Merge branch 'main' into Xe/deblobXe/deblob

Signed-off-by: Xe Iaso <me@xeiaso.net>

8 files changed, 60 insertions, 28 deletions

diff --git a/.gitignore b/.gitignore
index a1d56de..5194493 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .env
+*.deb
 *.rpm
 
 # Go binaries and test artifacts
diff --git a/cmd/anubis/main.go b/cmd/anubis/main.go
index 7f98e7b..b634676 100644
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -45,7 +45,7 @@ var (
 	slogLevel            = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	target               = flag.String("target", "http://localhost:3923", "target to reverse proxy to")
 	healthcheck          = flag.Bool("healthcheck", false, "run a health check against Anubis")
-	debugXRealIPDefault  = flag.String("debug-x-real-ip-default", "", "If set, replace empty X-Real-Ip headers with this value, useful only for debugging Anubis and running it locally")
+	useRemoteAddress     = flag.Bool("use-remote-address", false, "read the client's IP address from the network request, useful for debugging and running Anubis on bare metal")
 )
 
 func keyFromHex(value string) (ed25519.PrivateKey, error) {
@@ -214,7 +214,7 @@ func main() {
 
 	var h http.Handler
 	h = s
-	h = internal.DefaultXRealIP(*debugXRealIPDefault, h)
+	h = internal.RemoteXRealIP(*useRemoteAddress, *bindNetwork, h)
 	h = internal.XForwardedForToXRealIP(h)
 
 	srv := http.Server{Handler: h}
@@ -226,7 +226,7 @@ func main() {
 		"serveRobotsTXT", *robotsTxt,
 		"target", *target,
 		"version", anubis.Version,
-		"debug-x-real-ip-default", *debugXRealIPDefault,
+		"use-remote-address", *useRemoteAddress,
 	)
 
 	go func() {
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 384bba7..a16b703 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Hide the directory listings for Anubis' internal static content
+- Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.
 - DroneBL lookups have been disabled by default
 - Static asset builds are now done on demand instead of the results being committed to source control
 - The Dockerfile has been removed as it is no longer in use
diff --git a/docs/docs/admin/installation.mdx b/docs/docs/admin/installation.mdx
index 5352683..ee17a89 100644
--- a/docs/docs/admin/installation.mdx
+++ b/docs/docs/admin/installation.mdx
@@ -55,6 +55,7 @@ Anubis uses these environment variables for configuration:
 | `POLICY_FNAME`            | unset                   | The file containing [bot policy configuration](./policies.md). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                |
 | `SERVE_ROBOTS_TXT`        | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file. |
 | `TARGET`                  | `http://localhost:3923` | The URL of the service that Anubis should forward valid requests to. Supports Unix domain sockets, set this to a URI like so: `unix:///path/to/socket.sock`.                                                                                                                             |
+| `USE_REMOTE_ADDRESS`      | unset                   | If set to `true`, Anubis will take the client's IP from the network socket. For production deployments, it is expected that a reverse proxy is used in front of Anubis, which pass the IP using headers, instead.                                                                        |
 
 ### Key generation
 
diff --git a/internal/headers.go b/internal/headers.go
index 681d076..d73fa33 100644
--- a/internal/headers.go
+++ b/internal/headers.go
@@ -2,7 +2,9 @@ package internal
 
 import (
 	"log/slog"
+	"net"
 	"net/http"
+	"strings"
 
 	"github.com/TecharoHQ/anubis"
 	"github.com/sebest/xff"
@@ -21,16 +23,29 @@ func UnchangingCache(next http.Handler) http.Handler {
 	})
 }
 
-// DefaultXRealIP sets the X-Real-Ip header to the given value if and only if
-// it is not an empty string.
-func DefaultXRealIP(defaultIP string, next http.Handler) http.Handler {
-	if defaultIP == "" {
-		slog.Debug("skipping middleware, defaultIP is empty")
+// RemoteXRealIP sets the X-Real-Ip header to the request's real IP if
+// the setting is enabled by the user.
+func RemoteXRealIP(useRemoteAddress bool, bindNetwork string, next http.Handler) http.Handler {
+	if useRemoteAddress == false {
+		slog.Debug("skipping middleware, useRemoteAddress is empty")
 		return next
 	}
 
