_service', $('dyndns_select').getProperty('value'));