feat: block by ip

leomotors · Dec 23, 2023 · 23a4a76 · 23a4a76
1 parent 55ffbe9
commit 23a4a76
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 Previous changelog before 1.7 will not be noted here.
 
+## [2.3.0] - 2023-12-23
+
+- feat: only allow local ip in some path for system that don't use nginx
+
 ## [2.2.1] - 2023-12-21
 
 - feat: add arm64 docker image

diff --git a/server/cmd/main.go b/server/cmd/main.go
@@ -36,8 +36,8 @@ func main() {
 	})
 
 	mux.Handle("/data", routes.DataGetHandler)
-	mux.Handle("/metrics", routes.MetricsHandler)
-	mux.Handle("/update", routes.UpdatePostHandler)
+	mux.Handle("/metrics", middlewares.LocalOnly(routes.MetricsHandler))
+	mux.Handle("/update", middlewares.LocalOnly(routes.UpdatePostHandler))
 
 	wrappedMux := middlewares.Logger(mux)
 

diff --git a/server/middlewares/localonly.go b/server/middlewares/localonly.go
@@ -0,0 +1,41 @@
+package middlewares
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+func isLocalIP(ip string) bool {
+	if ip[0:7] == "192.168" || ip[0:3] == "10." {
+		return true
+	}
+
+	if ip[0:4] != "172." {
+		return false
+	}
+
+	tokens := strings.Split(ip, ".")
+
+	if len(tokens) != 4 {
+		return false
+	}
+
+	i, _ := strconv.Atoi(tokens[1])
+
+	return i >= 16 && i <= 31
+}
+
+func LocalOnly(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip := getIP(r)
+
+		// Start with 172 or 192 only
+		if !isLocalIP(ip) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/server/middlewares/localonly_test.go b/server/middlewares/localonly_test.go
@@ -0,0 +1,25 @@
+package middlewares
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsLocalIP(t *testing.T) {
+	assert.True(t, isLocalIP("192.168.1.112"))
+	assert.True(t, isLocalIP("192.168.10.123"))
+
+	assert.False(t, isLocalIP("48.123.45.67"))
+	assert.False(t, isLocalIP("192.166.69.420"))
+
+	assert.True(t, isLocalIP("172.24.0.1"))
+	assert.True(t, isLocalIP("172.18.0.1"))
+
+	assert.False(t, isLocalIP("172.32.0.0"))
+	assert.False(t, isLocalIP("172.15.0.0"))
+
+	assert.False(t, isLocalIP("invalid string"))
+	assert.False(t, isLocalIP("1234:5678:abcd:efgh:ijkl:mnop:qrst:uvwx"))
+	assert.False(t, isLocalIP("172.24.0"))
+}