summaryrefslogtreecommitdiff
path: root/Run
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2020-03-31 21:31:20 -0700
committerBen Sima <ben@bsima.me>2020-03-31 21:31:20 -0700
commitb0307e5cafa71724503684575bcece762b203723 (patch)
tree32dcc61a1b621a2911a5b8069b5479831bd8457a /Run
parent8f916d18e598c460274008808e996e1ece45aeee (diff)
Finally fixed the guardIP thing
Turns out the ultimate reason was that I wasn't actually returning out of the handler, I was just setting the HTTP status. Now I'm sure that it works correctly.
Diffstat (limited to 'Run')
-rw-r--r--Run/Que/Server.hs22
-rw-r--r--Run/Que/service.nix3
2 files changed, 12 insertions, 13 deletions
diff --git a/Run/Que/Server.hs b/Run/Que/Server.hs
index e0327a5..218c821 100644
--- a/Run/Que/Server.hs
+++ b/Run/Que/Server.hs
@@ -29,7 +29,6 @@ import Data.Text.Lazy ( Text
, fromStrict
)
import qualified Network.HTTP.Types.Status as Http
-import qualified Network.Socket as Socket
import qualified Network.Wai as Wai
import qualified Network.Wai.Handler.Warp as Warp
import Network.Wai.Middleware.RequestLogger
@@ -67,14 +66,6 @@ data Error = ErrorParsingOptions
instance Exception.Exception Error
--- | Only allow my IP or local to access some route.
-guardIP :: Wai.Request -> Scotty.ActionT Text App ()
-guardIP r = case Wai.remoteHost r of
- Socket.SockAddrInet _ ip | ip `elem` allowed -> Scotty.status Http.ok200
- _ -> Scotty.status Http.methodNotAllowed405
- where
- allowed = Socket.tupleToHostAddress </ [(73, 222, 221, 62), (127, 0, 0, 1)]
-
routes :: Scotty.ScottyT Text App ()
routes = do
Scotty.middleware logStdout
@@ -111,10 +102,17 @@ routes = do
--
-- Put a value on a que. Returns immediately.
Scotty.post (Scotty.regex quepath) <| do
- r <- Scotty.request
+ xFwdHost <- Scotty.header "X-Forwarded-Host"
+ xRealIP <- Scotty.header "X-Real-IP"
+ host <- Scotty.header "Host"
(ns, qp) <- extract
- -- "_" is a special, internal namespace that only I can use
- when ("_" == ns) <| guardIP r
+ -- Only allow my IP or localhost to access '_' namespace
+ when ("_" == ns) <| case (xFwdHost, xRealIP, host) of
+ (Just "73.222.221.62", _, _) -> Scotty.status Http.ok200
+ (_, Just "73.222.221.62", _) -> Scotty.status Http.ok200
+ (Just "::1", Just "::1", Just "localhost") -> Scotty.status Http.ok200
+ _ -> Scotty.status Http.methodNotAllowed405
+ >> Scotty.text "error 405 not allowed: _ is a reserved namespace"
app . modify <| upsertNamespace ns
q <- app <| que ns qp
qdata <- Scotty.body
diff --git a/Run/Que/service.nix b/Run/Que/service.nix
index 1d82bd6..aa68657 100644
--- a/Run/Que/service.nix
+++ b/Run/Que/service.nix
@@ -61,7 +61,8 @@ in
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
extraConfig = ''
- # forward the headers so the `guardIP` function works properly
+ proxy_set_header X-Real-IP $realip_remote_addr;
+ proxy_set_header X-Forwarded-Host $remote_addr;
proxy_pass_request_headers on;
'';
};