afan
/
gitea
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Pull Requests 0 Wydania 0 Wiki Aktywność
gitea源码
3 Commity
2 Gałęzie
Drzewo: 6d2efddf43
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '6d2efddf43'
${ noResults }
gitea/modules/hostmatcher/http.go

http.go 2.4KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package hostmatcher

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"net"

  10. 	"net/url"

  11. 	"syscall"

  12. 	"time"

  13. )

  14. 

  15. // NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check

  16. func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {

  17. 	// How Go HTTP Client works with redirection:

  18. 	//   transport.RoundTrip URL=http://domain.com, Host=domain.com

  19. 	//   transport.DialContext addrOrHost=domain.com:80

  20. 	//   dialer.Control tcp4:11.22.33.44:80

  21. 	//   transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)

  22. 	//   transport.DialContext addrOrHost=domain.com:80

  23. 	//   dialer.Control tcp4:11.22.33.44:80

  24. 	return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {

  25. 		dialer := net.Dialer{

  26. 			// default values comes from http.DefaultTransport

  27. 			Timeout:   30 * time.Second,

  28. 			KeepAlive: 30 * time.Second,

  29. 

  30. 			Control: func(network, ipAddr string, c syscall.RawConn) error {

  31. 				host, port, err := net.SplitHostPort(addrOrHost)

  32. 				if err != nil {

  33. 					return err

  34. 				}

  35. 				if proxy != nil {

  36. 					// Always allow the host of the proxy, but only on the specified port.

  37. 					if host == proxy.Hostname() && port == proxy.Port() {

  38. 						return nil

  39. 					}

  40. 				}

  41. 

  42. 				// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here

  43. 				tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)

  44. 				if err != nil {

  45. 					return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%w", usage, host, network, ipAddr, err)

  46. 				}

  47. 

  48. 				var blockedError error

  49. 				if blockList.MatchHostOrIP(host, tcpAddr.IP) {

  50. 					blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr)

  51. 				}

  52. 

  53. 				// if we have an allow-list, check the allow-list first

  54. 				if !allowList.IsEmpty() {

  55. 					if !allowList.MatchHostOrIP(host, tcpAddr.IP) {

  56. 						return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr)

  57. 					}

  58. 				}

  59. 				// otherwise, we always follow the blocked list

  60. 				return blockedError

  61. 			},

  62. 		}

  63. 		return dialer.DialContext(ctx, network, addrOrHost)

  64. 	}

  65. }