mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

stop recommending --xff-src=any;

Browse source 
running behind cloudflare doesn't necessarily
mean being accessible ONLY through cloudflare

also include a general warning about optimal
configuration for non-cloudflare intermediates
This commit is contained in:
ed 2024-03-09 20:30:20 +00:00
parent 1c011ff0bb
commit 7f08f10c37
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
copyparty/httpcli.py
View file

@ -319,7 +319,9 @@ class HttpCli(object):
if self.args.xff_re and not self.args.xff_re.match(pip): if self.args.xff_re and not self.args.xff_re.match(pip):
t = 'got header "%s" from untrusted source "%s" claiming the true client ip is "%s" (raw value: "%s"); if you trust this, you must allowlist this proxy with "--xff-src=%s"' t = 'got header "%s" from untrusted source "%s" claiming the true client ip is "%s" (raw value: "%s"); if you trust this, you must allowlist this proxy with "--xff-src=%s"'
if self.headers.get("cf-connecting-ip"): if self.headers.get("cf-connecting-ip"):
t += " Alternatively, if you are behind cloudflare, it is better to specify these two instead: --xff-hdr=cf-connecting-ip --xff-src=any" t += ' Note: if you are behind cloudflare, then this default header is not a good choice; please first make sure your local reverse-proxy (if any) does not allow non-cloudflare IPs from providing cf-* headers, and then add this additional global setting: "--xff-hdr=cf-connecting-ip"'
else:
t += ' Note: depending on your reverse-proxy, and/or WAF, and/or other intermediates, you may want to read the true client IP from another header by also specifying "--xff-hdr=SomeOtherHeader"'
zs = ( zs = (
".".join(pip.split(".")[:2]) + "." ".".join(pip.split(".")[:2]) + "."
if "." in pip if "." in pip