Optionally support X-Forwarded-For in both HTTP and WebSocket transports (fixes #3158) #3160
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Adding the |
|
Merging. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See #3158 for rationale. This patch allows both HTTP and WebSocket transports to optionally inspect the
X-Forwarded-Forheader in requests to check whether or not a request is allowed by the transport's ACL rules. The support is optional and disabled by default to avoid abuses, since spoofing the header is trivial: as such, it should only be configured if a proxy is indeed in front of Janus, it's the only one able to talk to Janus, and there's reasons to filter clients contacting the proxy.I haven't checked if the APIs I used require specific versions of MHD or libwebsockets. I'll wait for our Github Actions to see if the ones we use normally do support them. Feedback welcome, as usual.