home: imp auth

This commit is contained in:
Ainar Garipov 2021-12-22 21:27:36 +03:00
parent da0d1cb754
commit d317e19291
2 changed files with 26 additions and 37 deletions

View File

@ -98,10 +98,10 @@ type FilteringConfig struct {
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
// TrustedProxies is the list of IP addresses and CIDR networks to // TrustedProxies is the list of IP addresses and CIDR networks to detect
// detect proxy servers addresses the DoH requests from which should be // proxy servers addresses the DoH requests from which should be handled.
// handled. The value of nil or an empty slice for this field makes // The value of nil or an empty slice for this field makes Proxy not trust
// Proxy not trust any address. // any address.
TrustedProxies []string `yaml:"trusted_proxies"` TrustedProxies []string `yaml:"trusted_proxies"`
// DNS cache settings // DNS cache settings

View File

@ -403,8 +403,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {
return ip, nil return ip, nil
} }
// When everything else fails, just return the remote address as // When everything else fails, just return the remote address as understood
// understood by the stdlib. // by the stdlib.
ipStr, err := netutil.SplitHost(r.RemoteAddr) ipStr, err := netutil.SplitHost(r.RemoteAddr)
if err != nil { if err != nil {
return nil, fmt.Errorf("getting ip from client addr: %w", err) return nil, fmt.Errorf("getting ip from client addr: %w", err)
@ -423,7 +423,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
} }
var remoteAddr string var remoteAddr string
// The realIP couldn't be used here due to security issues. // realIP cannot be used here without taking TrustedProxies into accound due
// to security issues.
// //
// See https://github.com/AdguardTeam/AdGuardHome/issues/2799. // See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
// //
@ -437,12 +438,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
if blocker := Context.auth.blocker; blocker != nil { if blocker := Context.auth.blocker; blocker != nil {
if left := blocker.check(remoteAddr); left > 0 { if left := blocker.check(remoteAddr); left > 0 {
w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds()))) w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
httpError( httpError(w, http.StatusTooManyRequests, "auth: blocked for %s", left)
w,
http.StatusTooManyRequests,
"auth: blocked for %s",
left,
)
return return
} }
@ -455,40 +451,33 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
return return
} }
var ip net.IP // Use realIP here, since this IP address is only used for logging.
ip, err = realIP(r) ip, err := realIP(r)
if err != nil {
log.Error("auth: getting real ip from request: %s", err)
} else if ip == nil {
// Technically shouldn't happen.
log.Error("auth: unknown ip")
}
if len(cookie) == 0 { if len(cookie) == 0 {
if err != nil { log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
log.Info("auth: getting real ip from request: %s", err)
} else if ip == nil {
// Technically shouldn't happen.
log.Info("auth: failed to login user %q from unknown ip", req.Name)
} else {
log.Info("auth: failed to login user %q from ip %q", req.Name, ip)
}
time.Sleep(1 * time.Second) time.Sleep(1 * time.Second)
http.Error(w, "invalid username or password", http.StatusBadRequest) http.Error(w, "invalid username or password", http.StatusBadRequest)
return return
} }
if err != nil {
log.Info("auth: getting real ip from request: %s", err)
} else if ip == nil {
// Technically shouldn't happen.
log.Info("auth: user %q successfully logged in from unknown ip", req.Name)
} else {
log.Info("auth: user %q successfully logged in from ip %q", req.Name, ip)
}
w.Header().Set("Set-Cookie", cookie) log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate") h := w.Header()
w.Header().Set("Pragma", "no-cache") h.Set("Set-Cookie", cookie)
w.Header().Set("Expires", "0") h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
h.Set("Pragma", "no-cache")
h.Set("Expires", "0")
returnOK(w) returnOK(w)
} }