mirror of
https://github.com/tobychui/zoraxy.git
synced 2025-06-06 23:57:21 +02:00
Added access control bypass for /.well-known router
This commit is contained in:
Toby Chui
parent
741d3f8de1
commit
44ac7144ec
@ -69,7 +69,8 @@ func acmeRegisterSpecialRoutingRule() {
|
|||||||
}
|
}
|
||||||
w.Write(resBody)
|
w.Write(resBody)
|
||||||
},
|
},
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
|
UseSystemAccessControl: false,
|
||||||
})
|
})
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@ -23,35 +23,32 @@ import (
|
|||||||
|
|
||||||
func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
/*
|
/*
|
||||||
General Access Check
|
Special Routing Rules, bypass most of the limitations
|
||||||
*/
|
*/
|
||||||
|
|
||||||
//Check if this ip is in blacklist
|
//Check if there are external routing rule matches.
|
||||||
clientIpAddr := geodb.GetRequesterIP(r)
|
//If yes, route them via external rr
|
||||||
if h.Parent.Option.GeodbStore.IsBlacklisted(clientIpAddr) {
|
matchedRoutingRule := h.Parent.GetMatchingRoutingRule(r)
|
||||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
if matchedRoutingRule != nil {
|
||||||
w.WriteHeader(http.StatusForbidden)
|
//Matching routing rule found. Let the sub-router handle it
|
||||||
template, err := os.ReadFile("./web/forbidden.html")
|
if matchedRoutingRule.UseSystemAccessControl {
|
||||||
if err != nil {
|
//This matching rule request system access control.
|
||||||
w.Write([]byte("403 - Forbidden"))
|
//check access logic
|
||||||
} else {
|
respWritten := h.handleAccessRouting(w, r)
|
||||||
w.Write(template)
|
if respWritten {
|
||||||
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
h.logRequest(r, false, 403, "blacklist", "")
|
matchedRoutingRule.Route(w, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Check if this ip is in whitelist
|
/*
|
||||||
if !h.Parent.Option.GeodbStore.IsWhitelisted(clientIpAddr) {
|
General Access Check
|
||||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
*/
|
||||||
w.WriteHeader(http.StatusForbidden)
|
|
||||||
template, err := os.ReadFile("./web/forbidden.html")
|
respWritten := h.handleAccessRouting(w, r)
|
||||||
if err != nil {
|
if respWritten {
|
||||||
w.Write([]byte("403 - Forbidden"))
|
|
||||||
} else {
|
|
||||||
w.Write(template)
|
|
||||||
}
|
|
||||||
h.logRequest(r, false, 403, "whitelist", "")
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -65,15 +62,6 @@ func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Check if there are external routing rule matches.
|
|
||||||
//If yes, route them via external rr
|
|
||||||
matchedRoutingRule := h.Parent.GetMatchingRoutingRule(r)
|
|
||||||
if matchedRoutingRule != nil {
|
|
||||||
//Matching routing rule found. Let the sub-router handle it
|
|
||||||
matchedRoutingRule.Route(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
//Extract request host to see if it is virtual directory or subdomain
|
//Extract request host to see if it is virtual directory or subdomain
|
||||||
domainOnly := r.Host
|
domainOnly := r.Host
|
||||||
if strings.Contains(r.Host, ":") {
|
if strings.Contains(r.Host, ":") {
|
||||||
@ -127,3 +115,38 @@ func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
h.proxyRequest(w, r, h.Parent.Root)
|
h.proxyRequest(w, r, h.Parent.Root)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handle access routing logic. Return true if the request is handled or blocked by the access control logic
|
||||||
|
// if the return value is false, you can continue process the response writer
|
||||||
|
func (h *ProxyHandler) handleAccessRouting(w http.ResponseWriter, r *http.Request) bool {
|
||||||
|
//Check if this ip is in blacklist
|
||||||
|
clientIpAddr := geodb.GetRequesterIP(r)
|
||||||
|
if h.Parent.Option.GeodbStore.IsBlacklisted(clientIpAddr) {
|
||||||
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
w.WriteHeader(http.StatusForbidden)
|
||||||
|
template, err := os.ReadFile("./web/forbidden.html")
|
||||||
|
if err != nil {
|
||||||
|
w.Write([]byte("403 - Forbidden"))
|
||||||
|
} else {
|
||||||
|
w.Write(template)
|
||||||
|
}
|
||||||
|
h.logRequest(r, false, 403, "blacklist", "")
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
//Check if this ip is in whitelist
|
||||||
|
if !h.Parent.Option.GeodbStore.IsWhitelisted(clientIpAddr) {
|
||||||
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
w.WriteHeader(http.StatusForbidden)
|
||||||
|
template, err := os.ReadFile("./web/forbidden.html")
|
||||||
|
if err != nil {
|
||||||
|
w.Write([]byte("403 - Forbidden"))
|
||||||
|
} else {
|
||||||
|
w.Write(template)
|
||||||
|
}
|
||||||
|
h.logRequest(r, false, 403, "whitelist", "")
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|||||||
@ -13,10 +13,11 @@ import (
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
type RoutingRule struct {
|
type RoutingRule struct {
|
||||||
ID string
|
ID string //ID of the routing rule
|
||||||
MatchRule func(r *http.Request) bool
|
Enabled bool //If the routing rule enabled
|
||||||
RoutingHandler func(http.ResponseWriter, *http.Request)
|
UseSystemAccessControl bool //Pass access control check to system white/black list, set this to false to bypass white/black list
|
||||||
Enabled bool
|
MatchRule func(r *http.Request) bool
|
||||||
|
RoutingHandler func(http.ResponseWriter, *http.Request)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Router functions
|
// Router functions
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user