Skip to content

caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying #6427

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mholt merged 3 commits into from
Jul 5, 2024
Merged

caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying #6427

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fbbf52d
caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data …
mholt Jul 1, 2024
be7777f
Don't return value for {remote} placeholder in early data
mholt Jul 5, 2024
f6d7e39
Add Caddyfile support
mholt Jul 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions modules/caddyhttp/replacer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,8 +142,16 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
}
return port, true
case "http.request.remote":
if req.TLS != nil && !req.TLS.HandshakeComplete {
// without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
return nil, true
}
return req.RemoteAddr, true
case "http.request.remote.host":
if req.TLS != nil && !req.TLS.HandshakeComplete {
// without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
return nil, true
}
host, _, err := net.SplitHostPort(req.RemoteAddr)
if err != nil {
// req.RemoteAddr is host:port for tcp and udp sockets and /unix/socket.path
Expand Down