support cidr notation for --xff-src, --ipa, --*-ipa

the old `10.88.` syntax is still supported, translating to `10.88.0.0/16` also fix `--tftp-ipa` when optimizations are enabled
2025-10-03 09:49:29 +02:00 · 2024-03-14 19:07:35 +01:00 · 2024-03-14 19:07:35 +01:00 · b377791be7
commit b377791be7
parent 78919e65d6
13 changed files with 103 additions and 44 deletions
--- a/docs/examples/docker/idp-authelia-traefik/cpp/copyparty.conf
+++ b/docs/examples/docker/idp-authelia-traefik/cpp/copyparty.conf
@ -24,8 +24,8 @@
  # if we are confident that we got the docker-network config correct
  # (meaning copyparty is only accessible through traefik, and
  #  traefik makes sure that all requests go through authelia),
-  # then disable the reverse-proxy source-ip safety check like this:
-  xff-src: any
+  # then accept X-Forwarded-For and IdP headers from any private IP:
+  xff-src: lan

  # enable IdP support by expecting username/groupname in
  # http-headers provided by the reverse-proxy; header "X-IdP-User"
--- a/docs/examples/docker/idp/copyparty.conf
+++ b/docs/examples/docker/idp/copyparty.conf
@ -31,7 +31,10 @@
  # preventing malicious users from pretending to be the proxy;
  # pay attention to the warning message in the logs and then
  # adjust the following config option accordingly:
-  xff-src: 192.168.
+  xff-src: 192.168.0.0/16
+
+  # or just allow all LAN / private IPs (probably good enough):
+  xff-src: lan

  # an additional, optional security measure is to expect a
  # secret header name from the reverse-proxy; you can enable