-rw-r--r--weed/security/guard.go30
-rw-r--r--weed/server/master_server.go6
2 files changed, 2 insertions, 34 deletions
diff --git a/weed/security/guard.go b/weed/security/guard.go
index a857c8549..a41cb0288 100644
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
}
func GetActualRemoteHost(r *http.Request) string {
- // Check X-Forwarded-For headers first (may contain comma-separated IPs)
- // HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader
- host := r.Header.Get("HTTP_X_FORWARDED_FOR")
- if host == "" {
- host = r.Header.Get("X-FORWARDED-FOR")
- }
- if host != "" {
- for _, ipStr := range strings.Split(host, ",") {
- host = strings.TrimSpace(ipStr)
- if host != "" {
- break
- }
- }
- }
-
- // If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
- if host == "" {
- host = r.Header.Get("X-Real-IP")
- }
-
- // If we got a host from headers, use it (can be IP or hostname)
- if host != "" {
- if host = strings.TrimSpace(host); host != "" {
- return host
- }
- }
-
- // If no host from headers, extract from RemoteAddr
+ // For security reasons, only use RemoteAddr to determine the client's IP address.
+ // Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err == nil {
return host
diff --git a/weed/server/master_server.go b/weed/server/master_server.go
index 7d0d6f938..52d0f996b 100644
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@@ -257,12 +257,6 @@ func (ms *MasterServer) proxyToLeader(f http.HandlerFunc) http.HandlerFunc {
// proxy to leader
glog.V(4).Infoln("proxying to leader", raftServerLeader)
proxy := httputil.NewSingleHostReverseProxy(targetUrl)
- director := proxy.Director
- proxy.Director = func(req *http.Request) {
- actualHost := security.GetActualRemoteHost(req)
- req.Header.Set("HTTP_X_FORWARDED_FOR", actualHost)
- director(req)
- }
proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport()
proxy.ServeHTTP(w, r)
}
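Review bot: With the Director override removed, a request forwarded by proxy.ServeHTTP reaches the leader with RemoteAddr set to the proxying master, and since GetActualRemoteHost in guard.go (earlier in this diff) now returns only RemoteAddr, any WhiteList check the leader applies to that request evaluates the peer master's address rather than the original client's — in effect the whitelist is enforced only by the first master a client reaches, and the leader implicitly trusts every peer. The same applies to any deployment that fronts the master with a load balancer or reverse proxy: every client now presents the proxy's IP, so a whitelist either blocks everyone or, if the proxy itself is listed, no one. Rather than ignoring the header outright, the conventional fix is a trusted-proxy allow-list in guard.go: take the last X-Forwarded-For hop only when r.RemoteAddr is itself a configured trusted proxy (the master peers, the load balancer) and fall back to RemoteAddr otherwise — httputil.ReverseProxy appends the client address to X-Forwarded-For by default, so no custom Director is needed to carry it. At minimum the change in whitelist semantics for proxied and leader-forwarded requests deserves a comment at the proxy.ServeHTTP call and a release note. proxyToLeader begins before this hunk.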