From 9f9f32cfba80aed72b60a9cdb1585e871a693882 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Tue, 2 Jan 2024 15:28:26 +0100 Subject: [PATCH 1/2] Avoid Optional[Array] = undef in remoteip.conf.erb By defaulting to an empty array and handling that the code is simplified. --- templates/mod/remoteip.conf.epp | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/templates/mod/remoteip.conf.epp b/templates/mod/remoteip.conf.epp index 439de12f68..6f2e67d0cc 100644 --- a/templates/mod/remoteip.conf.epp +++ b/templates/mod/remoteip.conf.epp @@ -1,17 +1,17 @@ <%- | String $header, - Optional[Array[Stdlib::Host]] $internal_proxy = undef, + Array[Stdlib::Host] $internal_proxy = [], Optional[Stdlib::Absolutepath] $internal_proxy_list = undef, Optional[String] $proxies_header = undef, Boolean $proxy_protocol = undef, - Optional[Array[Stdlib::Host]] $proxy_protocol_exceptions = undef, - Optional[Array[Stdlib::IP::Address]] $trusted_proxy = undef, + Array[Stdlib::Host] $proxy_protocol_exceptions = [], + Array[Stdlib::IP::Address] $trusted_proxy = [], Optional[Stdlib::Absolutepath] $trusted_proxy_list = undef, | -%> # Declare the header field which should be parsed for useragent IP addresses RemoteIPHeader <%= $header %> -<%- if $internal_proxy { -%> +<%- unless $internal_proxy.empty { -%> # Declare client intranet IP addresses trusted to present # the RemoteIPHeader value <%- $internal_proxy.each |$proxy| { -%> @@ -32,13 +32,11 @@ RemoteIPProxiesHeader <%= $proxies_header %> RemoteIPProxyProtocol On <%- } -%> -<%- if $proxy_protocol_exceptions { -%> -<%- $proxy_protocol_exceptions.each |$exception| { -%> +<%- $proxy_protocol_exceptions.each |$exception| { -%> RemoteIPProxyProtocolExceptions <%= $exception %> -<%- } -%> <%- } -%> -<%- if $trusted_proxy { -%> +<%- unless $trusted_proxy.empty { -%> # Declare client intranet IP addresses trusted to present # the RemoteIPHeader value <%- $trusted_proxy.each |$proxy| { -%> 
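Review bot: In the first hunk's parameter block, `Boolean $proxy_protocol = undef` is left untouched although this commit removes the same pattern from the array parameters; `undef` does not satisfy `Boolean`, so that default is unusable and `Boolean $proxy_protocol = false,` would match the class. In the same block `$trusted_proxy` is declared as `Array[Stdlib::IP::Address]`, while the class shown in patch 2/2 accepts `Array[Stdlib::Host]`. A hostname that passes the class's validation would therefore presumably be rejected only when the template is evaluated. Since this list decides which peers are trusted to assert the client address, the two types should be aligned in one place, either `Array[Stdlib::Host] $trusted_proxy = [],` here or the stricter type in the class.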
From 6168ce0f86814d8f6d2b6cc444e85d10fcef22a2 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Tue, 2 Jan 2024 15:29:31 +0100 Subject: [PATCH 2/2] Remove deprecated $proxy_ips and $trusted_proxy_ips parameters --- REFERENCE.md | 24 +++------------------- manifests/mod/remoteip.pp | 32 ++++------------------------- spec/classes/mod/remoteip_spec.rb | 34 ------------------------------- 3 files changed, 7 insertions(+), 83 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index ba80e4391b..77e0c6ff12 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -5720,13 +5720,11 @@ The following parameters are available in the `apache::mod::remoteip` class: * [`header`](#-apache--mod--remoteip--header) * [`internal_proxy`](#-apache--mod--remoteip--internal_proxy) -* [`proxy_ips`](#-apache--mod--remoteip--proxy_ips) * [`internal_proxy_list`](#-apache--mod--remoteip--internal_proxy_list) * [`proxies_header`](#-apache--mod--remoteip--proxies_header) * [`proxy_protocol`](#-apache--mod--remoteip--proxy_protocol) * [`proxy_protocol_exceptions`](#-apache--mod--remoteip--proxy_protocol_exceptions) * [`trusted_proxy`](#-apache--mod--remoteip--trusted_proxy) -* [`trusted_proxy_ips`](#-apache--mod--remoteip--trusted_proxy_ips) * [`trusted_proxy_list`](#-apache--mod--remoteip--trusted_proxy_list) ##### `header` 
@@ -5739,22 +5737,14 @@ Default value: `'X-Forwarded-For'` ##### `internal_proxy` -Data type: `Optional[Array[Stdlib::Host]]` +Data type: `Array[Stdlib::Host]` A list of IP addresses, IP blocks or hostname that are trusted to set a -valid value inside specified header. Unlike the `$trusted_proxy_ips` +valid value inside specified header. Unlike the `$trusted_proxy` parameter, any IP address (including private addresses) presented by these proxies will trusted by `mod_remoteip`. -Default value: `undef` - -##### `proxy_ips` - -Data type: `Optional[Array[Stdlib::Host]]` - -*Deprecated*: use `$internal_proxy` instead. - -Default value: `undef` +Default value: `['127.0.0.1']` ##### `internal_proxy_list` @@ -5805,14 +5795,6 @@ any private IP presented by these proxies will be disgarded by Default value: `undef` -##### `trusted_proxy_ips` - -Data type: `Optional[Array[Stdlib::Host]]` - -*Deprecated*: use `$trusted_proxy` instead. - -Default value: `undef` - ##### `trusted_proxy_list` Data type: `Optional[Stdlib::Absolutepath]` diff --git a/manifests/mod/remoteip.pp b/manifests/mod/remoteip.pp index 9435e00f20..800db0b4a7 100644 --- a/manifests/mod/remoteip.pp +++ b/manifests/mod/remoteip.pp @@ -8,13 +8,10 @@ # # @param internal_proxy # A list of IP addresses, IP blocks or hostname that are trusted to set a -# valid value inside specified header. Unlike the `$trusted_proxy_ips` +# valid value inside specified header. Unlike the `$trusted_proxy` # parameter, any IP address (including private addresses) presented by these # proxies will trusted by `mod_remoteip`. # -# @param proxy_ips -# *Deprecated*: use `$internal_proxy` instead. -# # @param internal_proxy_list # The path to a file containing a list of IP addresses, IP blocks or hostname # that are trusted to set a valid value inside the specified header. See 
@@ -39,9 +36,6 @@ # any private IP presented by these proxies will be disgarded by # `mod_remoteip`. # -# @param trusted_proxy_ips -# *Deprecated*: use `$trusted_proxy` instead. -# # @param trusted_proxy_list # The path to a file containing a list of IP addresses, IP blocks or hostname # that are trusted to set a valid value inside the specified header. See @@ -51,44 +45,26 @@ # class apache::mod::remoteip ( String $header = 'X-Forwarded-For', - Optional[Array[Stdlib::Host]] $internal_proxy = undef, - Optional[Array[Stdlib::Host]] $proxy_ips = undef, + Array[Stdlib::Host] $internal_proxy = ['127.0.0.1'], Optional[Stdlib::Absolutepath] $internal_proxy_list = undef, Optional[String] $proxies_header = undef, Boolean $proxy_protocol = false, Optional[Array[Stdlib::Host]] $proxy_protocol_exceptions = undef, Optional[Array[Stdlib::Host]] $trusted_proxy = undef, - Optional[Array[Stdlib::Host]] $trusted_proxy_ips = undef, Optional[Stdlib::Absolutepath] $trusted_proxy_list = undef, ) { include apache - if $proxy_ips { - deprecation('apache::mod::remoteip::proxy_ips', 'This parameter is deprecated, please use `internal_proxy`.') - $_internal_proxy = $proxy_ips - } elsif $internal_proxy { - $_internal_proxy = $internal_proxy - } else { - $_internal_proxy = ['127.0.0.1'] - } - - if $trusted_proxy_ips { - deprecation('apache::mod::remoteip::trusted_proxy_ips', 'This parameter is deprecated, please use `trusted_proxy`.') - $_trusted_proxy = $trusted_proxy_ips - } else { - $_trusted_proxy = $trusted_proxy - } - ::apache::mod { 'remoteip': } $template_parameters = { header => $header, - internal_proxy => $_internal_proxy, + internal_proxy => $internal_proxy, internal_proxy_list => $internal_proxy_list, proxies_header => $proxies_header, proxy_protocol => $proxy_protocol, proxy_protocol_exceptions => $proxy_protocol_exceptions, - trusted_proxy => $_trusted_proxy, + trusted_proxy => $trusted_proxy, trusted_proxy_list => $trusted_proxy_list, } 
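Review bot: In the class signature of the last hunk, `$proxy_protocol_exceptions` and `$trusted_proxy` stay `Optional[Array[Stdlib::Host]] ... = undef`, while `$internal_proxy` becomes a plain array and the template from patch 1/2 declares all three as non-optional arrays defaulting to `[]`. The class then renders only if an `undef` passed in `$template_parameters` is replaced by the template's own default, which is worth pinning with a spec for the no-parameter case rather than relying on it. Declaring them as `Array[Stdlib::Host] $proxy_protocol_exceptions = [],` and `Array[Stdlib::Host] $trusted_proxy = [],` would keep the signature, the template and REFERENCE.md (which still lists `undef` for them) in agreement. Because these lists control which peers mod_remoteip believes about the client address, the `@param internal_proxy` comment should also state that the default is `['127.0.0.1']` and that an empty array appears to emit no `RemoteIPInternalProxy` line.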
diff --git a/spec/classes/mod/remoteip_spec.rb b/spec/classes/mod/remoteip_spec.rb index 2ab7ee72aa..64847927e2 100644 --- a/spec/classes/mod/remoteip_spec.rb +++ b/spec/classes/mod/remoteip_spec.rb @@ -46,31 +46,6 @@ it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy fd00:fd00:fd00:2000::/64$}) } end - describe 'with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do - let :params do - { proxy_ips: ['10.42.17.8', '10.42.18.99'] } - end - - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.17.8$}) } - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.18.99$}) } - end - - describe 'with IPv4 CIDR in proxy_ips => [ 192.168.1.0/24 ]' do - let :params do - { proxy_ips: ['192.168.1.0/24'] } - end - - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 192.168.1.0/24$}) } - end - - describe 'with IPv6 CIDR in proxy_ips => [ fd00:fd00:fd00:2000::/64 ]' do - let :params do - { proxy_ips: ['fd00:fd00:fd00:2000::/64'] } - end - - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy fd00:fd00:fd00:2000::/64$}) } - end - describe 'with trusted_proxy => [ 10.42.17.8, 10.42.18.99 ]' do let :params do { trusted_proxy: ['10.42.17.8', '10.42.18.99'] } @@ -80,15 +55,6 @@ it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.18.99$}) } end - describe 'with trusted_proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do - let :params do - { trusted_proxy: ['10.42.17.8', '10.42.18.99'] } - end - - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.17.8$}) } - it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.18.99$}) } - end - describe 'with proxy_protocol_exceptions => [ 10.42.17.8, 10.42.18.99 ]' do let :params do { proxy_protocol_exceptions: ['10.42.17.8', '10.42.18.99'] }