Add capability of specifying "trusted_proxies" entries in CIDR notation (IPv4)

[olivermg]

This enhances the handling of "trusted_proxies" config param. It adds the capability to define IPv4 ranges in CIDR notation (e.g. 192.168.0.0/24) instead of just single IP addresses as before.

Fixes #6550

[olivermg]

I may be wrong, but I don't think the check failed because of this PR's changes:

https://drone.nextcloud.com/nextcloud/server/11837/284

[rullzer]

Cool stuff.

Could you add ipv6 support as well. As that will now fail hard I think

[kesselb]

Good work! If you need some inspiration how to solve it with ipv6 you could look at https://github.com/symfony/http-foundation/blob/3.4/IpUtils.php

[olivermg]

Could you add ipv6 support as well. As that will now fail hard I think

Sure, I'll look into that, although I don't see a reason why it should fail right now, as the regex at
https://github.com/nextcloud/server/pull/12036/files#diff-3e4cca42108ce6a5b5592a58e1dae481R606
just won't match IPv6 addresses. Thus it would compare the unaltered values of $remoteAddress and $trustedProxy which should be the exact same behaviour as before.

Nevertheless, I'll do two things:

• add a handful of tests for IPv6 addresses to RequestTest.php to validate that it doesn't currently fail for IPv6 addresses
• look into whether I can implement the same functionality regarding CIDR notation for IPv6 addresses

[olivermg]

Could you add ipv6 support as well. As that will now fail hard I think

Okay, I think I see now. You are probably referring to that it would fail when using CIDR notation for IPv6 addresses. That's correct of course. I'm aware that the current/initial implementation only works for IPv4. I should probably have made that clear in the PR subject. My bad.

However, I'm working on adding IPv6 too, so I'll add it to this PR as soon as it's done.

[rullzer]

@olivermg ah I see now that ipv6 proxies would have just worked just not with CIDR notation.

We could also get this is soon and then work on ipv6 CIDR later?
Or are you close to finishing ipv6?

[olivermg]

@olivermg ah I see now that ipv6 proxies would have just worked just not with CIDR notation.

Yeah, that is what I meant earlier. The behaviour for IPv6 addresses should not change at all with this PR (i.e. it should not introduce a regression).

We could also get this is soon and then work on ipv6 CIDR later?
Or are you close to finishing ipv6?

Sure, just go ahead and merge if that's ok for you. I'll open another PR for IPv6.

I'm working on it but it'll take a bit more effort as I'm introducing new classes for that, in order to not pollute the Request class too much with all that IP/netmask calculations stuff.

[rullzer]

Could you squash your commits into 1?

[rullzer]

Could you remove this for now?

[rullzer]

And this

[olivermg]

Sure, done.

[MorrisJobke]

Code makes sense, tested and works 👍

[MorrisJobke]

@olivermg Thanks for your contribution - feel free to have a look at other small issues in our issue tracker: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

And welcome to the community 🎉

[olivermg]

@olivermg Thanks for your contribution - feel free to have a look at other small issues in our issue tracker: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

And welcome to the community 🎉

Thanks a lot :-)

I'm glad I could contribute something hopefully useful.

[MorrisJobke]

CI failure is unrelated -> merging.

[kesselb]

@olivermg

server/config/config.sample.php

Lines 1499 to 1506 in 3eb5ac9

	/**
	* List of trusted proxy servers
	*
	* If you configure these also consider setting `forwarded_for_headers` which
	* otherwise defaults to `HTTP_X_FORWARDED_FOR` (the `X-Forwarded-For` header).
	* Defaults to an empty array.
	*/
	'trusted_proxies' => array('203.0.113.45', '198.51.100.128'),

when you have time you could add some notes about cidr as comment. @MorrisJobke has a magic tool to generate this file https://github.com/nextcloud/documentation/blob/master/admin_manual/configuration_server/config_sample_php_parameters.rst from config.sample.php 🚀

[olivermg]

Yes, I'll add some samples/documentation for CIDR to that config.sample.php. Great idea 😃 .

[olivermg]

Regarding the documentation in config.sample.php, I've opened PR #12145

[MorrisJobke]

Its also not that magic. It’s a script that runs daily and updates the documentation automatically;)