From abd6bf060d7d0eaafe192e350ec97905378dc454 Mon Sep 17 00:00:00 2001 From: Klaus Post Date: Fri, 29 Nov 2024 04:55:37 -0800 Subject: [PATCH] Add 'X-Forwarded-For' to (s)FTP requests (#20709) Fixes #20707 --- cmd/ftp-server-driver.go | 10 ++++++++-- cmd/sftp-server-driver.go | 27 ++++++++++++++++++++++++--- cmd/sftp-server.go | 7 ++++++- 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/cmd/ftp-server-driver.go b/cmd/ftp-server-driver.go index 14df480eb546f..c2418f3eb95e1 100644 --- a/cmd/ftp-server-driver.go +++ b/cmd/ftp-server-driver.go @@ -24,6 +24,8 @@ import ( "errors" "fmt" "io" + "net" + "net/http" "os" "path" "strings" @@ -286,6 +288,10 @@ func (driver *ftpDriver) CheckPasswd(c *ftp.Context, username, password string) } func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error) { + tr := http.RoundTripper(globalRemoteFTPClientTransport) + if host, _, err := net.SplitHostPort(ctx.Sess.RemoteAddr().String()); err == nil { + tr = forwardForTransport{tr: tr, fwd: host} + } ui, ok := globalIAMSys.GetUser(context.Background(), ctx.Sess.LoginUser()) if !ok && !globalIAMSys.LDAPConfig.Enabled() { return nil, errNoSuchUser @@ -363,7 +369,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error) return minio.New(driver.endpoint, &minio.Options{ Creds: mcreds, Secure: globalIsTLS, - Transport: globalRemoteFTPClientTransport, + Transport: tr, }) } @@ -377,7 +383,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error) return minio.New(driver.endpoint, &minio.Options{ Creds: credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""), Secure: globalIsTLS, - Transport: globalRemoteFTPClientTransport, + Transport: tr, }) } diff --git a/cmd/sftp-server-driver.go b/cmd/sftp-server-driver.go index c4c506fe08dee..33ddf6b66f867 100644 --- a/cmd/sftp-server-driver.go +++ b/cmd/sftp-server-driver.go @@ -23,6 +23,7 @@ import ( "errors" "fmt" "io" + "net/http" "os" "path" "strings" @@ -45,6 +46,7 @@ const ftpMaxWriteOffset = 100 << 20 type sftpDriver struct { permissions *ssh.Permissions endpoint string + remoteIP string } //msgp:ignore sftpMetrics @@ -89,8 +91,12 @@ func (m *sftpMetrics) log(s *sftp.Request, user string) func(sz int64, err error // - sftp.Filewrite // - sftp.Filelist // - sftp.Filecmd -func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers { - handler := &sftpDriver{endpoint: fmt.Sprintf("127.0.0.1:%s", globalMinioPort), permissions: perms} +func NewSFTPDriver(perms *ssh.Permissions, remoteIP string) sftp.Handlers { + handler := &sftpDriver{ + endpoint: fmt.Sprintf("127.0.0.1:%s", globalMinioPort), + permissions: perms, + remoteIP: remoteIP, + } return sftp.Handlers{ FileGet: handler, FilePut: handler, @@ -99,16 +105,31 @@ func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers { } } +type forwardForTransport struct { + tr http.RoundTripper + fwd string +} + +func (f forwardForTransport) RoundTrip(r *http.Request) (*http.Response, error) { + r.Header.Set("X-Forwarded-For", f.fwd) + return f.tr.RoundTrip(r) +} + func (f *sftpDriver) getMinIOClient() (*minio.Client, error) { mcreds := credentials.NewStaticV4( f.permissions.CriticalOptions["AccessKey"], f.permissions.CriticalOptions["SecretKey"], f.permissions.CriticalOptions["SessionToken"], ) + // Set X-Forwarded-For on all requests. + tr := http.RoundTripper(globalRemoteFTPClientTransport) + if f.remoteIP != "" { + tr = forwardForTransport{tr: tr, fwd: f.remoteIP} + } return minio.New(f.endpoint, &minio.Options{ Creds: mcreds, Secure: globalIsTLS, - Transport: globalRemoteFTPClientTransport, + Transport: tr, }) } diff --git a/cmd/sftp-server.go b/cmd/sftp-server.go index 95a1482a998ea..640caf6057300 100644 --- a/cmd/sftp-server.go +++ b/cmd/sftp-server.go @@ -488,7 +488,12 @@ func startSFTPServer(args []string) { sshConfig.AddHostKey(private) handleSFTPSession := func(channel ssh.Channel, sconn *ssh.ServerConn) { - server := sftp.NewRequestServer(channel, NewSFTPDriver(sconn.Permissions), sftp.WithRSAllocator()) + var remoteIP string + + if host, _, err := net.SplitHostPort(sconn.RemoteAddr().String()); err == nil { + remoteIP = host + } + server := sftp.NewRequestServer(channel, NewSFTPDriver(sconn.Permissions, remoteIP), sftp.WithRSAllocator()) defer server.Close() server.Serve() }