diff --git a/.changeset/seven-glasses-rest.md b/.changeset/seven-glasses-rest.md
new file mode 100644
index 0000000000..d2b327962b
--- /dev/null
+++ b/.changeset/seven-glasses-rest.md
@@ -0,0 +1,8 @@
+---
+"@scow/gateway": minor
+"@scow/cli": minor
+"@scow/docs": minor
+"@scow/auth": patch
+---
+
+修复 scow 存在的 web 安全漏洞
diff --git a/apps/auth/views/login.liquid b/apps/auth/views/login.liquid
index 32a6c7e704..8ed26851cd 100644
--- a/apps/auth/views/login.liquid
+++ b/apps/auth/views/login.liquid
@@ -97,7 +97,7 @@ {% endif %} - + {% if err %}

{{ authTexts.login.invalidInput }}

@@ -116,7 +116,7 @@ - + {% endif %}
diff --git a/apps/auth/views/otp/bindOtp.liquid b/apps/auth/views/otp/bindOtp.liquid
index 2344cc22dc..ed7844be9c 100644
--- a/apps/auth/views/otp/bindOtp.liquid
+++ b/apps/auth/views/otp/bindOtp.liquid
@@ -23,7 +23,7 @@ - + {% unless bindLimitMinutes %}
@@ -53,7 +53,7 @@ {{ authTexts.bindOtp.confirm }} - + {% else %}
@@ -113,7 +113,7 @@ - + {% endunless %}
diff --git a/apps/auth/views/otp/qrcode.liquid b/apps/auth/views/otp/qrcode.liquid
index e543e1601c..e84ebb0e76 100644
--- a/apps/auth/views/otp/qrcode.liquid
+++ b/apps/auth/views/otp/qrcode.liquid
@@ -4,5 +4,5 @@ + value="{{ callbackUrl | escape }}">
diff --git a/apps/cli/assets/install.yaml b/apps/cli/assets/install.yaml
index 88f6e6cff5..606ed39d06 100644
--- a/apps/cli/assets/install.yaml
+++ b/apps/cli/assets/install.yaml
@@ -129,6 +129,9 @@
 # include includes/headers;
 # include includes/websocket;
 # }
+# # 允许访问的域名或 IP,多个域名或 IP 间用空格隔开
+# # 默认接受所有域名和 IP,"_" 即表示接受所有域名和 IP
+# allowedServerName: "_"
 # 插件配置
 # plugins:
diff --git a/apps/cli/src/compose/index.ts b/apps/cli/src/compose/index.ts
index 26b7e04fbd..5ee39cf6a9 100644
--- a/apps/cli/src/compose/index.ts
+++ b/apps/cli/src/compose/index.ts
@@ -113,6 +113,10 @@ export const createComposeSpec = (config: InstallConfigSchema) => {
 const publicPath = "/__public__/";
 const publicDir = "/app/apps/gateway/public/";
+ const defaultServerBlock = `server {
+ listen 80 default_server;
+ return 444;
+ }`;
 // GATEWAY
 addService("gateway", {
 image: scowImage,
@@ -126,6 +130,8 @@ export const createComposeSpec = (config: InstallConfigSchema) => {
 "PUBLIC_PATH": publicPath,
 "PUBLIC_DIR": publicDir,
 "EXTRA": config.gateway.extra,
+ "ALLOWED_SERVER_NAME": config.gateway.allowedServerName,
+ "DEFAULT_SERVER_BLOCK": config.gateway.allowedServerName === "_" ? "" : defaultServerBlock,
 },
 ports: { [config.port]: 80 },
 volumes: {
diff --git a/apps/cli/src/config/install.ts b/apps/cli/src/config/install.ts
index f215722737..0a22ce6e5e 100644
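Review bot: `| escape` on `callbackUrl` only keeps the value inside the double-quoted `value` attribute; it does not constrain what the URL is, so if the handler that later consumes `callbackUrl` (not in this diff) navigates or redirects to it, that handler still needs to validate the scheme and host against the expected origin. The login.liquid and bindOtp.liquid hunks appear to apply the same filter, but their element text is not visible in this extract, so I cannot confirm every interpolation in those templates is covered.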
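Review bot: An empty or whitespace-only `allowedServerName` fails the `=== "_"` test in the second hunk and is therefore treated as a restriction, so `DEFAULT_SERVER_BLOCK` is emitted while `ALLOWED_SERVER_NAME` renders `server_name` with no argument and nginx refuses to start; normalise once, `const allowedServerName = config.gateway.allowedServerName.trim() || "_";`, and use it for both entries. The template literal in the first hunk deserves a why-comment, e.g. `// catch-all for Hosts not listed in ALLOWED_SERVER_NAME; 444 makes nginx close the connection without a response`. It listens on port 80, which matches the `[config.port]: 80` mapping here, but the gateway's own listen directive is not in this diff, so confirm the two blocks share a socket or the catch-all is never selected. createComposeSpec begins before the first hunk and continues past the second.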
--- a/apps/cli/src/config/install.ts
+++ b/apps/cli/src/config/install.ts
@@ -45,6 +45,11 @@ export const InstallConfigSchema = Type.Object({
 description: "更多nginx配置,可接受的格式为nginx的server可接受的属性配置,可增加在当前系统nginx端口(默认80)的服务等",
 default: "",
 }),
+
+ allowedServerName: Type.String({
+ description: "允许访问的域名或 IP",
+ default: "_",
+ }),
 }, { default: {} }),
 portal: Type.Optional(Type.Object({
diff --git a/apps/gateway/assets/nginx.conf b/apps/gateway/assets/nginx.conf
index 0e12dc0804..b823bc0cae 100644
--- a/apps/gateway/assets/nginx.conf
+++ b/apps/gateway/assets/nginx.conf
@@ -1,5 +1,7 @@
 server {
+ server_name ${ALLOWED_SERVER_NAME};
+
 resolver ${RESOLVER} valid=10s;
 resolver_timeout 5s;
@@ -60,3 +62,5 @@ server {
 ${EXTRA}
 }
+
+${DEFAULT_SERVER_BLOCK}
diff --git a/apps/gateway/src/env.ts b/apps/gateway/src/env.ts
index 18993d5e82..ebc44ad0cd 100644
--- a/apps/gateway/src/env.ts
+++ b/apps/gateway/src/env.ts
@@ -35,5 +35,8 @@ export const config = envConfig({
 PUBLIC_DIR: str({ desc: "静态文件在文件系统中的路径。以/结尾", default: "/app/apps/gateway/public/" }),
 PUBLIC_PATH: str({ desc: "静态文件路径前缀。以/开头,以/结尾", default: "/__public__/" }),
+
+ ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "_" }),
+ DEFAULT_SERVER_BLOCK: str({ desc: "当配置了ALLOWED_SERVER_NAME为特定IP或域名时,设置默认服务块拒绝其他访问", default: "" }),
 });
diff --git a/docs/docs/deploy/config/gateway/config/index.md b/docs/docs/deploy/config/gateway/config/index.md
index 124d7b1be2..5319593627 100644
--- a/docs/docs/deploy/config/gateway/config/index.md
+++ b/docs/docs/deploy/config/gateway/config/index.md
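Review bot: `allowedServerName: Type.String({ ... default: "_" })` accepts the empty string, which then reaches nginx's `server_name` directive unchanged and is rejected only at gateway startup; adding `minLength: 1` to the options rejects it at config validation instead. The description is also thinner than the ones added in install.yaml and env.ts: it should say that several names are space-separated and that `"_"` means no restriction, since that is the value an operator must know to opt out. InstallConfigSchema continues outside the hunk.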
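Review bot: `server_name ${ALLOWED_SERVER_NAME};` on its own rejects nothing: while this is the only server on its listen socket nginx sends every Host to it regardless of server_name, so the restriction depends entirely on `${DEFAULT_SERVER_BLOCK}` in the second hunk expanding to a `default_server` block. That dependency should be stated where it is easy to miss, e.g. `# server_name only selects this block; Hosts it does not match are handled by the default_server block expanded from DEFAULT_SERVER_BLOCK at the end of this file`. The catch-all generated by the CLI uses `listen 80 default_server`; this server's own listen directive is outside the hunk, so confirm it uses the same port and does not also claim default_server, otherwise nginx either never selects the catch-all or fails to start on a duplicate default_server.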
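Review bot: `ALLOWED_SERVER_NAME` and `DEFAULT_SERVER_BLOCK` are declared as independent variables here although they only work as a pair: if an operator sets just `ALLOWED_SERVER_NAME` on the container (the compose hunk derives the catch-all only in the CLI, as far as I can see), the gateway's single server block still answers every Host and the restriction is silently ineffective. Either derive the catch-all block in the gateway from `ALLOWED_SERVER_NAME` so it is correct standalone, or at least make the coupling explicit in both descriptions, e.g. `desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开;需同时设置 DEFAULT_SERVER_BLOCK 才会拒绝其他 Host"`. The envConfig call starts before the hunk.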
@@ -15,15 +15,29 @@ title: 配置
 ```yaml title="install.yml"
 # 网关配置
 gateway:
- # 更多nginx配置
- extra: >
- location /extra {
- proxy_pass http://extra-web:3000;
- include includes/headers;
- include includes/websocket;
- }
+ # 更多nginx配置
+ extra: >
+ location /extra {
+ proxy_pass http://extra-web:3000;
+ include includes/headers;
+ include includes/websocket;
+ }
 ```
 您增加`extra`配置后,可以在使用`./cli compose up -d`启动scow后,使用 ` ./cli compose exec gateway sh` 进入gateway服务,在 `/etc/nginx/http.d` 目录下的 `default.conf` 文件最下方查看到您添加的配置。 如果gateway服务启动失败,说明您的配置不符合规范,请保证其正确性。
+## 域名白名单配置
+
+scow 网关默认不限制 HTTP Host 头
+
+为了防止 host 头攻击的发生,可以通过设置域名白名单来限制 Host 的域名或 IP
+
+```
+gateway:
+ # 同 nginx server_name 配置
+ allowedServerName: example.com www.example.com
+```
+
+多个域名或 IP 间用空格间隔即可。
+