Use built in trusted proxy functionality (#13318)

* Use built in trusted proxy functionality
instead of fideloper/proxy

* my favorite style rule...

* hello braindead ide

* restore space

app/Http/Middleware/TrustProxies.php

@@ -3,26 +3,25 @@
 namespace App\Http\Middleware;
 
 use Illuminate\Http\Middleware\TrustProxies as Middleware;
-use Illuminate\Http\Request;
 
 class TrustProxies extends Middleware
 {
-    /**
+    protected function getTrustedHeaderNames()
-     * The trusted proxies for this application.
+    {
-     *
+        $this->headers = config('trustedproxy.headers');
-     * @var array|string|null
+
-     */
+        return parent::getTrustedHeaderNames();
-    protected $proxies;
+    }
 
     /**
-     * The headers that should be used to detect proxies.
+     * Get the trusted proxies.
      *
-     * @var int
+     * @return array|string|null
      */
-    protected $headers =
+    protected function proxies()
-        Request::HEADER_X_FORWARDED_FOR |
+    {
-        Request::HEADER_X_FORWARDED_HOST |
+        $this->proxies = config('trustedproxy.proxies');
-        Request::HEADER_X_FORWARDED_PORT |
+
-        Request::HEADER_X_FORWARDED_PROTO |
+        return parent::proxies();
-        Request::HEADER_X_FORWARDED_AWS_ELB;
+    }
 }

composer.json

@@ -30,7 +30,6 @@
         "easybook/geshi": "^1.0.8",
         "ezyang/htmlpurifier": "^4.8",
         "fico7489/laravel-pivot": "^3.0",
-        "fideloper/proxy": "^4.4",
         "fruitcake/laravel-cors": "^2.0",
         "genealabs/laravel-caffeine": "^8.0",
         "guzzlehttp/guzzle": "^7.0.1",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "9ab00e7f7d4af766342b38b9019f7fe7",
+    "content-hash": "4756600b7d329eed706b8a224e47fb4a",
     "packages": [
         {
             "name": "amenadiel/jpgraph",
@@ -1115,64 +1115,6 @@
             },
             "time": "2020-10-05T06:12:29+00:00"
         },
-        {
-            "name": "fideloper/proxy",
-            "version": "4.4.1",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/fideloper/TrustedProxy.git",
-                "reference": "c073b2bd04d1c90e04dc1b787662b558dd65ade0"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/fideloper/TrustedProxy/zipball/c073b2bd04d1c90e04dc1b787662b558dd65ade0",
-                "reference": "c073b2bd04d1c90e04dc1b787662b558dd65ade0",
-                "shasum": ""
-            },
-            "require": {
-                "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0",
-                "php": ">=5.4.0"
-            },
-            "require-dev": {
-                "illuminate/http": "^5.0|^6.0|^7.0|^8.0|^9.0",
-                "mockery/mockery": "^1.0",
-                "phpunit/phpunit": "^6.0"
-            },
-            "type": "library",
-            "extra": {
-                "laravel": {
-                    "providers": [
-                        "Fideloper\\Proxy\\TrustedProxyServiceProvider"
-                    ]
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "Fideloper\\Proxy\\": "src/"
-                }
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Chris Fidao",
-                    "email": "fideloper@gmail.com"
-                }
-            ],
-            "description": "Set trusted proxies for Laravel",
-            "keywords": [
-                "load balancing",
-                "proxy",
-                "trusted proxy"
-            ],
-            "support": {
-                "issues": "https://github.com/fideloper/TrustedProxy/issues",
-                "source": "https://github.com/fideloper/TrustedProxy/tree/4.4.1"
-            },
-            "time": "2020-10-22T13:48:01+00:00"
-        },
         {
             "name": "fruitcake/laravel-cors",
             "version": "v2.0.4",

config/trustedproxy.php

@@ -1,12 +1,14 @@
 <?php
 
- /*
+/*
- | !!!! DO NOT EDIT THIS FILE !!!!
+| !!!! DO NOT EDIT THIS FILE !!!!
- |
+|
- | You can change settings by setting them in the environment or .env
+| You can change settings by setting them in the environment or .env
- | If there is something you need to change, but is not available as an environment setting,
+| If there is something you need to change, but is not available as an environment setting,
- | request an environment variable to be created upstream or send a pull request.
+| request an environment variable to be created upstream or send a pull request.
- */
+*/
+
+use Illuminate\Http\Request;
 
 return [
 
@@ -53,6 +55,10 @@ return [
      *
      * @link https://symfony.com/doc/current/deployment/proxies.html
      */
-    'headers' => Illuminate\Http\Request::HEADER_X_FORWARDED_ALL,
+    'headers' => Request::HEADER_X_FORWARDED_FOR |
+        Request::HEADER_X_FORWARDED_HOST |
+        Request::HEADER_X_FORWARDED_PORT |
+        Request::HEADER_X_FORWARDED_PROTO |
+        Request::HEADER_X_FORWARDED_AWS_ELB,
 
 ];

doc/General/Security.md

@@ -18,6 +18,14 @@ an SSL certificate such as ones provided by [LetsEncrypt](http://www.letsencrypt
 
 Please ensure you keep your install [up to date](Updating.md).
 
+## Trusted Proxies
+
+When using a reverse proxy, you may restrict the hosts allowed to forward
+headers to LibreNMS. By default this allows all proxies, due to legacy reasons.
+
+Set APP_TRUSTED_PROXIES in your .env to an empty string or the urls to
+the proxies allowed to forward.
+
 # Reporting vulnerabilities
 
 Like anyone, we appreciate the work people put in to find flaws in