add sasl-only config option

irc/accounts.go

 }
 
 func (am *AccountManager) dispatchCallback(client *Client, casefoldedAccount string, callbackNamespace string, callbackValue string) (string, error) {
-	if callbackNamespace == "*" || callbackNamespace == "none" {
+	if callbackNamespace == "*" || callbackNamespace == "none" || callbackNamespace == "admin" {
 		return "", nil
 	} else if callbackNamespace == "mailto" {
 		return am.dispatchMailtoCallback(client, casefoldedAccount, callbackValue)
 	if err != nil {
 		return err
 	}
-	am.Login(client, clientAccount)
+	if client != nil {
+		am.Login(client, clientAccount)
+	}
 	return nil
 }
 

irc/client.go

 	IRCv3TimestampFormat = "2006-01-02T15:04:05.000Z"
 )
 
-var (
-	LoopbackIP = net.ParseIP("127.0.0.1")
-)
-
 // ResumeDetails is a place to stash data at various stages of
 // the resume process: when handling the RESUME command itself,
 // when completing the registration, and when rejoining channels.
 	account            string
 	accountName        string // display name of the account: uncasefolded, '*' if not logged in
 	atime              time.Time
-	authorized         bool
 	awayMessage        string
 	capabilities       *caps.Set
 	capState           caps.State
 	quitMessage        string
 	rawHostname        string
 	realname           string
+	realIP             net.IP
 	registered         bool
 	resumeDetails      *ResumeDetails
 	resumeToken        string
 	saslInProgress     bool
 	saslMechanism      string
 	saslValue          string
+	sentPassCommand    bool
 	server             *Server
 	skeleton           string
 	socket             *Socket
 	socket := NewSocket(conn, fullLineLenLimit*2, config.Server.MaxSendQBytes)
 	client := &Client{
 		atime:        now,
-		authorized:   server.Password() == nil,
 		capabilities: caps.NewSet(),
 		capState:     caps.NoneState,
 		capVersion:   caps.Cap301,
 	}
 	client.languages = server.languages.Default()
 
+	remoteAddr := conn.RemoteAddr()
+	client.realIP = utils.AddrToIP(remoteAddr)
+	if client.realIP == nil {
+		server.logger.Error("internal", "bad remote address", remoteAddr.String())
+		return
+	}
 	client.recomputeMaxlens()
 	if isTLS {
 		client.SetMode(modes.TLS, true)
 		// error is not useful to us here anyways so we can ignore it
 		client.certfp, _ = client.socket.CertFP()
 	}
-	if config.Server.CheckIdent && !utils.AddrIsUnix(conn.RemoteAddr()) {
+	if config.Server.CheckIdent && !utils.AddrIsUnix(remoteAddr) {
 		_, serverPortString, err := net.SplitHostPort(conn.LocalAddr().String())
 		if err != nil {
 			server.logger.Error("internal", "bad server address", err.Error())
 	go client.run()
 }
 
+func (client *Client) isAuthorized(config *Config) bool {
+	saslSent := client.account != ""
+	passRequirementMet := (config.Server.passwordBytes == nil) || client.sentPassCommand || (config.Accounts.SkipServerPassword && saslSent)
+	if !passRequirementMet {
+		return false
+	}
+	saslRequirementMet := !config.Accounts.RequireSasl.Enabled || saslSent || utils.IPInNets(client.IP(), config.Accounts.RequireSasl.exemptedNets)
+	return saslRequirementMet
+}
+
 func (client *Client) resetFakelag() {
 	fakelag := func() *Fakelag {
 		if client.HasRoleCapabs("nofakelag") {
 
 // IP returns the IP address of this client.
 func (client *Client) IP() net.IP {
+	client.stateMutex.RLock()
+	defer client.stateMutex.RUnlock()
+
 	if client.proxiedIP != nil {
 		return client.proxiedIP
 	}
-	if ip := utils.AddrToIP(client.socket.conn.RemoteAddr()); ip != nil {
-		return ip
-	}
-	// unix domain socket that hasn't issued PROXY/WEBIRC yet. YOLO
-	return LoopbackIP
+	return client.realIP
 }
 
 // IPString returns the IP address of this client as a string.
 
