feat: support CIDR notation for ForwardProxies in configuration (#85)

WybrenKoelmans · web-flow · commit 199e4935a200 · 2026-01-21T20:31:57.000+01:00
diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ WebRootPath: "/opt/ss14_admin/bin/wwwroot"
 
 ForwardProxies:
     - 127.0.0.1
+    - 172.16.0.0/12  # Supports CIDR notation for subnets  (Docker)
 
 Auth:
     Authority: "https://central.spacestation14.io/web/"
diff --git a/SS14.Admin/Startup.cs b/SS14.Admin/Startup.cs
@@ -99,9 +99,28 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
             };
 
-            foreach (var ip in Configuration.GetSection("ForwardProxies").Get<string[]>() ?? Array.Empty<string>())
+            foreach (var entry in Configuration.GetSection("ForwardProxies").Get<string[]>() ?? Array.Empty<string>())
             {
-                forwardedHeadersOptions.KnownProxies.Add(IPAddress.Parse(ip));
+                // Try to parse as CIDR notation first (e.g., 192.168.1.0/24)
+                if (IPHelper.TryParseIpOrCidr(entry, out var parsed))
+                {
+                    var (ipAddress, prefixLength) = parsed;
+                    if (prefixLength.HasValue)
+                    {
+                        // It's a CIDR subnet, add to KnownNetworks
+                        var network = new Microsoft.AspNetCore.HttpOverrides.IPNetwork(ipAddress, prefixLength.Value);
+                        forwardedHeadersOptions.KnownNetworks.Add(network);
+                    }
+                    else
+                    {
+                        // It's a single IP address, add to KnownProxies
+                        forwardedHeadersOptions.KnownProxies.Add(ipAddress);
+                    }
+                }
+                else
+                {
+                    throw new InvalidOperationException($"Invalid IP address or CIDR notation in ForwardProxies: {entry}");
+                }
             }
 
             app.UseForwardedHeaders(forwardedHeadersOptions);
diff --git a/SS14.Admin/appsettings.yml b/SS14.Admin/appsettings.yml
@@ -18,6 +18,7 @@ Serilog:
 
 ForwardProxies:
   - 127.0.0.1
+  # - 172.16.0.0/12  # Supports CIDR notation for subnets (Docker)
 
 AuthServer: "https://central.spacestation14.io/auth"
 AllowedHosts: "*"
