home: imp auth
parent
da0d1cb754
commit
d317e19291
|
@ -98,10 +98,10 @@ type FilteringConfig struct {
|
||||||
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
|
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
|
||||||
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
|
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
|
||||||
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
||||||
// TrustedProxies is the list of IP addresses and CIDR networks to
|
// TrustedProxies is the list of IP addresses and CIDR networks to detect
|
||||||
// detect proxy servers addresses the DoH requests from which should be
|
// proxy servers addresses the DoH requests from which should be handled.
|
||||||
// handled. The value of nil or an empty slice for this field makes
|
// The value of nil or an empty slice for this field makes Proxy not trust
|
||||||
// Proxy not trust any address.
|
// any address.
|
||||||
TrustedProxies []string `yaml:"trusted_proxies"`
|
TrustedProxies []string `yaml:"trusted_proxies"`
|
||||||
|
|
||||||
// DNS cache settings
|
// DNS cache settings
|
||||||
|
|
|
@ -403,8 +403,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {
|
||||||
return ip, nil
|
return ip, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// When everything else fails, just return the remote address as
|
// When everything else fails, just return the remote address as understood
|
||||||
// understood by the stdlib.
|
// by the stdlib.
|
||||||
ipStr, err := netutil.SplitHost(r.RemoteAddr)
|
ipStr, err := netutil.SplitHost(r.RemoteAddr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("getting ip from client addr: %w", err)
|
return nil, fmt.Errorf("getting ip from client addr: %w", err)
|
||||||
|
@ -423,7 +423,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
var remoteAddr string
|
var remoteAddr string
|
||||||
// The realIP couldn't be used here due to security issues.
|
// realIP cannot be used here without taking TrustedProxies into accound due
|
||||||
|
// to security issues.
|
||||||
//
|
//
|
||||||
// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
|
// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
|
||||||
//
|
//
|
||||||
|
@ -437,12 +438,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
if blocker := Context.auth.blocker; blocker != nil {
|
if blocker := Context.auth.blocker; blocker != nil {
|
||||||
if left := blocker.check(remoteAddr); left > 0 {
|
if left := blocker.check(remoteAddr); left > 0 {
|
||||||
w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
|
w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
|
||||||
httpError(
|
httpError(w, http.StatusTooManyRequests, "auth: blocked for %s", left)
|
||||||
w,
|
|
||||||
http.StatusTooManyRequests,
|
|
||||||
"auth: blocked for %s",
|
|
||||||
left,
|
|
||||||
)
|
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -456,18 +452,18 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var ip net.IP
|
// Use realIP here, since this IP address is only used for logging.
|
||||||
ip, err = realIP(r)
|
ip, err := realIP(r)
|
||||||
|
|
||||||
if len(cookie) == 0 {
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Info("auth: getting real ip from request: %s", err)
|
log.Error("auth: getting real ip from request: %s", err)
|
||||||
} else if ip == nil {
|
} else if ip == nil {
|
||||||
// Technically shouldn't happen.
|
// Technically shouldn't happen.
|
||||||
log.Info("auth: failed to login user %q from unknown ip", req.Name)
|
log.Error("auth: unknown ip")
|
||||||
} else {
|
|
||||||
log.Info("auth: failed to login user %q from ip %q", req.Name, ip)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(cookie) == 0 {
|
||||||
|
log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
|
||||||
|
|
||||||
time.Sleep(1 * time.Second)
|
time.Sleep(1 * time.Second)
|
||||||
|
|
||||||
http.Error(w, "invalid username or password", http.StatusBadRequest)
|
http.Error(w, "invalid username or password", http.StatusBadRequest)
|
||||||
|
@ -475,20 +471,13 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if err != nil {
|
log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
|
||||||
log.Info("auth: getting real ip from request: %s", err)
|
|
||||||
} else if ip == nil {
|
|
||||||
// Technically shouldn't happen.
|
|
||||||
log.Info("auth: user %q successfully logged in from unknown ip", req.Name)
|
|
||||||
} else {
|
|
||||||
log.Info("auth: user %q successfully logged in from ip %q", req.Name, ip)
|
|
||||||
}
|
|
||||||
|
|
||||||
w.Header().Set("Set-Cookie", cookie)
|
h := w.Header()
|
||||||
|
h.Set("Set-Cookie", cookie)
|
||||||
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
|
h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
|
||||||
w.Header().Set("Pragma", "no-cache")
|
h.Set("Pragma", "no-cache")
|
||||||
w.Header().Set("Expires", "0")
|
h.Set("Expires", "0")
|
||||||
|
|
||||||
returnOK(w)
|
returnOK(w)
|
||||||
}
|
}
|
||||||
|
|
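Review bot: The failed-login and successful-login log lines in the last two hunks (`log.Info("auth: failed to login user %q from ip %v", req.Name, ip)` and the matching `successfully logged in` line) record only the realIP() result, which the comment added in the third hunk itself says cannot be used for security decisions without taking TrustedProxies into account; if realIP honors forwarded headers, the origin these audit entries attribute an attempt to is chosen by the unauthenticated client rather than observed. Since `remoteAddr` (the value the blocker keys on, declared at the top of the function's second hunk) is already in scope, consider logging both, e.g. `log.Info("auth: failed to login user %q from ip %v (remote addr %q)", req.Name, ip, remoteAddr)` and the same addition on the success line, so the transport-level peer survives in the log even when the forwarded address is not trustworthy. The new comment in the third hunk also has a typo: `accound` should read `account`. handleLogin begins before the first of its hunks and realIP's header handling is not in view, so the spoofability point is inferred from the commit's own comment rather than from visible code.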