 	// Set the hostname for this client
 	// (may be overridden by a later PROXY command from stunnel)
-	client.rawHostname = utils.AddrLookupHostname(client.socket.conn.RemoteAddr())
+	client.rawHostname = utils.LookupHostname(client.realIP.String())
 
 	firstLine := true
 

irc/commands.go

 	}
 
 	// most servers do this only for PING/PONG, but we'll do it for any command:
-	client.idletimer.Touch()
+	if client.registered {
+		client.idletimer.Touch()
+	}
 
 	if !cmd.leaveClientIdle {
 		client.Active()

irc/config.go

 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"os"
 	"path/filepath"
 	"regexp"
 type AccountConfig struct {
 	Registration          AccountRegistrationConfig
 	AuthenticationEnabled bool `yaml:"authentication-enabled"`
-	LoginThrottling       struct {
+	RequireSasl           struct {
+		Enabled      bool
+		Exempted     []string
+		exemptedNets []net.IPNet
+	} `yaml:"require-sasl"`
+	LoginThrottling struct {
 		Enabled     bool
 		Duration    time.Duration
 		MaxAttempts int `yaml:"max-attempts"`
 		STS                  STSConfig
 		CheckIdent           bool `yaml:"check-ident"`
 		MOTD                 string
-		MOTDFormatting       bool           `yaml:"motd-formatting"`
-		ProxyAllowedFrom     []string       `yaml:"proxy-allowed-from"`
+		MOTDFormatting       bool     `yaml:"motd-formatting"`
+		ProxyAllowedFrom     []string `yaml:"proxy-allowed-from"`
+		proxyAllowedFromNets []net.IPNet
 		WebIRC               []webircConfig `yaml:"webirc"`
 		MaxSendQString       string         `yaml:"max-sendq"`
 		MaxSendQBytes        int
 		}
 	}
 
+	config.Accounts.RequireSasl.exemptedNets, err = utils.ParseNetList(config.Accounts.RequireSasl.Exempted)
+	if err != nil {
+		return nil, fmt.Errorf("Could not parse require-sasl exempted nets: %v", err.Error())
+	}
+
+	config.Server.proxyAllowedFromNets, err = utils.ParseNetList(config.Server.ProxyAllowedFrom)
+	if err != nil {
+		return nil, fmt.Errorf("Could not parse proxy-allowed-from nets: %v", err.Error())
+	}
+
 	rawRegexp := config.Accounts.VHosts.ValidRegexpRaw
 	if rawRegexp != "" {
 		regexp, err := regexp.Compile(rawRegexp)

irc/connection_limits/limiter.go

 	"fmt"
 	"net"
 	"sync"
+
+	"github.com/oragono/oragono/irc/utils"
 )
 
 // LimiterConfig controls the automated connection limits.
 	// population holds IP -> count of clients connected from there
 	population map[string]int
 
-	// exemptedIPs holds IPs that are exempt from limits
-	exemptedIPs map[string]bool
 	// exemptedNets holds networks that are exempt from limits
 	exemptedNets []net.IPNet
 }
 
 	// check exempted lists
 	// we don't track populations for exempted addresses or nets - this is by design
-	if cl.exemptedIPs[addr.String()] {
+	if utils.IPInNets(addr, cl.exemptedNets) {
 		return nil
 	}
-	for _, ex := range cl.exemptedNets {
-		if ex.Contains(addr) {
-			return nil
-		}
-	}
 
