1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
package internal
import (
"log/slog"
"net"
"net/http"
"strings"
"github.com/TecharoHQ/anubis"
"github.com/sebest/xff"
)
// UnchangingCache sets the Cache-Control header to cache a response for 1 year if
// and only if the application is compiled in "release" mode by Docker.
func UnchangingCache(next http.Handler) http.Handler {
//goland:noinspection GoBoolExpressions
if anubis.Version == "devel" {
return next
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "public, max-age=31536000")
next.ServeHTTP(w, r)
})
}
// RemoteXRealIP sets the X-Real-Ip header to the request's real IP if
// the setting is enabled by the user.
func RemoteXRealIP(useRemoteAddress bool, bindNetwork string, next http.Handler) http.Handler {
if !useRemoteAddress {
slog.Debug("skipping middleware, useRemoteAddress is empty")
return next
}
if bindNetwork == "unix" {
// For local sockets there is no real remote address but the localhost
// address should be sensible.
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r.Header.Set("X-Real-Ip", "127.0.0.1")
next.ServeHTTP(w, r)
})
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
panic(err) // this should never happen
}
r.Header.Set("X-Real-Ip", host)
next.ServeHTTP(w, r)
})
}
// XForwardedForToXRealIP sets the X-Real-Ip header based on the contents
// of the X-Forwarded-For header.
func XForwardedForToXRealIP(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if xffHeader := r.Header.Get("X-Forwarded-For"); r.Header.Get("X-Real-Ip") == "" && xffHeader != "" {
ip := xff.Parse(xffHeader)
slog.Debug("setting x-real-ip", "val", ip)
r.Header.Set("X-Real-Ip", ip)
}
next.ServeHTTP(w, r)
})
}
// XForwardedForUpdate sets or updates the X-Forwarded-For header, adding
// the known remote address to an existing chain if present
func XForwardedForUpdate(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
defer next.ServeHTTP(w, r)
remoteIP, _, err := net.SplitHostPort(r.RemoteAddr)
if parsedRemoteIP := net.ParseIP(remoteIP); parsedRemoteIP != nil && parsedRemoteIP.IsLoopback() {
// anubis is likely deployed behind a local reverse proxy
// pass header as-is to not break existing applications
return
}
if err != nil {
slog.Warn("The default format of request.RemoteAddr should be IP:Port", "remoteAddr", r.RemoteAddr)
return
}
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
forwardedList := strings.Split(",", xff)
forwardedList = append(forwardedList, remoteIP)
// this behavior is equivalent to
// ingress-nginx "compute-full-forwarded-for"
// https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#compute-full-forwarded-for
//
// this would be the correct place to strip and/or flatten this list
//
// strip - iterate backwards and eliminate configured trusted IPs
// flatten - only return the last element to avoid spoofing confusion
//
// many applications handle this in different ways, but
// generally they'd be expected to do these two things on
// their own end to find the first non-spoofed IP
r.Header.Set("X-Forwarded-For", strings.Join(forwardedList, ","))
} else {
r.Header.Set("X-Forwarded-For", remoteIP)
}
})
}
// NoStoreCache sets the Cache-Control header to no-store for the response.
func NoStoreCache(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "no-store")
next.ServeHTTP(w, r)
})
}
// NoBrowsing prevents directory browsing by returning a 404 for any request that ends with a "/".
func NoBrowsing(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.HasSuffix(r.URL.Path, "/") {
http.NotFound(w, r)
return
}
next.ServeHTTP(w, r)
})
}
|
