
Add denyHosts flag to deny URLs for certain hosts

For example, when running in a Docker swarm cluster we don't want it to
have access to our internal services available under *.weave.local

Closes 
This commit is contained in:
yvind Ngai Johnsen 2017-03-23 10:42:39 +01:00 committed by Will Norris
parent 127a621c8a
commit 7264d177a1
3 changed files with 29 additions and 8 deletions


@ -183,19 +183,28 @@ Reload the [codercat URL][], and you should now get an error message. You can
specify multiple hosts as a comma separated list, or prefix a host value with specify multiple hosts as a comma separated list, or prefix a host value with
`*.` to allow all sub-domains as well. `*.` to allow all sub-domains as well.
### Allowed Hosts List ### ### Allowed and Denied Hosts List ###
You can limit the remote hosts that the proxy will fetch images from using the You can limit the remote hosts that the proxy will fetch images from using the
`allowHosts` flag. This is useful, for example, for locking the proxy down to `allowHosts` and `denyHosts` flags. This is useful, for example, for locking
your own hosts to prevent others from abusing it. Of course if you want to the proxy down to your own hosts to prevent others from abusing it. Of course
support fetching from any host, leave off the allowHosts flag. Try it out by if you want to support fetching from any host, leave off these flags.
running:
Try it out by running:
imageproxy -allowHosts example.com imageproxy -allowHosts example.com
Reload the [codercat URL][], and you should now get an error message. You can Reload the [codercat URL][], and you should now get an error message.
specify multiple hosts as a comma separated list, or prefix a host value with Alternately, try running:
`*.` to allow all sub-domains as well.
imageproxy -denyHosts octodex.github.com
Reloading the [codercat URL][] will still return an error message.
You can specify multiple hosts as a comma separated list to either flag, or
prefix a host value with `*.` to allow or deny all sub-domains as well.
If a host matches both an allowed an a denied host, the request will be denied.
### Allowed Content-Type List ### ### Allowed Content-Type List ###


@ -44,6 +44,7 @@ const defaultMemorySize = 100
var addr = flag.String("addr", "localhost:8080", "TCP address to listen on") var addr = flag.String("addr", "localhost:8080", "TCP address to listen on")
var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts") var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts")
var whitelist = flag.String("whitelist", "", "deprecated. use 'allowHosts' instead") var whitelist = flag.String("whitelist", "", "deprecated. use 'allowHosts' instead")
var denyHosts = flag.String("denyHosts", "", "comma separated list of denied remote hosts")
var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts") var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs") var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
var cache tieredCache var cache tieredCache
@ -70,6 +71,9 @@ func main() {
if *allowHosts != "" { if *allowHosts != "" {
p.AllowHosts = strings.Split(*allowHosts, ",") p.AllowHosts = strings.Split(*allowHosts, ",")
} }
if *denyHosts != "" {
p.DenyHosts = strings.Split(*denyHosts, ",")
}
if *referrers != "" { if *referrers != "" {
p.Referrers = strings.Split(*referrers, ",") p.Referrers = strings.Split(*referrers, ",")
} }
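Review bot: The new `p.DenyHosts = strings.Split(*denyHosts, ",")` in main keeps whatever surrounds each entry, so a value such as `-denyHosts "a.example, b.example"` stores `" b.example"`, which a host comparison will presumably never match — for a deny list that is a silent fail-open, the opposite of the flag's purpose. Trimming each entry and dropping empties (a trailing comma otherwise yields an empty pattern whose effect depends on validHost, which is not shown here) closes that gap; the same applies to the untouched allowHosts line above it, so a shared helper for both would keep them consistent. main's body continues outside the hunk.
```go
if *denyHosts != "" {
	for _, h := range strings.Split(*denyHosts, ",") {
		if h = strings.TrimSpace(h); h != "" {
			p.DenyHosts = append(p.DenyHosts, h)
		}
	}
}
// … unchanged: referrers parsing …
```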


@ -49,6 +49,10 @@ type Proxy struct {
// Whitelist should no longer be used. Use "AllowHosts" instead. // Whitelist should no longer be used. Use "AllowHosts" instead.
Whitelist []string Whitelist []string
// DenyHosts specifies a list of remote hosts that images cannot be
// proxied from.
DenyHosts []string
// Referrers, when given, requires that requests to the image // Referrers, when given, requires that requests to the image
// proxy come from a referring host. An empty list means all // proxy come from a referring host. An empty list means all
// hosts are allowed. // hosts are allowed.
@ -225,6 +229,10 @@ func (p *Proxy) allowed(r *Request) error {
return fmt.Errorf("request does not contain an allowed referrer: %v", r) return fmt.Errorf("request does not contain an allowed referrer: %v", r)
} }
if validHost(p.DenyHosts, r.URL) {
return fmt.Errorf("request contains a denied host %v", r)
}
if len(p.AllowHosts) == 0 && len(p.SignatureKey) == 0 { if len(p.AllowHosts) == 0 && len(p.SignatureKey) == 0 {
return nil // no allowed hosts or signature key, all requests accepted return nil // no allowed hosts or signature key, all requests accepted
} }
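Review bot: The DenyHosts doc comment in the struct hunk should state the precedence the README now promises, since nothing in the type documents it: `// DenyHosts takes precedence over AllowHosts: a host matching both lists is denied.` It should also note that, as far as can be seen from `validHost(p.DenyHosts, r.URL)`, matching is on the request URL's host string, so a backend reachable by an IP literal or by another name is not covered by a name-based deny entry — the reader deploying this for the *.weave.local case in the commit message needs that caveat. The new error string also breaks the format of its neighbour `"request does not contain an allowed referrer: %v"`; use `return fmt.Errorf("request contains a denied host: %v", r)`. The body of allowed continues past the hunk, so the ordering of this check relative to the signature check is not visible here, and validHost's handling of an empty list or empty pattern is inferred rather than shown.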