 	// check population
 	cl.maskAddr(addr)
 // ApplyConfig atomically applies a config update to a connection limit handler
 func (cl *Limiter) ApplyConfig(config LimiterConfig) error {
 	// assemble exempted nets
-	exemptedIPs := make(map[string]bool)
-	var exemptedNets []net.IPNet
-	for _, cidr := range config.Exempted {
-		ipaddr := net.ParseIP(cidr)
-		_, netaddr, err := net.ParseCIDR(cidr)
-
-		if ipaddr == nil && err != nil {
-			return fmt.Errorf("Could not parse exempted IP/network [%s]", cidr)
-		}
-
-		if ipaddr != nil {
-			exemptedIPs[ipaddr.String()] = true
-		} else {
-			exemptedNets = append(exemptedNets, *netaddr)
-		}
+	exemptedNets, err := utils.ParseNetList(config.Exempted)
+	if err != nil {
+		return fmt.Errorf("Could not parse limiter exemption list: %v", err.Error())
 	}
 
 	cl.Lock()
 	if cl.subnetLimit == 0 && config.IPsPerSubnet != 0 {
 		cl.subnetLimit = config.IPsPerSubnet
 	}
-	cl.exemptedIPs = exemptedIPs
 	cl.exemptedNets = exemptedNets
 
 	return nil

irc/connection_limits/throttler.go

 	"net"
 	"sync"
 	"time"
+
+	"github.com/oragono/oragono/irc/utils"
 )
 
 // ThrottlerConfig controls the automated connection throttling.
 	banDuration time.Duration
 	banMessage  string
 
-	// exemptedIPs holds IPs that are exempt from limits
-	exemptedIPs map[string]bool
 	// exemptedNets holds networks that are exempt from limits
 	exemptedNets []net.IPNet
 }
 	}
 
 	// check exempted lists
-	if ct.exemptedIPs[addr.String()] {
+	if utils.IPInNets(addr, ct.exemptedNets) {
 		return nil
 	}
-	for _, ex := range ct.exemptedNets {
-		if ex.Contains(addr) {
-			return nil
-		}
-	}
 
 	// check throttle
 	ct.maskAddr(addr)
 // ApplyConfig atomically applies a config update to a throttler
 func (ct *Throttler) ApplyConfig(config ThrottlerConfig) error {
 	// assemble exempted nets
-	exemptedIPs := make(map[string]bool)
-	var exemptedNets []net.IPNet
-	for _, cidr := range config.Exempted {
-		ipaddr := net.ParseIP(cidr)
-		_, netaddr, err := net.ParseCIDR(cidr)
-
-		if ipaddr == nil && err != nil {
-			return fmt.Errorf("Could not parse exempted IP/network [%s]", cidr)
-		}
-
-		if ipaddr != nil {
-			exemptedIPs[ipaddr.String()] = true
-		} else {
-			exemptedNets = append(exemptedNets, *netaddr)
-		}
+	exemptedNets, err := utils.ParseNetList(config.Exempted)
+	if err != nil {
+		return fmt.Errorf("Could not parse throttle exemption list: %v", err.Error())
 	}
 
 	ct.Lock()
 	ct.duration = config.Duration
 	ct.banDuration = config.BanDuration
 	ct.banMessage = config.BanMessage
-	ct.exemptedIPs = exemptedIPs
 	ct.exemptedNets = exemptedNets
 
 	return nil

irc/gateways.go

 	Password       []byte `yaml:"password-bytes"`
 	Fingerprint    string
 	Hosts          []string
+	allowedNets    []net.IPNet
 }
 
 // Populate fills out our password or fingerprint.
 	if wc.PasswordString != "" {
 		wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)
 	}
-	return err
-}
-
-func isGatewayAllowed(addr net.Addr, gatewaySpec string) bool {
-	// "localhost" includes any loopback IP or unix domain socket
-	if gatewaySpec == "localhost" {
-		return utils.AddrIsLocal(addr)
-	}
-
-	ip := utils.AddrToIP(addr)
-	if ip == nil {
-		return false
-	}
 
