http: allow disabling TLS, allow reverse proxies, general fixes

2026-04-02 10:45:30 +00:00 · 2023-11-17 18:16:29 +01:00 · 2023-11-17 18:16:29 +01:00 · 923b3637e8
commit 923b3637e8
parent 7b2a7a4f46
18 changed files with 986 additions and 664 deletions
--- a/crates/http/src/config.rs
+++ b/crates/http/src/config.rs
@ -5,13 +5,18 @@ use aquatic_common::{
    privileges::PrivilegeConfig,
 };
 use aquatic_toml_config::TomlConfig;
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};

 use aquatic_common::cli::LogLevel;

+#[derive(Clone, Copy, Debug, PartialEq, Serialize, TomlConfig, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum ReverseProxyPeerIpHeaderFormat {
+    #[default]
+    LastAddress,
+}
+
 /// aquatic_http configuration
-///
-/// Does not support running behind a reverse proxy.
 #[derive(Clone, Debug, PartialEq, TomlConfig, Deserialize)]
 #[serde(default, deny_unknown_fields)]
 pub struct Config {
@ -76,29 +81,55 @@ pub struct NetworkConfig {
    pub only_ipv6: bool,
    /// Maximum number of pending TCP connections
    pub tcp_backlog: i32,
-    /// Path to TLS certificate (DER-encoded X.509)
+    /// Enable TLS
    ///
    /// The TLS files are read on start and when the program receives `SIGUSR1`.
    /// If initial parsing fails, the program exits. Later failures result in
    /// in emitting of an error-level log message, while successful updates
    /// result in emitting of an info-level log message. Updates only affect
    /// new connections.
+    pub enable_tls: bool,
+    /// Path to TLS certificate (DER-encoded X.509)
    pub tls_certificate_path: PathBuf,
    /// Path to TLS private key (DER-encoded ASN.1 in PKCS#8 or PKCS#1 format)
    pub tls_private_key_path: PathBuf,
    /// Keep connections alive after sending a response
    pub keep_alive: bool,
+    /// Does tracker run behind reverse proxy?
+    ///
+    /// MUST be set to false if not running behind reverse proxy.
+    ///
+    /// If set to true, make sure that reverse_proxy_ip_header_name and
+    /// reverse_proxy_ip_header_format are set to match your reverse proxy
+    /// setup.
+    ///
+    /// More info on what can go wrong when running behind reverse proxies:
+    /// https://adam-p.ca/blog/2022/03/x-forwarded-for/
+    pub runs_behind_reverse_proxy: bool,
+    /// Name of header set by reverse proxy to indicate peer ip
+    pub reverse_proxy_ip_header_name: String,
+    /// How to extract peer IP from header field
+    ///
+    /// Options:
+    /// - last_address: use the last address in the last instance of the
+    ///   header. Works with typical multi-IP setups (e.g., "X-Forwarded-For")
+    ///   as well as for single-IP setups (e.g., nginx "X-Real-IP")
+    pub reverse_proxy_ip_header_format: ReverseProxyPeerIpHeaderFormat,
 }

 impl Default for NetworkConfig {
    fn default() -> Self {
        Self {
            address: SocketAddr::from(([0, 0, 0, 0], 3000)),
+            enable_tls: false,
            tls_certificate_path: "".into(),
            tls_private_key_path: "".into(),
            only_ipv6: false,
            tcp_backlog: 1024,
            keep_alive: true,
+            runs_behind_reverse_proxy: false,
+            reverse_proxy_ip_header_name: "X-Forwarded-For".into(),
+            reverse_proxy_ip_header_format: Default::default(),
        }
    }
 }