Add domain allowlist to block SSRF via first-party proxy redirects

.env.dev

@@ -8,3 +8,11 @@ TRUSTED_SERVER__SYNTHETIC__OPID_STORE=opid_store
 # [proxy]
 # Disable TLS certificate verification for local dev with self-signed certs
 # TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK=false
+#
+# Restrict first-party proxy redirect targets to an allowlist (JSON array or indexed form).
+# Leave unset in local dev; configure in production to prevent SSRF via redirect chains
+# initiated by signed first-party proxy URLs.
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS='["*.doubleclick.net","*.googlesyndication.com"]'
+# Or using indexed form:
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__0='*.doubleclick.net'
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__1='*.googlesyndication.com'

crates/common/src/proxy.rs

@@ -460,6 +460,27 @@ fn append_synthetic_id(req: &Request, target_url_parsed: &mut url::Url) {
     }
 }
 
+/// Returns `true` if `host` is permitted by `pattern`.
+///
+/// - `"example.com"` matches exactly `example.com`.
+/// - `"*.example.com"` matches `example.com` and any subdomain at any depth.
+///
+/// Comparison is case-insensitive. The wildcard check requires a dot boundary,
+/// so `"*.example.com"` does **not** match `"evil-example.com"`.
+fn is_host_allowed(host: &str, pattern: &str) -> bool {
+    let host = host.to_ascii_lowercase();
+    let pattern = pattern.to_ascii_lowercase();
+
+    if let Some(suffix) = pattern.strip_prefix("*.") {
+        host == suffix
+            || host
+                .strip_suffix(suffix)
+                .is_some_and(|rest| rest.ends_with('.'))
+    } else {
+        host == pattern
+    }
+}
+
 async fn proxy_with_redirects(
     settings: &Settings,
     req: &Request,
@@ -563,6 +584,25 @@ async fn proxy_with_redirects(
             return finalize_response(settings, req, &current_url, beresp, stream_passthrough);
         }
 
+        if !settings.proxy.allowed_domains.is_empty() {
+            let next_host = next_url.host_str().unwrap_or("");
+            let allowed = settings
+                .proxy
+                .allowed_domains
+                .iter()
+                .any(|p| is_host_allowed(next_host, p));
+
+            if !allowed {
+                log::warn!(
+                    "redirect to `{}` blocked: host not in proxy allowed_domains",
+                    next_host
+                );
+                return Err(Report::new(TrustedServerError::Proxy {
+                    message: format!("redirect to `{next_host}` is not permitted"),
+                }));
+            }
+        }
+
         log::info!(
             "following redirect {} => {} (status {})",
             current_url,
@@ -1086,7 +1126,7 @@ fn reconstruct_and_validate_signed_target(
 mod tests {
     use super::{
         copy_proxy_forward_headers, handle_first_party_click, handle_first_party_proxy,
-        handle_first_party_proxy_rebuild, handle_first_party_proxy_sign,
+        handle_first_party_proxy_rebuild, handle_first_party_proxy_sign, is_host_allowed,
         reconstruct_and_validate_signed_target, ProxyRequestConfig, SUPPORTED_ENCODINGS,
     };
     use crate::error::{IntoHttpResponse, TrustedServerError};
@@ -1797,4 +1837,126 @@ mod tests {
             body
         );
     }
+
+    // --- is_host_allowed ---
+
+    #[test]
+    fn exact_match() {
+        assert!(
+            is_host_allowed("example.com", "example.com"),
+            "should match exact domain"
+        );
+    }
+
+    #[test]
+    fn exact_no_match() {
+        assert!(
+            !is_host_allowed("other.com", "example.com"),
+            "should not match different domain"
+        );
+    }
+
+    #[test]
+    fn wildcard_subdomain() {
+        assert!(
+            is_host_allowed("ad.example.com", "*.example.com"),
+            "should match direct subdomain"
+        );
+    }
+
+    #[test]
+    fn wildcard_deep_subdomain() {
+        assert!(
+            is_host_allowed("a.b.example.com", "*.example.com"),
+            "should match deep subdomain"
+        );
+    }
+
+    #[test]
+    fn wildcard_apex_match() {
+        assert!(
+            is_host_allowed("example.com", "*.example.com"),
+            "wildcard should also match apex domain"
+        );
+    }
+
+    #[test]
+    fn wildcard_no_boundary_bypass() {
+        assert!(
+            !is_host_allowed("evil-example.com", "*.example.com"),
+            "should not match host that lacks dot boundary"
+        );
+    }
+
+    #[test]
+    fn case_insensitive_host() {
+        assert!(
+            is_host_allowed("AD.EXAMPLE.COM", "*.example.com"),
+            "should match uppercase host"
+        );
+    }
+
+    #[test]
+    fn case_insensitive_pattern() {
+        assert!(
+            is_host_allowed("ad.example.com", "*.EXAMPLE.COM"),
+            "should match uppercase pattern"
+        );
+    }
+
+    // --- redirect allowlist enforcement (logic tests via is_host_allowed) ---
+
+    #[test]
+    fn redirect_allowed_exact() {
+        let allowed = ["ad.example.com".to_string()];
+        assert!(
+            allowed.iter().any(|p| is_host_allowed("ad.example.com", p)),
+            "should permit exact-match host"
+        );
+    }
+
+    #[test]
+    fn redirect_allowed_wildcard() {
+        let allowed = ["*.example.com".to_string()];
+        assert!(
+            allowed
+                .iter()
+                .any(|p| is_host_allowed("sub.example.com", p)),
+            "should permit wildcard-matched host"
+        );
+    }
+
+    #[test]
+    fn redirect_blocked() {
+        let allowed = ["*.example.com".to_string()];
+        assert!(
+            !allowed.iter().any(|p| is_host_allowed("evil.com", p)),
+            "should block host not in allowlist"
+        );
+    }
+
+    #[test]
+    fn redirect_empty_allowlist_permits_any() {
+        // The guard at proxy_with_redirects checks `!allowed_domains.is_empty()`
+        // before calling is_host_allowed, so no host is ever blocked when the
+        // list is empty. Verify the combined condition is false for any host.
+        let allowed: [String; 0] = [];
+        let would_block =
+            !allowed.is_empty() && !allowed.iter().any(|p| is_host_allowed("evil.com", p));
+        assert!(
+            !would_block,
+            "empty allowlist should not block any redirect host"
+        );
+    }
+
+    #[test]
+    fn redirect_bypass_attempt() {
+        let allowed = ["*.example.com".to_string()];
+        assert!(
+            !allowed
+                .iter()
+                .any(|p| is_host_allowed("evil-example.com", p)),
+            "should block dot-boundary bypass attempt"
+        );
+    }
 }

