mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16872 Commits
17 Branches
Tree: v1.21.10
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.21.10'
${ noResults }
gitea/modules/hostmatcher/http.go

http.go 2.6KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package hostmatcher

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"net"

  10. 	"net/url"

  11. 	"syscall"

  12. 	"time"

  13. )

  14. 

  15. // NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check

  16. func NewDialContext(usage string, allowList, blockList *HostMatchList) func(ctx context.Context, network, addr string) (net.Conn, error) {

  17. 	return NewDialContextWithProxy(usage, allowList, blockList, nil)

  18. }

  19. 

  20. func NewDialContextWithProxy(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {

  21. 	// How Go HTTP Client works with redirection:

  22. 	//   transport.RoundTrip URL=http://domain.com, Host=domain.com

  23. 	//   transport.DialContext addrOrHost=domain.com:80

  24. 	//   dialer.Control tcp4:11.22.33.44:80

  25. 	//   transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)

  26. 	//   transport.DialContext addrOrHost=domain.com:80

  27. 	//   dialer.Control tcp4:11.22.33.44:80

  28. 	return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {

  29. 		dialer := net.Dialer{

  30. 			// default values comes from http.DefaultTransport

  31. 			Timeout:   30 * time.Second,

  32. 			KeepAlive: 30 * time.Second,

  33. 

  34. 			Control: func(network, ipAddr string, c syscall.RawConn) error {

  35. 				host, port, err := net.SplitHostPort(addrOrHost)

  36. 				if err != nil {

  37. 					return err

  38. 				}

  39. 				if proxy != nil {

  40. 					// Always allow the host of the proxy, but only on the specified port.

  41. 					if host == proxy.Hostname() && port == proxy.Port() {

  42. 						return nil

  43. 					}

  44. 				}

  45. 

  46. 				// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here

  47. 				tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)

  48. 				if err != nil {

  49. 					return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%w", usage, host, network, ipAddr, err)

  50. 				}

  51. 

  52. 				var blockedError error

  53. 				if blockList.MatchHostOrIP(host, tcpAddr.IP) {

  54. 					blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr)

  55. 				}

  56. 

  57. 				// if we have an allow-list, check the allow-list first

  58. 				if !allowList.IsEmpty() {

  59. 					if !allowList.MatchHostOrIP(host, tcpAddr.IP) {

  60. 						return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr)

  61. 					}

  62. 				}

  63. 				// otherwise, we always follow the blocked list

  64. 				return blockedError

  65. 			},

  66. 		}

  67. 		return dialer.DialContext(ctx, network, addrOrHost)

  68. 	}

  69. }