Allow trusted proxies to be provided via TRUSTED_PROXIES env var

2026-02-28 04:03:12 +08:00 · 2025-07-17 09:57:34 +02:00
parent 650fafb7c4
commit 1f825797f6
3 changed files with 44 additions and 36 deletions
--- a/config/autoload/ip-address.global.php
+++ b/config/autoload/ip-address.global.php
@@ -2,51 +2,56 @@

 declare(strict_types=1);

-use Psr\Container\ContainerInterface;
 use RKA\Middleware\IpAddress;
 use RKA\Middleware\Mezzio\IpAddressFactory;
+use Shlinkio\Shlink\Core\Config\EnvVars;
 use Shlinkio\Shlink\Core\Middleware\ReverseForwardedAddressesMiddlewareDecorator;

+use function Shlinkio\Shlink\Core\splitByComma;
+
 use const Shlinkio\Shlink\IP_ADDRESS_REQUEST_ATTRIBUTE;

-return [
+return (static function (): array {
+    $trustedProxies = EnvVars::TRUSTED_PROXIES->loadFromEnv();

-    // Configuration for RKA\Middleware\IpAddress
-    'rka' => [
-        'ip_address' => [
-            'attribute_name' => IP_ADDRESS_REQUEST_ATTRIBUTE,
-            'check_proxy_headers' => true,
-            'trusted_proxies' => [],
-            'headers_to_inspect' => [
-                'CF-Connecting-IP',
-                'X-Forwarded-For',
-                'X-Forwarded',
-                'Forwarded',
-                'True-Client-IP',
-                'X-Real-IP',
-                'X-Cluster-Client-Ip',
-                'Client-Ip',
-            ],
-        ],
-    ],
+    return [

-    'dependencies' => [
-        'factories' => [
-            IpAddress::class => IpAddressFactory::class,
-        ],
-        'delegators' => [
-            // Make middleware decoration transparent to other parts of the code
-            IpAddress::class => [
-                function (
-                    ContainerInterface $container,
-                    string $name,
-                    callable $callback
-                ): ReverseForwardedAddressesMiddlewareDecorator {
-                    return new ReverseForwardedAddressesMiddlewareDecorator($callback());
-                },
+        // Configuration for RKA\Middleware\IpAddress
+        'rka' => [
+            'ip_address' => [
+                'attribute_name' => IP_ADDRESS_REQUEST_ATTRIBUTE,
+                'check_proxy_headers' => true,
+                'trusted_proxies' => splitByComma($trustedProxies),
+                'headers_to_inspect' => [
+                    'CF-Connecting-IP',
+                    'X-Forwarded-For',
+                    'X-Forwarded',
+                    'Forwarded',
+                    'True-Client-IP',
+                    'X-Real-IP',
+                    'X-Cluster-Client-Ip',
+                    'Client-Ip',
+                ],
            ],
        ],

-    ],
+        'dependencies' => [
+            'factories' => [
+                IpAddress::class => IpAddressFactory::class,
+            ],
+            'delegators' => [
+                // Make middleware decoration transparent to other parts of the code
+                IpAddress::class => [
+                    fn ($c, $n, callable $callback) =>
+                        // If trusted proxies have been provided, use original middleware verbatim, otherwise decorate
+                        // with workaround
+                        $trustedProxies !== null
+                            ? $callback()
+                            : new ReverseForwardedAddressesMiddlewareDecorator($callback()),
+                ],
+            ],

-];
+        ],
+
+    ];
+})();