crates/common/src/settings.rs

@@ -280,6 +280,17 @@ pub struct Proxy {
     /// Set to false for local development with self-signed certificates.
     #[serde(default = "default_certificate_check")]
     pub certificate_check: bool,
+    /// Permitted redirect target domains for the first-party proxy.
+    ///
+    /// Supports exact hostname match (`"example.com"`) and subdomain wildcard
+    /// prefix (`"*.example.com"`, which also matches the apex `example.com`).
+    /// Matching is case-insensitive.
+    ///
+    /// When empty (the default), redirect destinations are not restricted.
+    /// Configure this in production to prevent SSRF via redirect chains
+    /// initiated by signed first-party proxy URLs.
+    #[serde(default, deserialize_with = "vec_from_seq_or_map")]
+    pub allowed_domains: Vec<String>,
 }
 
 fn default_certificate_check() -> bool {
@@ -290,6 +301,7 @@ impl Default for Proxy {
     fn default() -> Self {
         Self {
             certificate_check: default_certificate_check(),
+            allowed_domains: Vec::new(),
         }
     }
 }

trusted-server.toml

@@ -112,11 +112,26 @@ rewrite_script = true
 
 
 # Proxy configuration
-# [proxy]
+[proxy]
 # Enable TLS certificate verification when proxying to HTTPS origins.
 # Defaults to true. Set to false only for local development with self-signed certificates.
 # certificate_check = true
 
+# Restrict redirect destinations for the first-party proxy to an explicit domain allowlist.
+# Supports exact match ("example.com") and subdomain wildcard prefix ("*.example.com").
+# Wildcard prefix also matches the apex domain ("*.example.com" matches "example.com").
+# Matching is case-insensitive. A dot-boundary check prevents "*.example.com" from
+# matching "evil-example.com".
+# When omitted or empty, redirect destinations are unrestricted — configure this in
+# production to prevent SSRF via signed URLs that redirect to internal services.
+# Note: this list governs only the first-party proxy redirect chain, not integration
+# endpoints defined under [integrations.*].
+# allowed_domains = [
+    # "ad.example.com",
+    # "*.doubleclick.net",
+    # "*.googlesyndication.com",
+# ]
+
 [auction]
 enabled = true
 providers = ["prebid"]