-	// exact IP match
-	if ip.String() == gatewaySpec {
-		return true
+	if err == nil {
+		wc.allowedNets, err = utils.ParseNetList(wc.Hosts)
 	}
 
-	// CIDR match
-	_, gatewayNet, err := net.ParseCIDR(gatewaySpec)
-	if err != nil {
-		return false
-	}
-	return gatewayNet.Contains(ip)
+	return err
 }
 
 // ApplyProxiedIP applies the given IP to the client.
 func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (success bool) {
 	// ensure IP is sane
-	parsedProxiedIP := net.ParseIP(proxiedIP)
+	parsedProxiedIP := net.ParseIP(proxiedIP).To16()
 	if parsedProxiedIP == nil {
 		client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP))
 		return false
 	}
 
-	// undo any mapping of v4 addresses into the v6 space: https://stackoverflow.com/a/1618259
-	// this is how a typical stunnel4 deployment on Linux will handle dual-stack
-	unmappedIP := parsedProxiedIP.To4()
-	if unmappedIP != nil {
-		parsedProxiedIP = unmappedIP
-	}
-
 	isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
 	if isBanned {
 		client.Quit(banMsg)
 		return errBadProxyLine
 	}
 
-	for _, gateway := range server.ProxyAllowedFrom() {
-		if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
-			// assume PROXY connections are always secure
-			if client.ApplyProxiedIP(params[2], true) {
-				return nil
-			} else {
-				return errBadProxyLine
-			}
+	if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {
+		// assume PROXY connections are always secure
+		if client.ApplyProxiedIP(params[2], true) {
+			return nil
+		} else {
+			return errBadProxyLine
 		}
 	}
 

irc/getters.go

 	return *server.Config().Debug.RecoverFromErrors
 }
 
-func (server *Server) ProxyAllowedFrom() []string {
-	return server.Config().Server.ProxyAllowedFrom
-}
-
-func (server *Server) WebIRCConfig() []webircConfig {
-	return server.Config().Server.WebIRC
-}
-
 func (server *Server) DefaultChannelModes() modes.Modes {
 	return server.Config().Channels.defaultModes
 }
 	return
 }
 
-func (client *Client) Authorized() bool {
-	client.stateMutex.RLock()
-	defer client.stateMutex.RUnlock()
-	return client.authorized
-}
-
-func (client *Client) SetAuthorized(authorized bool) {
-	client.stateMutex.Lock()
-	defer client.stateMutex.Unlock()
-	client.authorized = authorized
-}
-
 func (client *Client) HasMode(mode modes.Mode) bool {
 	// client.flags has its own synch
 	return client.flags.HasMode(mode)

irc/handlers.go

 	// let the SASL handler do its thing
 	exiting := handler(server, client, client.saslMechanism, data, rb)
 
-	if client.LoggedIntoAccount() && server.AccountConfig().SkipServerPassword {
-		client.SetAuthorized(true)
-	}
-
 	// wait 'til SASL is done before emptying the sasl vars
 	client.saslInProgress = false
 	client.saslMechanism = ""
 		}
 
 	case "END":
-		if !client.Registered() {
+		if !client.registered {
 			client.capState = caps.NegotiatedState
 		}
 
 
 // NICK <nickname>
 func nickHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
-	if client.Registered() {
+	if client.registered {
 		performNickChange(server, client, client, msg.Params[0], rb)
 	} else {
 		client.preregNick = msg.Params[0]
 
 // PASS <password>
 func passHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
-	if client.Registered() {
+	if client.registered {
 		rb.Add(nil, server.name, ERR_ALREADYREGISTRED, client.nick, client.t("You may not reregister"))
 		return false
 	}
 	// if no password exists, skip checking
 	serverPassword := server.Password()
 	if serverPassword == nil {
-		client.SetAuthorized(true)
 		return false
 	}
 
 		return true
 	}
 
-	client.SetAuthorized(true)
+	client.sentPassCommand = true
 	return false
 }
 
 	oldnick := msg.Params[0]
 	token := msg.Params[1]
 
