kirby/http-broadcaster
1
0
Fork 0
Code Pull Requests Packages Projects Releases Activity

Migration to kubernetes + vault-agent

Browse Source
This commit is contained in:
kirby
2025-01-13 17:00:23 +01:00
parent 4219a7d001
commit 60ab4ff110
13 changed files with 197 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
app/Http/utils.go
View File

@@ -8,8 +8,8 @@ import (
"io"
"log"
"net/http"
"net/netip"
"strconv"
"strings"
"time"
)
@@ -19,7 +19,7 @@ func logRequest(t time.Time, r *http.Request, s int, h map[string]string) {
if len(h) == 0 {
log.Printf("%s %s - - %s \"%s %s %s\" %d 0 \"-\" \"%s\" %d\n",
r.Host,
r.Header["X-Real-Ip"][0],
r.Header["X-Forwarded-For"][0],
t.Format("[02/Jan/2006:15:04:05 -0700]"),
r.Method,
r.URL.Path,
@@ -37,7 +37,7 @@ func logRequest(t time.Time, r *http.Request, s int, h map[string]string) {
}
log.Printf("%s %s - - %s \"%s %s %s\" %d 0 \"-\" \"%s\" %d %s\n",
r.Host,
r.Header["X-Real-Ip"][0],
r.Header["X-Forwarded-For"][0],
t.Format("[02/Jan/2006:15:04:05 -0700]"),
r.Method,
r.URL.Path,
@@ -51,21 +51,30 @@ func logRequest(t time.Time, r *http.Request, s int, h map[string]string) {
}
// checkAllowedIP verify if the IPs is authorized to do BAN/PURGE request.
func checkAllowedIP(ip netip.Addr) bool {
func checkAllowedIP(ip string) bool {
return tools.IPAllowed(ip)
}
// RequestHandler handles requests to broadcast to all varnish instances.
func RequestHandler(w http.ResponseWriter, r *http.Request) {
var tag = make(map[string]string)
// check x-real-ip instead of RemoteAddr header because kube
ip, err := netip.ParseAddr(r.Header["X-Real-Ip"][0])
if err != nil {
panic(err)
ipAddress := r.RemoteAddr
// check x-forwarded-for instead of RemoteAddr header because kube
//ip, err := netip.ParseAddr(r.Header["X-Forwarded-For"][0])
fwdAddress := r.Header.Get("X-Forwarded-For")
if fwdAddress != "" {
// Case there is a single IP in the header
ipAddress = fwdAddress
ips := strings.Split(fwdAddress, ",")
if len(ips) > 1 {
ipAddress = ips[0]
}
}
// If IP is not authorized to do purge/ban requests, respond with 401.
if !checkAllowedIP(ip) {
log.Printf("Client ip not authorized : %v", ip)
if !checkAllowedIP(ipAddress) {
log.Printf("Client ip not authorized : %v", ipAddress)
w.WriteHeader(401)
_, _ = io.WriteString(w, strconv.Itoa(401))
return