Add denyHosts flag to deny URLs for certain hosts
For example, when running in a Docker swarm cluster we don't want it to have access to our internal services available under *.weave.local. Closes #85
This commit is contained in:
parent
127a621c8a
commit
7264d177a1
3 changed files with 29 additions and 8 deletions
25
README.md
25
README.md
|
@ -183,19 +183,28 @@ Reload the [codercat URL][], and you should now get an error message. You can
|
||||||
specify multiple hosts as a comma separated list, or prefix a host value with
|
specify multiple hosts as a comma separated list, or prefix a host value with
|
||||||
`*.` to allow all sub-domains as well.
|
`*.` to allow all sub-domains as well.
|
||||||
|
|
||||||
### Allowed Hosts List ###
|
### Allowed and Denied Hosts List ###
|
||||||
|
|
||||||
You can limit the remote hosts that the proxy will fetch images from using the
|
You can limit the remote hosts that the proxy will fetch images from using the
|
||||||
`allowHosts` flag. This is useful, for example, for locking the proxy down to
|
`allowHosts` and `denyHosts` flags. This is useful, for example, for locking
|
||||||
your own hosts to prevent others from abusing it. Of course if you want to
|
the proxy down to your own hosts to prevent others from abusing it. Of course
|
||||||
support fetching from any host, leave off the allowHosts flag. Try it out by
|
if you want to support fetching from any host, leave off these flags.
|
||||||
running:
|
|
||||||
|
Try it out by running:
|
||||||
|
|
||||||
imageproxy -allowHosts example.com
|
imageproxy -allowHosts example.com
|
||||||
|
|
||||||
Reload the [codercat URL][], and you should now get an error message. You can
|
Reload the [codercat URL][], and you should now get an error message.
|
||||||
specify multiple hosts as a comma separated list, or prefix a host value with
|
Alternately, try running:
|
||||||
`*.` to allow all sub-domains as well.
|
|
||||||
|
imageproxy -denyHosts octodex.github.com
|
||||||
|
|
||||||
|
Reloading the [codercat URL][] will still return an error message.
|
||||||
|
|
||||||
|
You can specify multiple hosts as a comma separated list to either flag, or
|
||||||
|
prefix a host value with `*.` to allow or deny all sub-domains as well.
|
||||||
|
|
||||||
|
If a host matches both an allowed an a denied host, the request will be denied.
|
||||||
|
|
||||||
### Allowed Content-Type List ###
|
### Allowed Content-Type List ###
|
||||||
|
|
||||||
|
|
|
@ -44,6 +44,7 @@ const defaultMemorySize = 100
|
||||||
var addr = flag.String("addr", "localhost:8080", "TCP address to listen on")
|
var addr = flag.String("addr", "localhost:8080", "TCP address to listen on")
|
||||||
var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts")
|
var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts")
|
||||||
var whitelist = flag.String("whitelist", "", "deprecated. use 'allowHosts' instead")
|
var whitelist = flag.String("whitelist", "", "deprecated. use 'allowHosts' instead")
|
||||||
|
var denyHosts = flag.String("denyHosts", "", "comma separated list of denied remote hosts")
|
||||||
var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
|
var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
|
||||||
var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
|
var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
|
||||||
var cache tieredCache
|
var cache tieredCache
|
||||||
|
@ -70,6 +71,9 @@ func main() {
|
||||||
if *allowHosts != "" {
|
if *allowHosts != "" {
|
||||||
p.AllowHosts = strings.Split(*allowHosts, ",")
|
p.AllowHosts = strings.Split(*allowHosts, ",")
|
||||||
}
|
}
|
||||||
|
if *denyHosts != "" {
|
||||||
|
p.DenyHosts = strings.Split(*denyHosts, ",")
|
||||||
|
}
|
||||||
if *referrers != "" {
|
if *referrers != "" {
|
||||||
p.Referrers = strings.Split(*referrers, ",")
|
p.Referrers = strings.Split(*referrers, ",")
|
||||||
}
|
}
|
||||||
|
|
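Review bot: `p.DenyHosts = strings.Split(*denyHosts, ",")` copies the `allowHosts` handling and so keeps any whitespace around the commas, which for a deny list fails open: an operator who writes `-denyHosts "a.weave.local, b.weave.local"` gets a second entry of `" b.weave.local"` that presumably never matches any host, and nothing warns them. Trimming each entry (`for i, h := range p.DenyHosts { p.DenyHosts[i] = strings.TrimSpace(h) }`) or rejecting empty entries at startup would make that misconfiguration visible instead of silent. The flag help text could also carry the precedence rule the README states, e.g. `"comma separated list of denied remote hosts (takes precedence over allowHosts)"`. The enclosing `main` starts and ends outside the hunk.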
|
@ -49,6 +49,10 @@ type Proxy struct {
|
||||||
// Whitelist should no longer be used. Use "AllowHosts" instead.
|
// Whitelist should no longer be used. Use "AllowHosts" instead.
|
||||||
Whitelist []string
|
Whitelist []string
|
||||||
|
|
||||||
|
// DenyHosts specifies a list of remote hosts that images cannot be
|
||||||
|
// proxied from.
|
||||||
|
DenyHosts []string
|
||||||
|
|
||||||
// Referrers, when given, requires that requests to the image
|
// Referrers, when given, requires that requests to the image
|
||||||
// proxy come from a referring host. An empty list means all
|
// proxy come from a referring host. An empty list means all
|
||||||
// hosts are allowed.
|
// hosts are allowed.
|
||||||
|
@ -225,6 +229,10 @@ func (p *Proxy) allowed(r *Request) error {
|
||||||
return fmt.Errorf("request does not contain an allowed referrer: %v", r)
|
return fmt.Errorf("request does not contain an allowed referrer: %v", r)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if validHost(p.DenyHosts, r.URL) {
|
||||||
|
return fmt.Errorf("request contains a denied host %v", r)
|
||||||
|
}
|
||||||
|
|
||||||
if len(p.AllowHosts) == 0 && len(p.SignatureKey) == 0 {
|
if len(p.AllowHosts) == 0 && len(p.SignatureKey) == 0 {
|
||||||
return nil // no allowed hosts or signature key, all requests accepted
|
return nil // no allowed hosts or signature key, all requests accepted
|
||||||
}
|
}
|
||||||
|
|
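Review bot: The new deny check in `allowed` only ever sees the request's host name, so if `validHost` (defined outside this hunk) matches on hostname strings as the README describes, a request naming an internal service by IP address, or by any name not on the list that still resolves into the internal network, is not blocked — a caveat worth recording in the `DenyHosts` doc comment, since keeping the proxy away from internal services is the stated motivation. It is also worth confirming that `validHost` compares against `r.URL.Hostname()` rather than `r.URL.Host`, as otherwise a `host:port` form would not match a bare deny entry. The doc comment should state the precedence the README promises, e.g. `// DenyHosts specifies a list of remote hosts that images cannot be proxied from. A host matching both AllowHosts and DenyHosts is denied; entries accept the same "*." prefix as AllowHosts.` For consistency with the neighbouring referrer error, `return fmt.Errorf("request contains a denied host: %v", r)`. The enclosing `allowed` function starts and ends outside the hunk.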