fastlyのipも信頼する

cateiru · Feb 18, 2024 · 148ff52 · 148ff52
1 parent 74ac4ae
commit 148ff52
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 3 deletions.
diff --git a/src/config.go b/src/config.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cateiru/cateiru-sso/src/lib"
 	"github.com/go-sql-driver/mysql"
 	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -42,6 +43,9 @@ type Config struct {
 
 	// CORS設定
 	CorsConfig *middleware.CORSConfig
+	// IP設定
+	// ref. https://echo.labstack.com/docs/ip-address
+	IPExtractor echo.IPExtractor
 
 	// CSRF対策
 	// `Sec-Fetch-Site` ヘッダを検証する
@@ -239,7 +243,8 @@ var LocalConfig = &Config{
 		Scheme: "http",
 	},
 
-	CorsConfig: nil,
+	CorsConfig:  nil,
+	IPExtractor: echo.ExtractIPFromXFFHeader(),
 
 	EnableCSRFMeasures: false, // crulから叩きたいケースがあるので無効化する
 
@@ -427,7 +432,8 @@ var CloudRunConfig = &Config{
 		Scheme: "https",
 	},
 
-	CorsConfig: nil,
+	CorsConfig:  nil,
+	IPExtractor: echo.ExtractIPFromXFFHeader(),
 
 	EnableCSRFMeasures: true,
 
@@ -617,6 +623,9 @@ var CloudRunStagingConfig = &Config{
 	},
 
 	CorsConfig: nil,
+	IPExtractor: echo.ExtractIPFromXFFHeader(
+		FastlyTrust()...,
+	),
 
 	EnableCSRFMeasures: true,
 
@@ -803,7 +812,8 @@ var TestConfig = &Config{
 		Scheme: "http",
 	},
 
-	CorsConfig: nil,
+	CorsConfig:  nil,
+	IPExtractor: echo.ExtractIPFromXFFHeader(),
 
 	EnableCSRFMeasures: false,
 

diff --git a/src/fastly.go b/src/fastly.go
@@ -0,0 +1,51 @@
+package src
+
+import (
+	"net"
+
+	"github.com/labstack/echo/v4"
+)
+
+// Fastly のエッジサーバーのIPアドレス一覧
+// TODO: 実行時に毎回APIを叩いて更新できるようにする
+// ref. `curl "https://api.fastly.com/public-ip-list" | jq ".addresses"`
+var fastlyIpAddresses []string = []string{
+	"23.235.32.0/20",
+	"43.249.72.0/22",
+	"103.244.50.0/24",
+	"103.245.222.0/23",
+	"103.245.224.0/24",
+	"104.156.80.0/20",
+	"140.248.64.0/18",
+	"140.248.128.0/17",
+	"146.75.0.0/17",
+	"151.101.0.0/16",
+	"157.52.64.0/18",
+	"167.82.0.0/17",
+	"167.82.128.0/20",
+	"167.82.160.0/20",
+	"167.82.224.0/20",
+	"172.111.64.0/18",
+	"185.31.16.0/22",
+	"199.27.72.0/21",
+	"199.232.0.0/16",
+}
+
+func FastlyTrust() []echo.TrustOption {
+	options := []echo.TrustOption{
+		echo.TrustLoopback(false),   // e.g. ipv4 start with 127.
+		echo.TrustLinkLocal(false),  // e.g. ipv4 start with 169.254
+		echo.TrustPrivateNet(false), // e.g. ipv4 start with 10. or 192.168
+	}
+
+	for _, fastlyIp := range fastlyIpAddresses {
+		_, ipNet, err := net.ParseCIDR(fastlyIp)
+		if err != nil {
+			panic(err)
+		}
+
+		options = append(options, echo.TrustIPRange(ipNet))
+	}
+
+	return options
+}
diff --git a/src/fastly_test.go b/src/fastly_test.go
@@ -0,0 +1,14 @@
+package src_test
+
+import (
+	"testing"
+
+	"github.com/cateiru/cateiru-sso/src"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFastlyTrust(t *testing.T) {
+	trustOptions := src.FastlyTrust()
+
+	require.Len(t, trustOptions, 22)
+}