This repository has been archived by the owner on May 12, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathapi.go
116 lines (111 loc) · 3 KB
/
api.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package srp
import (
"encoding/json"
"errors"
"fmt"
"log"
"net"
"net/http"
"strconv"
"strings"
)
// RedirectHTTPHandler redirects http requests to use the API if the request
// originated from the whitelisted subnet. In all other GET and HEAD requests,
// this handler redirects to HTTPS. For POST, PUT, etc. this handler throws an
// error letting the client know to use HTTPS.
func (rp *ReverseProxy) RedirectHTTPHandler() (http.Handler, error) {
fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "GET", "HEAD": // Do nothing
default:
http.Error(w, "Use HTTPS", http.StatusBadRequest)
return
}
target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
http.Redirect(w, r, target, http.StatusFound)
})
if rp.reg.API.Subnet == "" {
return fn, nil
}
if localIP := getLocalIP(); localIP == "" {
return fn, nil
}
maskedIP, mask, err := maskIP(rp.reg.API.Subnet)
if err != nil {
return nil, fmt.Errorf("mask: %w", err)
}
fn = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "GET", "HEAD": // Do nothing
default:
http.Error(w, "Use HTTPS", http.StatusBadRequest)
return
}
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if maskedIP == net.ParseIP(host).Mask(mask).String() {
if strings.TrimPrefix(r.URL.Path, "/") == "services" {
data := map[string][]string{}
reg := rp.cloneRegistry()
for host, srv := range reg.Services {
data[host] = srv.liveBackends
}
err := json.NewEncoder(w).Encode(data)
if err != nil {
log.Printf("failed to encode registry: %s", err)
}
return
}
}
target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
http.Redirect(w, r, target, http.StatusFound)
})
return fn, nil
}
func stripPort(hostport string) string {
host, _, err := net.SplitHostPort(hostport)
if err != nil {
return hostport
}
return net.JoinHostPort(host, "443")
}
// getLocalIP returns the non-loopback local IP of the host.
//
// This is taken from https://stackoverflow.com/a/31551220
func getLocalIP() string {
addrs, err := net.InterfaceAddrs()
if err != nil {
return ""
}
for _, address := range addrs {
// check the address type and if it is not a loopback the
// display it
ipnet, ok := address.(*net.IPNet)
if ok && !ipnet.IP.IsLoopback() {
if ipnet.IP.To4() != nil {
return ipnet.IP.String()
}
}
}
return ""
}
func maskIP(subnet string) (string, net.IPMask, error) {
parts := strings.SplitN(subnet, "/", 2)
if len(parts) != 2 {
return "", nil, errors.New("bad subnet: expected ip/mask in the form of 10.1.2.0/24")
}
maskBits, err := strconv.Atoi(parts[1])
if err != nil {
return "", nil, fmt.Errorf("bad mask: %w", err)
}
mask := net.CIDRMask(maskBits, 32)
ip := net.ParseIP(parts[0])
maskedIP := ip.Mask(mask).String()
if maskedIP == "<nil>" {
return "", nil, fmt.Errorf("bad masked ip: %s", parts[0])
}
return maskedIP, mask, nil
}