mirror of
https://github.com/timothymiller/cloudflare-ddns.git
synced 2026-03-21 22:48:57 -03:00
Use Cloudflare trace by default and validate IPs
Default IPv4 provider is now CloudflareTrace. Primary uses api.cloudflare.com; fallbacks are literal IPs. Build per-family HTTP clients by binding to 0.0.0.0/[::] so the trace endpoint observes the requested address family. Add validate_detected_ip to reject wrong-family or non-global addresses (loopback, link-local, private, documentation ranges, etc). Update tests and legacy updater URLs. Default to Cloudflare trace and validate IPs Use api.cloudflare.com as the primary trace endpoint (fallbacks remain literal IPs) to avoid WARP/Zero Trust interception. Build IP-family-specific HTTP clients by binding to the unspecified address so the trace endpoint sees the correct family. Add validate_detected_ip to reject non-global or wrong-family addresses and expand tests. Bump crate version and tempfile dev-dependency.
@@ -243,7 +243,7 @@ fn read_providers_from_env(ppfmt: &PP) -> Result<HashMap<IpType, ProviderType>,
|
||||
let ip4_provider = match ip4_str {
|
||||
Some(s) => ProviderType::parse(&s)
|
||||
.map_err(|e| format!("Invalid IP4_PROVIDER: {e}"))?,
|
||||
None => ProviderType::Ipify,
|
||||
None => ProviderType::CloudflareTrace { url: None },
|
||||
};
|
||||
|
||||
let ip6_provider = match ip6_str {
|
||||
@@ -1429,12 +1429,12 @@ mod tests {
|
||||
let pp = PP::new(false, true);
|
||||
let providers = read_providers_from_env(&pp).unwrap();
|
||||
drop(g);
|
||||
// V4 defaults to Ipify, V6 defaults to CloudflareTrace.
|
||||
// Both V4 and V6 default to CloudflareTrace.
|
||||
assert!(providers.contains_key(&IpType::V4));
|
||||
assert!(providers.contains_key(&IpType::V6));
|
||||
assert!(matches!(
|
||||
providers[&IpType::V4],
|
||||
ProviderType::Ipify
|
||||
ProviderType::CloudflareTrace { url: None }
|
||||
));
|
||||
assert!(matches!(
|
||||
providers[&IpType::V6],
|
||||
|
||||
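Review bot: The `None` arm for `ip4_str` in the first hunk changes the detection source for every deployment that never set IP4_PROVIDER, and nothing in the visible lines tells the operator that this happened. Because this is a DDNS updater, the detected address presumably ends up in the published DNS record, so I would announce the fallback through `ppfmt` when the variable is unset and document the arm, e.g. `// IP4_PROVIDER unset: fall back to Cloudflare trace (ipify before this change); url: None presumably selects the built-in endpoints`. The test in the second hunk pins only the new default; a case asserting that an explicitly configured ipify provider still yields `ProviderType::Ipify` would guard the opt-out path, unless one already exists outside this hunk. `read_providers_from_env` starts and ends outside the hunk, so a notice may already be emitted elsewhere in the function.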