Allow to set trusted proxies via .env file APP_TRUSTED_PROXIES parame…

…ter - closes freescout-help-desk#1994
avenjamin · Jul 17, 2023 · 71fb3b1 · 71fb3b1
1 parent 2b9f56b
commit 71fb3b1
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 9 deletions.
diff --git a/.env.example b/.env.example
@@ -26,6 +26,11 @@ APP_URL=https://example.com
 # Comment it to use default timezone from php.ini
 #APP_TIMEZONE=Europe/London
 
+# Comma separated list of trusted proxies for proper IP detection in FreeScout.
+# To trust all proxies that connect to your server use single asterisk: *
+# To trust ALL proxies, including those that are in a chain of forwarding use double asterisk: **
+#APP_TRUSTED_PROXIES=192.168.1.1,192.168.1.2,192.168.1.3
+
 DB_CONNECTION=mysql
 DB_HOST=localhost
 DB_PORT=3306

diff --git a/app/Http/Middleware/HttpsRedirect.php b/app/Http/Middleware/HttpsRedirect.php
@@ -18,20 +18,22 @@ class HttpsRedirect {
      *
      * @var array
      */
-    protected $headers = [
-        Request::HEADER_FORWARDED         => 'FORWARDED',
-        Request::HEADER_X_FORWARDED_FOR   => 'X_FORWARDED_FOR',
-        Request::HEADER_X_FORWARDED_HOST  => 'X_FORWARDED_HOST',
-        Request::HEADER_X_FORWARDED_PORT  => 'X_FORWARDED_PORT',
-        Request::HEADER_X_FORWARDED_PROTO => 'X_FORWARDED_PROTO',
-    ];
+    // protected $headers = [
+    //     Request::HEADER_FORWARDED         => 'FORWARDED',
+    //     Request::HEADER_X_FORWARDED_FOR   => 'X_FORWARDED_FOR',
+    //     Request::HEADER_X_FORWARDED_HOST  => 'X_FORWARDED_HOST',
+    //     Request::HEADER_X_FORWARDED_PORT  => 'X_FORWARDED_PORT',
+    //     Request::HEADER_X_FORWARDED_PROTO => 'X_FORWARDED_PROTO',
+    // ];
 
     public function handle($request, Closure $next)
     {
         if (\Helper::isHttps()) {
-            $request->setTrustedProxies( [ $request->getClientIp() ], array_keys($this->headers)); 
+            //$request->setTrustedProxies( [ $request->getClientIp() ], array_keys($this->headers)); 
 
-            if (!$request->secure() && strtolower($_SERVER['HTTPS'] ?? '') != 'on' 
+            if (//!$request->secure()
+                !in_array(strtolower($_SERVER['X_FORWARDED_PROTO'] ?? ''), array('https', 'on', 'ssl', '1'), true)
+                && strtolower($_SERVER['HTTPS'] ?? '') != 'on' 
                 && ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') != 'https'
                 && ($_SERVER['HTTP_CF_VISITOR'] ?? '') != '{"scheme":"https"}'
             ) {

diff --git a/config/trustedproxy.php b/config/trustedproxy.php
@@ -0,0 +1,74 @@
+<?php
+
+return [
+
+    /*
+     * Set trusted proxy IP addresses.
+     *
+     * Both IPv4 and IPv6 addresses are
+     * supported, along with CIDR notation.
+     *
+     * The "*" character is syntactic sugar
+     * within TrustedProxy to trust any proxy
+     * that connects directly to your server,
+     * a requirement when you cannot know the address
+     * of your proxy (e.g. if using Rackspace balancers).
+     *
+     * The "**" character is syntactic sugar within
+     * TrustedProxy to trust not just any proxy that
+     * connects directly to your server, but also
+     * proxies that connect to those proxies, and all
+     * the way back until you reach the original source
+     * IP. It will mean that $request->getClientIp()
+     * always gets the originating client IP, no matter
+     * how many proxies that client's request has
+     * subsequently passed through.
+     */
+    // 'proxies' => [
+    //     '192.168.1.10',
+    // ],
+    'proxies' => preg_match("#^\*{1,2}$#", env('APP_TRUSTED_PROXIES', '')) 
+                ? env('APP_TRUSTED_PROXIES', '') 
+                : explode(',', env('APP_TRUSTED_PROXIES', '')),
+
+    /*
+     * Or, to trust all proxies that connect
+     * directly to your server, uncomment this:
+     */
+     # 'proxies' => '*',
+
+    /*
+     * Or, to trust ALL proxies, including those that
+     * are in a chain of forwarding, uncomment this:
+    */
+    # 'proxies' => '**',
+
+    /*
+     * Default Header Names
+     *
+     * Change these if the proxy does
+     * not send the default header names.
+     *
+     * Note that headers such as X-Forwarded-For
+     * are transformed to HTTP_X_FORWARDED_FOR format.
+     *
+     * The following are Symfony defaults, found in
+     * \Symfony\Component\HttpFoundation\Request::$trustedHeaders
+     *
+     * You may optionally set headers to 'null' here if you'd like
+     * for them to be considered untrusted instead. Ex:
+     *
+     * Illuminate\Http\Request::HEADER_CLIENT_HOST  => null,
+     * 
+     * WARNING: If you're using AWS Elastic Load Balancing or Heroku,
+     * the FORWARDED and X_FORWARDED_HOST headers should be set to null 
+     * as they are currently unsupported there.
+     */
+    'headers' => [
+        (defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => 'FORWARDED',
+        Illuminate\Http\Request::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
+        Illuminate\Http\Request::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
+        Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
+        Illuminate\Http\Request::HEADER_CLIENT_PORT  => 'X_FORWARDED_PORT',
+    ]
+];