Trust classicube.net's IP for forwarding real IP in websocket connect…

…ions This is only intended for users connecting through classicube.net's websocket proxy - that way the rest of the server still sees the user's actual IP for e.g. /banip, /info, /clones etc
ClassiCube · Nov 18, 2022 · 63bb8d3 · 63bb8d3
1 parent a554d2d
commit 63bb8d3
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 23 deletions.
diff --git a/MCGalaxy/Drawing/Brushes/GridBrush.cs b/MCGalaxy/Drawing/Brushes/GridBrush.cs
@@ -43,7 +43,7 @@ public override BlockID NextBlock(DrawOp op) {
             int dz = (op.Coords.Z - op.Min.Z) % blocksCount; if (dz < 0) dz += blocksCount;
 
             // On the grid boundary planes
-            if (dx < gridSize || dy < gridSize || dz < gridSize)
+            if (dx < gridSize || dy < gridSize || dz < gridSize) 
             {
                 if (dx < gridSize && dz < gridSize) return gridBlock;
                 if (dx < gridSize && dy < gridSize) return gridBlock;

diff --git a/MCGalaxy/Network/BaseWebSocket.cs b/MCGalaxy/Network/BaseWebSocket.cs
@@ -36,7 +36,7 @@ protected static string ComputeKey(string rawKey) {
         }
 
         protected abstract void OnGotAllHeaders();
-        protected abstract void OnGotHeader(string key, string val);
+        protected abstract void OnGotHeader(string name, string value);
 
         void ProcessHeader(string raw) {
             // end of all headers
@@ -46,15 +46,15 @@ void ProcessHeader(string raw) {
             int sep = raw.IndexOf(':');
             if (sep == -1) return;
 
-            string key = raw.Substring(0, sep);
-            string val = raw.Substring(sep + 1).Trim();
+            string name  = raw.Substring(0, sep);
+            string value = raw.Substring(sep + 1).Trim();
 
-            if (key.CaselessEq("Connection")) {
-                conn    = val.CaselessContains("Upgrade");
-            } else if (key.CaselessEq("Upgrade")) {
-                upgrade = val.CaselessEq("websocket");
+            if (name.CaselessEq("Connection")) {
+                conn    = value.CaselessContains("Upgrade");
+            } else if (name.CaselessEq("Upgrade")) {
+                upgrade = value.CaselessEq("websocket");
             } else {
-                OnGotHeader(key, val);
+                OnGotHeader(name, value);
             }
         }
 
@@ -268,11 +268,11 @@ protected override void OnGotAllHeaders() {
             }
         }
 
-        protected override void OnGotHeader(string key, string val) {
-            if (key.CaselessEq("Sec-WebSocket-Version")) {
-                version = val.CaselessEq("13");
-            } else if (key.CaselessEq("Sec-WebSocket-Key")) {
-                verKey  = val;
+        protected override void OnGotHeader(string name, string value) {
+            if (name.CaselessEq("Sec-WebSocket-Version")) {
+                version = value.CaselessEq("13");
+            } else if (name.CaselessEq("Sec-WebSocket-Key")) {
+                verKey  = value;
             }
         }
 
@@ -315,9 +315,9 @@ protected override void OnGotAllHeaders() {
             }
         }
 
-        protected override void OnGotHeader(string key, string val) {
-            if (key.CaselessEq("Sec-WebSocket-Accept")) {
-                verKey = val;
+        protected override void OnGotHeader(string name, string value) {
+            if (name.CaselessEq("Sec-WebSocket-Accept")) {
+                verKey = value;
             }
         }
 

diff --git a/MCGalaxy/Network/Sockets.cs b/MCGalaxy/Network/Sockets.cs
@@ -309,16 +309,22 @@ protected override void OnDisconnected(int reason) {
 
 
         // Websocket proxying support
-        protected override void OnGotHeader(string key, string val) {
-            base.OnGotHeader(key, val);
+        protected override void OnGotHeader(string name, string value) {
+            base.OnGotHeader(name, value);
 
-            if (key == "X-Real-IP" && IsProxyTrustedIP()) {
-                IPAddress.TryParse(val, out clientIP);
+            if (name == "X-Real-IP" && Server.Config.AllowIPForwarding && IsTrustedForwarderIP()) {
+                Logger.Log(LogType.SystemActivity, "{0} is forwarding a connection from {1}", IP, value);
+                IPAddress.TryParse(value, out clientIP);
             }
         }
 
-        bool IsProxyTrustedIP() {
-            return IPAddress.IsLoopback(IP);
+        // by default the following IPs are trusted for proxying/forwarding connections
+        //  1) loopback (assumed to be a reverse proxy running on the same machine as the server)
+        //  2) classicube.net's websocket proxy IP (used as a fallback for https only connections)
+        static IPAddress ccnetIP = new IPAddress(0xFA05DF22); // 34.223.5.250
+        bool IsTrustedForwarderIP() {
+            IPAddress ip = IP;
+            return IPAddress.IsLoopback(ip) || ip.Equals(ccnetIP);
         }
     }
 }
diff --git a/MCGalaxy/Server/ServerConfig.cs b/MCGalaxy/Server/ServerConfig.cs
@@ -63,6 +63,8 @@ public sealed class ServerConfig : EnvConfig {
 
         [ConfigBool("support-web-client", "Webclient", true)]
         public bool WebClient = true;
+        [ConfigBool("allow-ip-forwarding", "Webclient", true)]
+        public bool AllowIPForwarding = true;
 
         [ConfigString("HeartbeatURL", "Other", "http://www.classicube.net/heartbeat.jsp", false, ":/.,")]
         public string HeartbeatURL = "http://www.classicube.net/heartbeat.jsp";