+	if bindNetwork == "unix" {
+		// For local sockets there is no real remote address but the localhost
+		// address should be sensible.
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			r.Header.Set("X-Real-Ip", "127.0.0.1")
+			next.ServeHTTP(w, r)
+		})
+	}
+
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		r.Header.Set("X-Real-Ip", defaultIP)
+		host, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			panic(err) // this should never happen
+		}
+		r.Header.Set("X-Real-Ip", host)
 		next.ServeHTTP(w, r)
 	})
 }
@@ -48,3 +63,14 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// Do not allow browsing directory listings in paths that end with /
+func NoBrowsing(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/") {
+			http.NotFound(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/lib/anubis.go b/lib/anubis.go
index 83e04dd..8d5dac1 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -119,7 +119,7 @@ func New(opts Options) (*Server, error) {
 	mux := http.NewServeMux()
 	xess.Mount(mux)
 
-	mux.Handle(anubis.StaticPath, internal.UnchangingCache(http.StripPrefix(anubis.StaticPath, http.FileServerFS(web.Static))))
+	mux.Handle(anubis.StaticPath, internal.UnchangingCache(internal.NoBrowsing(http.StripPrefix(anubis.StaticPath, http.FileServerFS(web.Static)))))
 
 	if opts.ServeRobotsTXT {
 		mux.HandleFunc("/robots.txt", func(w http.ResponseWriter, r *http.Request) {
diff --git a/lib/anubis_test.go b/lib/anubis_test.go
index 90d2cdf..58c8834 100644
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -47,7 +47,7 @@ func TestCookieSettings(t *testing.T) {
 		CookieName:        t.Name(),
 	})
 
-	ts := httptest.NewServer(internal.DefaultXRealIP("127.0.0.1", srv))
+	ts := httptest.NewServer(internal.RemoteXRealIP(true, "tcp", srv))
 	defer ts.Close()
 
 	cli := &http.Client{
diff --git a/yeetfile.js b/yeetfile.js
index b86c4f8..829754c 100644
--- a/yeetfile.js
+++ b/yeetfile.js
@@ -1,22 +1,24 @@
 go.install();
 
-["amd64", "arm64"].forEach(goarch => rpm.build({
-    name: "anubis",
-    description: "Anubis weighs the souls of incoming HTTP requests and uses a proof-of-work challenge in order to protect upstream resources from scraper bots.",
-    homepage: "https://anubis.techaro.lol",
-    license: "MIT",
-    goarch,
+["amd64", "arm64"].forEach(goarch => {
+    [deb, rpm].forEach(method => method.build({
+        name: "anubis",
+        description: "Anubis weighs the souls of incoming HTTP requests and uses a sha256 proof-of-work challenge in order to protect upstream resources from scraper bots.",
+        homepage: "https://anubis.techaro.lol",
+        license: "MIT",
+        goarch,
 
-    build: (out) => {
-        // install Anubis binary
-        go.build("-o", `${out}/usr/bin/anubis`);
+        build: (out) => {
+            // install Anubis binary
+            go.build("-o", `${out}/usr/bin/anubis`, "./cmd/anubis");
 
-        // install systemd unit
-        yeet.run("mkdir", "-p", `${out}/usr/lib/systemd/system`);
-        yeet.run("cp", "run/anubis@.service", `${out}/usr/lib/systemd/system/anubis@.service`);
+            // install systemd unit
+            yeet.run("mkdir", "-p", `${out}/usr/lib/systemd/system`);
+            yeet.run("cp", "run/anubis@.service", `${out}/usr/lib/systemd/system/anubis@.service`);
 
-        // install default config
-        yeet.run("mkdir", "-p", `${out}/etc/anubis`);
-        yeet.run("cp", "run/anubis.env.default", `${out}/etc/anubis/anubis-default.env`);
-    },
-}));
\ No newline at end of file
+            // install default config
+            yeet.run("mkdir", "-p", `${out}/etc/anubis`);
+            yeet.run("cp", "run/anubis.env.default", `${out}/etc/anubis/anubis-default.env`);
+        },
+    }));
+});
\ No newline at end of file