Fix: Add support for running CHProxy behind another proxy

[Blokje5]

Description

This PR adds a few new server settings: proxy.enable & proxy.header. proxy.enable adds enables the proxy middleware, which by default fetches the IP from well known proxy headers (X-Forwarded-For, X-Real-Ip, Forwarded). It will assume the first IP in the chain (if there are multiple) is the actual client IP. If proxy.header is set to a string, instead the proxy middleware will try to find a header that mathes that string (e.g. X-My-Proxy-Header).

Fixes #216

Pull request type

Please check the type of change your PR introduces:

• Bugfix
• Feature
• Code style update (formatting, renaming)
• Refactoring (no functional changes, no api changes)
• Build related changes
• Documentation content changes
• Other (please describe):

Checklist

• Linter passes correctly
• Add tests which fail without the change (if possible)
• All tests passing
• Extended the README / documentation, if necessary

Does this introduce a breaking change?

• Yes
• No

Further comments

There are some points of note:

• I have assumed everywhere that the first IP in the chain is the real client IP. For most use cases of CHProxy this will most likely be the right call. I guess documenting the behaviour is the way to go?
• in the an.Contains method, we now ignore the fact that a RemoteAddr might not contain a port. We could try to fetch this information from other headers (e.g. X-Forwarded-Port) but we didn't seem to use the port anyway.
• For custom headers I directly use the information stored in the header. This can go wrong if the custom header uses a custom scheme as well (e.g. IP string list, something similar to the forwarded header). But to support all edge cases, we would most likely need to support custom middleware.
• Right now I ignore all other proxy related headers and assume that the only thing the proxy changes on the request is the IP. This is not true for all proxies, but will suffice for most.

The main takeaway is that we won't be able to solve all possible use cases, however this should provide decent "default" behaviour for running CHProxy behind another proxy or load balancer.

[mga-chka]

I might miss something but were do you check in this test that the remote addr is modified?

Also, you should add the test that when the proxy is disabled, nothing is changed

[Blokje5]

The test works because allowed_networks: ["10.0.0.0/24"] is set in the config. It would return a 403 if the remote addr wasn't modified.

The proxy disabled setting should be covered by the other tests (as the middleware is always used).

[Blokje5]

I noticed an issue in the tests (I still need to update the PR). The test worked well in isolation but failed when I run all the tests:

The tests rely on creating a net.Listener to listenAndServe which wraps the listener in a server handling connections. To end the tests, the net.Listener is closed. However closing the net.Listener doesn't immediately close the server. If instead I make the http.Server available to the tests and call Shutdown the issue is removed. So it seems there are some race issues with multiple server instances running in the tests.

I need to find a clean way to handle this in the code (I used var globalServer *http.Server for easy debugging) and will let you know once I updated the tests.

[mga-chka]

Thanks for the work.

The logic looks good (minus the few edge cases I spotted regarding RFC 7239).

You should add a brief summary of the feature in chproxy/docs/content/en/index.md so that anyone reading chproxy.org can quickly see that chproxy can run behind another proxy.
You should also add more information (like the description of your PR) in chproxy/docs/content/en/configuration/server.md

Regarding the code organization, I have some concerns about creating a new package (called middleware, which is a bit vague) and unsing the chain of responsability/middleware pattern.
Out of context I like this pattern and it makes sense in a proxy. But, inside the chproxy codebase, it feels weird because it was not used before despite the fact that many features could have been implemented using this middleware pattern (like authentication, user limits ...). Moreover, all the small features are currently stored in the main package, so why adding a new one.
IMHO, this PR makes sense is if we want to refactor the current code and use a chaine of responsability pattern everywhere we can.

Since the code organization part is a bit opinionated, I'll let @sigua-cs & @Garnek20 give their point of views.

[mga-chka]

IMHO, you should add the fact that the first ip the list will be chosen

[mga-chka]

it will not work for ipv6 since cf the RFC, ipv6 are quoted strings;
Note that as ":" and "[]" are not valid characters in "token", IPv6 addresses are written as "quoted-string".

[mga-chka]

you should make the comparison case insensitive because in the RFC 7239 the examples shows that it can be for or For:
Forwarded: For="[2001:db8:cafe::17]:4711" Forwarded: for=192.0.2.43, for=198.51.100.17

[mga-chka]

you should also split by ";" because cf RFC it's a valid separator and since your return forSplits[0][4:], you'll return more than just the ip:
The header field value can be defined in ABNF syntax as:
Forwarded = 1#forwarded-element

forwarded-element = [ forwarded-pair ] *( ";" [ forwarded-pair ] )
Examples:

   Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43`

[mga-chka]

👍 nice tests
it might be worth adding the edge cases I mentioned above

[gontarzpawel]

Looks good to me, just IP validation for me is missing

[gontarzpawel]

what if the err comes due to other reason ?

[gontarzpawel]

if we're changing that part let's be golang agnostic and therefore (new given it returns a pointer)

Suggested change

	func createServer(ln net.Listener, h http.Handler, cfg config.TimeoutCfg) *http.Server {
	func newServer(ln net.Listener, h http.Handler, cfg config.TimeoutCfg) *http.Server {

[gontarzpawel]

I think we should also validate input IP. Maybe with ip := net.ParseIP(h) ?

[mga-chka]

you should remove the mention of middleware

[mga-chka]

👍

[mga-chka]

you extract the remoteAddr but I don't see where you do the logic r.RemoteAddr = remoteAddr
I'm not an expert but I guess this logic is needed given the pb, cf a lib doing the same as what we do https://github.com/gorilla/handlers/blob/v1.5.1/proxy_headers.go#L43
I might have loose it because I'm sure this logic was in your code 7 days ago

[Blokje5]

See the code below, the extracted remoteAddr is passed to the ANs:

remoteAddr := proxyHandler.GetRemoteAddr(r)

var an *config.Networks
if r.TLS != nil {
	an = allowedNetworksHTTPS.Load().(*config.Networks)
	err = fmt.Errorf("https connections are not allowed from %s", remoteAddr)
} else {
	an = allowedNetworksHTTP.Load().(*config.Networks)
	err = fmt.Errorf("http connections are not allowed from %s", remoteAddr)
}

[mga-chka]

it's a bit picky but IMHO, instead of storing proxySettings, you could store a proxyHandler as an atomicValue. Indeed, conceptually, there is no reason to instantiate as new proxyHandler for every query. We only need to instantiate one every time the config change (which is what you're currently doing with config.Proxy who is only needed for the proxyHandler so not really needed in the end)

[Blokje5]

Actually that makes a lot of sense. I've updated the PR to load the proxyHandler.

[gontarzpawel]

Thanks @Blokje5 !