Merge pull request #466 from redpwn/feat/proxy-trust-config

feat(server): add config option for proxy trust

Author: chen-robert

docs/content/configuration.md

@@ -73,6 +73,8 @@ Configuration for advanced users - sane defaults are automatically set by the in
 YAML/JSON name|environment name|required|default value|type|description
 -|-|-|-|-|-
 `tokenKey`|`RCTF_TOKEN_KEY`|yes|_(none)_|string|base64 encoded 32 byte key used for encrypting tokens
+`proxy.cloudflare`|_(none)_|yes|`false`|boolean|whether or not rCTF is behind Cloudflare; if `true`, do not use `proxy.trust`
+`proxy.trust`|_(none)_|yes|`false`|boolean, string, string array, or integer|X-Forwarded-For trust: the trust parameter to [proxy-addr](https://www.npmjs.com/package/proxy-addr)
 `loginTimeout`|`RCTF_LOGIN_TIMEOUT`|yes|3600000|integer|lifetime of registration, email update, and recovery links, in milliseconds
 `userMembers`|`RCTF_USER_MEMBERS`|yes|`true`|boolean|whether to allow a user to provide emails for individual members 
 `database.migrate`|`RCTF_DATABASE_MIGRATE`|yes|`never`|`before | only | never`|how to run postgreSQL migrations. [documentation](management/migration.md)

server/app.js

@@ -3,11 +3,13 @@ import fastify from 'fastify'
 import fastifyStatic from 'fastify-static'
 import helmet from 'fastify-helmet'
 import hyperid from 'hyperid'
+import config from './config/server'
 import { serveIndex, getRealIp } from './util'
 import { init as uploadProviderInit } from './uploads'
 import api, { logSerializers as apiLogSerializers } from './api'
 
 const app = fastify({
+  trustProxy: config.proxy.trust,
   logger: {
     level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
     serializers: {

server/config/server.ts

@@ -39,6 +39,12 @@ export type ServerConfig = {
   tokenKey: string;
   origin: string;
 
+  // TODO: enforce `trust` is false when `cloudflare` is true
+  proxy: {
+    cloudflare: boolean
+    trust: boolean | string | string[] | number
+  }
+
   ctftime?: {
     clientId: string;
     clientSecret: string;
@@ -166,6 +172,10 @@ const defaultConfig: PartialDeep<ServerConfig> = {
   uploadProvider: {
     name: 'uploads/local'
   },
+  proxy: {
+    cloudflare: false,
+    trust: false
+  },
   meta: {
     description: '',
     imageUrl: ''

server/util/index.ts

@@ -1,3 +1,4 @@
+import config from '../config/server'
 import clientConfig from '../config/client'
 import { promises as fs } from 'fs'
 import mustache from 'mustache'
@@ -39,9 +40,19 @@ export const serveIndex: FastifyPluginAsync<{ indexPath: string; }> = async (fas
   fastify.setNotFoundHandler(routeHandler)
 }
 
+const getFastifyIp = (req: FastifyRequest): string =>
+  // Use `get` on req.__proto__ since this function is used in req's getter
+  Reflect.get(Object.getPrototypeOf(req), 'ip', req) as typeof req.ip
+
 // Parse Cloudflare CF-Connecting-IP header
-export const getRealIp = (req: FastifyRequest): string => {
-  // Use `get` on req.__proto__ since getRealIp is used in req's getter
-  return req.headers['cf-connecting-ip'] as string ||
-    Reflect.get(Object.getPrototypeOf(req), 'ip', req) as string
+const getCloudflareIp = (req: FastifyRequest): string | undefined =>
+  req.headers['cf-connecting-ip'] as string | undefined
+
+let getRealIp: (req: FastifyRequest) => string = getFastifyIp
+
+if (config.proxy.cloudflare) {
+  getRealIp = (req: FastifyRequest): string =>
+    getCloudflareIp(req) || getFastifyIp(req)
 }
+
+export { getRealIp }