This commit is contained in:
Vladislav Yarmak 2022-09-14 21:52:19 +03:00
parent 8f338e0c62
commit c09b293ded
2 changed files with 20 additions and 18 deletions

auth.go

@ -23,7 +23,7 @@ const AUTH_TRIGGERED_MSG = "Browser auth triggered!\n"
const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT" const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
type Auth interface { type Auth interface {
Validate(wr http.ResponseWriter, req *http.Request) bool Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
Stop() Stop()
} }
@ -191,29 +191,29 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
} }
} }
func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
hdr := req.Header.Get("Proxy-Authorization") hdr := req.Header.Get("Proxy-Authorization")
if hdr == "" { if hdr == "" {
requireBasicAuth(wr, req, auth.hiddenDomain) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return "", false
} }
hdr_parts := strings.SplitN(hdr, " ", 2) hdr_parts := strings.SplitN(hdr, " ", 2)
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" { if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
requireBasicAuth(wr, req, auth.hiddenDomain) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return "", false
} }
token := hdr_parts[1] token := hdr_parts[1]
data, err := base64.StdEncoding.DecodeString(token) data, err := base64.StdEncoding.DecodeString(token)
if err != nil { if err != nil {
requireBasicAuth(wr, req, auth.hiddenDomain) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return "", false
} }
pair := strings.SplitN(string(data), ":", 2) pair := strings.SplitN(string(data), ":", 2)
if len(pair) != 2 { if len(pair) != 2 {
requireBasicAuth(wr, req, auth.hiddenDomain) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return "", false
} }
login := pair[0] login := pair[0]
@ -233,13 +233,13 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
wr.Header()["Date"] = nil wr.Header()["Date"] = nil
wr.WriteHeader(http.StatusOK) wr.WriteHeader(http.StatusOK)
wr.Write([]byte(AUTH_TRIGGERED_MSG)) wr.Write([]byte(AUTH_TRIGGERED_MSG))
return false return "", false
} else { } else {
return true return login, true
} }
} }
requireBasicAuth(wr, req, auth.hiddenDomain) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return "", false
} }
func (auth *BasicAuth) Stop() { func (auth *BasicAuth) Stop() {
@ -250,20 +250,20 @@ func (auth *BasicAuth) Stop() {
type NoAuth struct{} type NoAuth struct{}
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
return true return "", true
} }
func (_ NoAuth) Stop() {} func (_ NoAuth) Stop() {}
type CertAuth struct{} type CertAuth struct{}
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 { if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest) http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
return false return "", false
} else { } else {
return true return req.TLS.VerifiedChains[0][0].Subject.String(), true
} }
} }
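Review bot: The new string result of `Auth.Validate` has no documented meaning, and the three implementations fill it differently: BasicAuth returns the decoded login, CertAuth returns `req.TLS.VerifiedChains[0][0].Subject.String()`, and NoAuth always returns "". A doc comment on the interface method would pin the contract down, e.g. `// Validate authorizes req. On success it returns a caller identity suitable for logging (login name, certificate subject, or "" when no authentication is configured) and true; on failure the response has already been written and it returns "", false.` Both non-empty identities are client-supplied (the Proxy-Authorization header, the certificate subject), so callers should keep quoting them with `%q` when logging, as the handler does. As a point of style, the `else` after `return "", false` in the AUTH_TRIGGERED_MSG branch of BasicAuth.Validate and in CertAuth.Validate could be dropped so the success path is left-aligned. The part of BasicAuth.Validate between the second and third hunks is outside this view.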


@ -106,8 +106,6 @@ func (s *ProxyHandler) isLoopback(req *http.Request) (string, bool) {
} }
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) { func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL)
if originator, isLoopback := s.isLoopback(req); isLoopback { if originator, isLoopback := s.isLoopback(req); isLoopback {
s.logger.Critical("Loopback tunnel detected: %s is an outbound "+ s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
"address for another request from %s", req.RemoteAddr, originator) "address for another request from %s", req.RemoteAddr, originator)
@ -121,7 +119,11 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest) http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
return return
} }
if !s.auth.Validate(wr, req) {
username, ok := s.auth.Validate(wr, req)
s.logger.Info("Request: %v %q %v %v %v", req.RemoteAddr, username, req.Proto, req.Method, req.URL)
if !ok {
return return
} }
delHopHeaders(req.Header) delHopHeaders(req.Header)
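Review bot: Moving the "Request:" log line below `s.auth.Validate` means a request that is rejected earlier in ServeHTTP no longer produces an Info entry: the loopback case still logs at Critical, but the `http.Error(wr, BAD_REQ_MSG, ...)` return just above the new lines appears to go unlogged now, unless something between the two hunks (outside this view) records it. A failed authentication and a successful NoAuth pass also both log `""` as the username, so the new line cannot distinguish them; including the result keeps the audit trail unambiguous, e.g. `s.logger.Info("Request: %v %q auth=%v %v %v %v", req.RemoteAddr, username, ok, req.Proto, req.Method, req.URL)`. Quoting the username with `%q` is the right choice since it is client-supplied. ServeHTTP continues past the end of this hunk.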