diff options
author | Ben Sima <ben@bsima.me> | 2020-03-31 21:31:20 -0700 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2020-03-31 21:31:20 -0700 |
commit | b0307e5cafa71724503684575bcece762b203723 (patch) | |
tree | 32dcc61a1b621a2911a5b8069b5479831bd8457a /Run | |
parent | 8f916d18e598c460274008808e996e1ece45aeee (diff) |
Finally fixed the guardIP thing
Turns out the ultimate reason was that I wasn't actually returning out
of the handler, I was just setting the HTTP status. Now I'm sure that it
works correctly.
Diffstat (limited to 'Run')
-rw-r--r-- | Run/Que/Server.hs | 22 | ||||
-rw-r--r-- | Run/Que/service.nix | 3 |
2 files changed, 12 insertions, 13 deletions
diff --git a/Run/Que/Server.hs b/Run/Que/Server.hs index e0327a5..218c821 100644 --- a/Run/Que/Server.hs +++ b/Run/Que/Server.hs @@ -29,7 +29,6 @@ import Data.Text.Lazy ( Text , fromStrict ) import qualified Network.HTTP.Types.Status as Http -import qualified Network.Socket as Socket import qualified Network.Wai as Wai import qualified Network.Wai.Handler.Warp as Warp import Network.Wai.Middleware.RequestLogger @@ -67,14 +66,6 @@ data Error = ErrorParsingOptions instance Exception.Exception Error --- | Only allow my IP or local to access some route. -guardIP :: Wai.Request -> Scotty.ActionT Text App () -guardIP r = case Wai.remoteHost r of - Socket.SockAddrInet _ ip | ip `elem` allowed -> Scotty.status Http.ok200 - _ -> Scotty.status Http.methodNotAllowed405 - where - allowed = Socket.tupleToHostAddress </ [(73, 222, 221, 62), (127, 0, 0, 1)] - routes :: Scotty.ScottyT Text App () routes = do Scotty.middleware logStdout @@ -111,10 +102,17 @@ routes = do -- -- Put a value on a que. Returns immediately. Scotty.post (Scotty.regex quepath) <| do - r <- Scotty.request + xFwdHost <- Scotty.header "X-Forwarded-Host" + xRealIP <- Scotty.header "X-Real-IP" + host <- Scotty.header "Host" (ns, qp) <- extract - -- "_" is a special, internal namespace that only I can use - when ("_" == ns) <| guardIP r + -- Only allow my IP or localhost to access '_' namespace + when ("_" == ns) <| case (xFwdHost, xRealIP, host) of + (Just "73.222.221.62", _, _) -> Scotty.status Http.ok200 + (_, Just "73.222.221.62", _) -> Scotty.status Http.ok200 + (Just "::1", Just "::1", Just "localhost") -> Scotty.status Http.ok200 + _ -> Scotty.status Http.methodNotAllowed405 + >> Scotty.text "error 405 not allowed: _ is a reserved namespace" app . modify <| upsertNamespace ns q <- app <| que ns qp qdata <- Scotty.body diff --git a/Run/Que/service.nix b/Run/Que/service.nix index 1d82bd6..aa68657 100644 --- a/Run/Que/service.nix +++ b/Run/Que/service.nix @@ -61,7 +61,8 @@ in locations."/" = { proxyPass = "http://localhost:${toString cfg.port}"; extraConfig = '' - # forward the headers so the `guardIP` function works properly + proxy_set_header X-Real-IP $realip_remote_addr; + proxy_set_header X-Forwarded-Host $remote_addr; proxy_pass_request_headers on; ''; }; |