Subnet mask support for spx.http_trusted_proxies

[paukert]

Hello,

I was wondering if it would be possible to add subnet mask support for spx.http_trusted_proxies or if it would be possible to allow * as a value for this configuration.

The value of $_SERVER['REMOTE_ADDR'] is quite dynamic in our use case (it is assigned from pool of IP addresses e.g. 10.10.10.0/24). We are also sure that the value of $_SERVER['<spx.http_ip_var>'] could not be forged so even * should be safe as far as I am concerned.

[NoiseByNorthwest]

We are also sure that the value of $_SERVER['<spx.http_ip_var>'] could not be forged so even * should be safe as far as I am concerned.

Yes but It could the day your app is not behind a RP anymore.

Anyway '*' is already supported for spx.http_ip_whitelist and was preferred over IP masks as it is far simpler to implement. We could do the same for spx.http_trusted_proxies.

I'll however try to see if implementing masks is costly as it looks.

[paukert]

Yes but It could the day your app is not behind a RP anymore.

Yes, that is true, but at least in our use case this should not happen out of nowhere and there is also the second layer of protection (spx.http_key).

Implementing IP mask support would be of course more secure way but allowing * is good enough for our use case (at least for now).

[NoiseByNorthwest]

@paukert could you please test with this branch https://github.com/NoiseByNorthwest/php-spx/tree/fix_259 ?

[paukert]

I will test it during next week, thanks for the implementation.

[NoiseByNorthwest]

@paukert I've just merged the patch since it is covered by tests and it may conflicts with #263

Feel free to reopen this issue if the patch appears to not work as expected.

[paukert]

@NoiseByNorthwest tested basic usage and few edge cases and it works like a charm, thanks again and sorry for the delay