Added #263

- Added IP / CIDR as Basic Auth exclusion rule - Fixed side frame not closing when open proxy rule editor bug
2025-11-08 18:04:09 +01:00 · 2025-08-17 14:25:38 +08:00
parent 2daf3cd2cb
commit c2866f27f8
5 changed files with 277 additions and 50 deletions
--- a/src/mod/dynamicproxy/authProviders.go
+++ b/src/mod/dynamicproxy/authProviders.go
@@ -6,6 +6,7 @@ import (
 	"strings"

 	"imuslab.com/zoraxy/mod/auth"
+	"imuslab.com/zoraxy/mod/netutils"
 )

 /*
@@ -70,9 +71,36 @@ func handleBasicAuth(w http.ResponseWriter, r *http.Request, pe *ProxyEndpoint)
 	if len(pe.AuthenticationProvider.BasicAuthExceptionRules) > 0 {
 		//Check if the current path matches the exception rules
 		for _, exceptionRule := range pe.AuthenticationProvider.BasicAuthExceptionRules {
-			if strings.HasPrefix(r.RequestURI, exceptionRule.PathPrefix) {
-				//This path is excluded from basic auth
-				return nil
+			exceptionType := exceptionRule.RuleType
+			switch exceptionType {
+			case AuthExceptionType_Paths:
+				if strings.HasPrefix(r.RequestURI, exceptionRule.PathPrefix) {
+					//This path is excluded from basic auth
+					return nil
+				}
+			case AuthExceptionType_CIDR:
+				requesterIp := netutils.GetRequesterIP(r)
+				if requesterIp != "" {
+					if requesterIp == exceptionRule.CIDR {
+						// This IP is excluded from basic auth
+						return nil
+					}
+
+					wildcardMatch := netutils.MatchIpWildcard(requesterIp, exceptionRule.CIDR)
+					if wildcardMatch {
+						// This IP is excluded from basic auth
+						return nil
+					}
+
+					cidrMatch := netutils.MatchIpCIDR(requesterIp, exceptionRule.CIDR)
+					if cidrMatch {
+						// This IP is excluded from basic auth
+						return nil
+					}
+				}
+			default:
+				//Unknown exception type, skip this rule
+				continue
 			}
 		}
 	}
--- a/src/mod/dynamicproxy/typedef.go
+++ b/src/mod/dynamicproxy/typedef.go
@@ -106,9 +106,18 @@ type BasicAuthUnhashedCredentials struct {
 	Password string
 }

+type AuthExceptionType int
+
+const (
+	AuthExceptionType_Paths AuthExceptionType = iota //Path exception, match by path prefix
+	AuthExceptionType_CIDR                           //CIDR exception, match by CIDR
+)
+
 // Paths to exclude in basic auth enabled proxy handler
 type BasicAuthExceptionRule struct {
-	PathPrefix string
+	RuleType   AuthExceptionType //The type of the exception rule
+	PathPrefix string            //Path prefix to match, e.g. /api/v1/
+	CIDR       string            //CIDR to match, e.g. 192.168.1.0/24 or IP address, e.g. 192.168.1.1
 }

 /* Routing Rule Data Structures */