-	if client.Registered() {
+	if client.registered {
 		rb.Add(nil, server.name, ERR_CANNOT_RESUME, oldnick, client.t("Cannot resume connection, connection registration has already been completed"))
 		return false
 	}
 
 // USER <username> * 0 <realname>
 func userHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
-	if client.Registered() {
+	if client.registered {
 		rb.Add(nil, server.name, ERR_ALREADYREGISTRED, client.nick, client.t("You may not reregister"))
 		return false
 	}
 // WEBIRC <password> <gateway> <hostname> <ip> [:flag1 flag2=x flag3]
 func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
 	// only allow unregistered clients to use this command
-	if client.Registered() || client.proxiedIP != nil {
+	if client.registered || client.proxiedIP != nil {
 		return false
 	}
 
 		}
 	}
 
-	for _, info := range server.WebIRCConfig() {
-		for _, gateway := range info.Hosts {
-			if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
-				// confirm password and/or fingerprint
-				givenPassword := msg.Params[0]
-				if 0 < len(info.Password) && bcrypt.CompareHashAndPassword(info.Password, []byte(givenPassword)) != nil {
-					continue
-				}
-				if 0 < len(info.Fingerprint) && client.certfp != info.Fingerprint {
-					continue
-				}
+	givenPassword := []byte(msg.Params[0])
+	for _, info := range server.Config().Server.WebIRC {
+		if utils.IPInNets(client.realIP, info.allowedNets) {
+			// confirm password and/or fingerprint
+			if 0 < len(info.Password) && bcrypt.CompareHashAndPassword(info.Password, givenPassword) != nil {
+				continue
+			}
+			if 0 < len(info.Fingerprint) && client.certfp != info.Fingerprint {
+				continue
+			}
 
-				proxiedIP := msg.Params[3]
-				// see #211; websocket gateways will wrap ipv6 addresses in square brackets
-				// because IRC parameters can't start with :
-				if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
-					proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
-				}
-				return !client.ApplyProxiedIP(proxiedIP, secure)
+			proxiedIP := msg.Params[3]
+			// see #211; websocket gateways will wrap ipv6 addresses in square brackets
+			// because IRC parameters can't start with :
+			if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
+				proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
 			}
+			return !client.ApplyProxiedIP(proxiedIP, secure)
 		}
 	}
 

irc/idletimer.go

 }
 
 func (it *IdleTimer) Touch() {
-	// ignore touches from unregistered clients
-	if !it.client.Registered() {
-		return
-	}
-
 	it.updateIdleDuration()
 
 	it.Lock()

irc/nickserv.go

 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/goshuirc/irc-go/ircfmt"
 )
 			enabled:   servCmdRequiresAccreg,
 			minParams: 1,
 		},
+		"saregister": {
+			handler: nsSaregisterHandler,
+			help: `Syntax: $bSAREGISTER <username> <password>$b
+
+SAREGISTER registers an account on someone else's behalf.
+This is for use in configurations that require SASL for all connections;
+an administrator can set use this command to set up user accounts.`,
+			helpShort: `$bSAREGISTER$b registers an account on someone else's behalf.`,
+			enabled:   servCmdRequiresAccreg,
+			capabs:    []string{"accreg"},
+			minParams: 2,
+		},
 		"unregister": {
 			handler: nsUnregisterHandler,
 			help: `Syntax: $bUNREGISTER <username> [code]$b
 
 func nsRegisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
 	// get params
-	username, email := params[0], params[1]
+	account, email := params[0], params[1]
 	var passphrase string
 	if len(params) > 2 {
 		passphrase = params[2]
 	}
 
