diff --git a/apisix/plugins/chaitin-waf.lua b/apisix/plugins/chaitin-waf.lua
index 6c82c4a70f6b..ed364bb9ab42 100644
--- a/apisix/plugins/chaitin-waf.lua
+++ b/apisix/plugins/chaitin-waf.lua
@@ -280,7 +280,9 @@ local function get_conf(conf, metadata)
 t.req_body_size = metadata.config.req_body_size
 t.keepalive_size = metadata.config.keepalive_size
 t.keepalive_timeout = metadata.config.keepalive_timeout
- t.real_client_ip = metadata.config.real_client_ip or t.real_client_ip
+ if metadata.config.real_client_ip ~= nil then
+ t.real_client_ip = metadata.config.real_client_ip
+ end
 end
 
 if conf.config then
@@ -290,7 +292,9 @@ local function get_conf(conf, metadata)
 t.req_body_size = conf.config.req_body_size
 t.keepalive_size = conf.config.keepalive_size
 t.keepalive_timeout = conf.config.keepalive_timeout
- t.real_client_ip = conf.config.real_client_ip or t.real_client_ip
+ if conf.config.real_client_ip ~= nil then
+ t.real_client_ip = conf.config.real_client_ip
+ end
 end
 
 t.mode = conf.mode or metadata.mode or t.mode
@@ -343,10 +347,11 @@ local function do_access(conf, ctx)
 end
 
 if t.real_client_ip then
- t.client_ip = ctx.var.http_x_forwarded_for or ctx.var.remote_addr
+ t.client_ip = core.request.get_remote_client_ip(ctx)
 else
- t.client_ip = ctx.var.remote_addr
+ t.client_ip = core.request.get_ip(ctx)
 end
+ core.log.info("chaitin-waf client_ip: ", t.client_ip)
 
 local start_time = ngx_now() * 1000
 local ok, err, result = t1k.do_access(t, false)
diff --git a/t/plugin/chaitin-waf.t b/t/plugin/chaitin-waf.t
index ebff234ac905..df7f7ed366f5 100644
--- a/t/plugin/chaitin-waf.t
+++ b/t/plugin/chaitin-waf.t
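Review bot: The switch from `or` to an explicit `~= nil` test in the metadata branch deserves a one-line comment, because the next reader will be tempted to fold it back into the shorter `or` form and silently reintroduce the case where a configured `false` was discarded in favour of the default. Suggest `-- explicit nil check: "or" would drop an explicit false and keep the default` above the `if`; the same applies to the conf.config branch in the second hunk. Both hunks sit inside get_conf, whose start and end are outside the hunks.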
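Review bot: The meaning of `real_client_ip` changes in the third hunk from "trust the raw X-Forwarded-For header value" to "use the address nginx's realip module resolved from the trusted-proxy configuration (`set_real_ip_from` / `real_ip_header`, as the tests set)", and nothing in the code says so; a comment above `if t.real_client_ip then` would stop a maintainer from re-adding the header lookup, e.g. `-- real_client_ip: hand the WAF the proxy-resolved client address (only trusted hops are honoured); otherwise the direct peer address`. The option's schema description, outside this hunk, presumably still describes the old header-based behaviour and should be updated to match. The added `core.log.info` fires for every inspected request; the new tests grep for it, so it is worth confirming that info level is intended for production traffic rather than a debug aid. do_access continues outside the hunk on both sides.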
@@ -405,3 +405,117 @@ hello world
 X-APISIX-CHAITIN-WAF: yes
 X-APISIX-CHAITIN-WAF-ACTION: pass
 X-APISIX-CHAITIN-WAF-STATUS: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 1.2.3.4
+
+
+
+=== TEST 12: real_client_ip = false ignores trusted X-Forwarded-For
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 127.0.0.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 192.0.2.10
+
+
+
+=== TEST 13: real_client_ip = true prepare
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": [
+ {
+ "host": "127.0.0.1",
+ "port": 8088
+ }
+ ]
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.print(body)
+ end
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "chaitin-waf": {
+ "match": [
+ {
+ "vars": [
+ ["http_trigger", "==", "true"]
+ ]
+ }
+ ],
+ "config": {
+ "real_client_ip": true
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.print(body)
+ end
+ ngx.say("passed")
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 14: client_ip from trusted X-Forwarded-For source
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 127.0.0.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 192.0.2.10
+
+
+
+=== TEST 15: spoofed X-Forwarded-For from untrusted source is ignored
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 192.0.2.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 192.0.2.10
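Review bot: TEST 14 asserts only the positive `error_log` line, while TESTs 12 and 15 also pin the address that must not appear; adding `--- no_error_log` followed by `chaitin-waf client_ip: 127.0.0.1` to TEST 14 keeps the three cases symmetric and catches a regression where both addresses end up logged. None of the new cases sends a multi-address header such as `X-Forwarded-For: 192.0.2.10, 198.51.100.7` (constructed example); since the old code handed the WAF the raw header value, one such case would pin that a single resolved address, not the comma-separated list, now reaches the log. TEST 12 appears to rely on a route created by an earlier test outside this hunk, which is worth stating in its title or a comment so the case is not run in isolation.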