-	if !server.AccountConfig().Registration.Enabled {
-		nsNotice(rb, client.t("Account registration has been disabled"))
-		return
-	}
-
-	if username == "" {
-		nsNotice(rb, client.t("No username supplied"))
-		return
-	}
-
 	certfp := client.certfp
 	if passphrase == "" && certfp == "" {
 		nsNotice(rb, client.t("You need to either supply a passphrase or be connected via TLS with a client cert"))
 		}
 	}
 
-	// get and sanitise account name
-	account := strings.TrimSpace(username)
-
 	err := server.accounts.Register(client, account, callbackNamespace, callbackValue, passphrase, client.certfp)
 	if err == nil {
 		if callbackNamespace == "*" {
 		errMsg := client.t("Could not register")
 		if err == errCertfpAlreadyExists {
 			errMsg = client.t("An account already exists for your certificate fingerprint")
-		} else if err == errAccountAlreadyRegistered {
+		} else if err == errAccountAlreadyRegistered || err == errAccountAlreadyVerified {
 			errMsg = client.t("Account already exists")
 		} else if err == errAccountBadPassphrase {
 			errMsg = client.t("Passphrase contains forbidden characters or is otherwise invalid")
 	}
 }
 
+func nsSaregisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
+	account, passphrase := params[0], params[1]
+	err := server.accounts.Register(nil, account, "admin", "", passphrase, "")
+	if err == nil {
+		err = server.accounts.Verify(nil, account, "")
+	}
+
+	if err != nil {
+		var errMsg string
+		if err == errAccountAlreadyRegistered || err == errAccountAlreadyVerified {
+			errMsg = client.t("Account already exists")
+		} else if err == errAccountBadPassphrase {
+			errMsg = client.t("Passphrase contains forbidden characters or is otherwise invalid")
+		} else {
+			server.logger.Error("services", "unknown error from saregister", err.Error())
+			errMsg = client.t("Could not register")
+		}
+		nsNotice(rb, errMsg)
+	} else {
+		nsNotice(rb, fmt.Sprintf(client.t("Successfully registered account %s"), account))
+	}
+}
+
 func nsUnregisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
 	username := params[0]
 	var verificationCode string

irc/server.go

 //
 
 func (server *Server) tryRegister(c *Client) {
-	if c.Registered() {
+	if c.registered {
 		return
 	}
 
 		return
 	}
 
-	// client MUST send PASS (or AUTHENTICATE, if skip-server-password is set)
+	// client MUST send PASS if necessary, or authenticate with SASL if necessary,
 	// before completing the other registration commands
-	if !c.Authorized() {
+	config := server.Config()
+	if !c.isAuthorized(config) {
 		c.Quit(c.t("Bad password"))
 		c.destroy(false)
 		return

irc/utils/net.go

 
 var (
 	// subnet mask for an ipv6 /128:
-	mask128 = net.CIDRMask(128, 128)
+	mask128             = net.CIDRMask(128, 128)
+	IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()
 )
 
-// IPString returns a simple IP string from the given net.Addr.
-func IPString(addr net.Addr) string {
-	addrStr := addr.String()
-	ipaddr, _, err := net.SplitHostPort(addrStr)
-	//TODO(dan): Why is this needed, does this happen?
-	if err != nil {
-		return addrStr
-	}
-	return ipaddr
-}
-
-// AddrLookupHostname returns the hostname (if possible) or address for the given `net.Addr`.
-func AddrLookupHostname(addr net.Addr) string {
-	if AddrIsUnix(addr) {
-		return "localhost"
-	}
-	return LookupHostname(IPString(addr))
-}
-
 // AddrIsLocal returns whether the address is from a trusted local connection (loopback or unix).
 func AddrIsLocal(addr net.Addr) bool {
 	if tcpaddr, ok := addr.(*net.TCPAddr); ok {
 		return tcpaddr.IP.IsLoopback()
 	}
-	_, ok := addr.(*net.UnixAddr)
-	return ok
+	return AddrIsUnix(addr)
 }
 
-// AddrToIP returns the IP address for a net.Addr, or nil if it's a unix domain socket.
+// AddrToIP returns the IP address for a net.Addr; unix domain sockets are treated as IPv4 loopback
 func AddrToIP(addr net.Addr) net.IP {
 	if tcpaddr, ok := addr.(*net.TCPAddr); ok {
-		return tcpaddr.IP
+		return tcpaddr.IP.To16()
+	} else if AddrIsUnix(addr) {
+		return IPv4LoopbackAddress
+	} else {
+		return nil
 	}
-	return nil
 }
 
 // AddrIsUnix returns whether the address is a unix domain socket.
 	return true
 }
 
+// Convenience to test whether `ip` is contained in any of `nets`.
+func IPInNets(ip net.IP, nets []net.IPNet) bool {
+	for _, network := range nets {
+		if network.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
 // NormalizeIPToNet represents an address (v4 or v6) as the v6 /128 CIDR
 // containing only it.
 func NormalizeIPToNet(addr net.IP) (network net.IPNet) {
 	}
 	return NormalizeIPToNet(ip), nil
 }
+
+// Parse a list of IPs and nets as they would appear in one of our config
+// files, e.g., proxy-allowed-from or a throttling exemption list.
+func ParseNetList(netList []string) (nets []net.IPNet, err error) {
+	var network net.IPNet
+	for _, netStr := range netList {
+		if netStr == "localhost" {
+			ipv4Loopback, _ := NormalizedNetFromString("127.0.0.0/8")
+			ipv6Loopback, _ := NormalizedNetFromString("::1/128")
+			nets = append(nets, ipv4Loopback)
+			nets = append(nets, ipv6Loopback)
+			continue
+		}
+		network, err = NormalizedNetFromString(netStr)
+		if err != nil {
+			return
+		} else {
+			nets = append(nets, network)
+		}
+	}
+	return
+}

oragono.yaml

     # if this is true, the motd is escaped using formatting codes like $c, $b, and $i
     motd-formatting: true
 
-    # addresses/hostnames the PROXY command can be used from
-    # this should be restricted to 127.0.0.1/8 and localhost at most
+    # addresses/CIDRs the PROXY command can be used from
+    # this should be restricted to 127.0.0.1/8 and ::1/128 (unless you have a good reason)
     # you should also add these addresses to the connection limits and throttling exemption lists
     proxy-allowed-from:
         # - localhost
             # password the gateway uses to connect, made with  oragono genpasswd
             password: "$2a$04$sLEFDpIOyUp55e6gTMKbOeroT6tMXTjPFvA0eGvwvImVR9pkwv7ee"
 
-            # hosts that can use this webirc command
+            # addresses/CIDRs that can use this webirc command
             # you should also add these addresses to the connection limits and throttling exemption lists
             hosts:
                 # - localhost
 
         # IPs/networks which are exempted from connection limits
         exempted:
-            - "127.0.0.1"
-            - "127.0.0.1/8"
-            - "::1/128"
+            - "localhost"
+            # - "192.168.1.1"
+            # - "2001:0db8::/32"
 
     # automated connection throttling
     connection-throttling:
 
         # IPs/networks which are exempted from connection limits
         exempted:
-            - "127.0.0.1"
-            - "127.0.0.1/8"
-            - "::1/128"
+            - "localhost"
+            # - "192.168.1.1"
+            # - "2001:0db8::/32"
 
 # account options
 accounts:
     # PASS as well, so it can be configured to authenticate with SASL only.
     skip-server-password: false
 
+    require-sasl:
+        # if this is enabled, all clients must authenticate with SASL:
+        enabled: false
+        # the following IPs/CIDRs are exempted from this requirement:
+        exempted:
+            - "localhost"
+            # - '127.0.0.2'
+            # - '10.10.0.0/16'
+
     # nick-reservation controls how, and whether, nicknames are linked to accounts
     nick-reservation:
         # is there any enforcement of reserved nicknames?