pixl-server-web 2.0.3 → 2.0.5

package/README.md

@@ -35,6 +35,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_brotli_opts](#http_brotli_opts)
 	* [http_default_acl](#http_default_acl)
 	* [http_blacklist](#http_blacklist)
+	* [http_allow_hosts](#http_allow_hosts)
 	* [http_rewrites](#http_rewrites)
 	* [http_redirects](#http_redirects)
 	* [http_log_requests](#http_log_requests)
@@ -68,6 +69,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [https_force](#https_force)
 	* [https_header_detect](#https_header_detect)
 	* [https_timeout](#https_timeout)
+	* [https_bind_address](#https_bind_address)
 - [Custom URI Handlers](#custom-uri-handlers)
 	* [Access Control Lists](#access-control-lists)
 	* [Internal File Redirects](#internal-file-redirects)
@@ -441,6 +443,22 @@ This example would reject all incoming IP addresses from Apple and AT&T (who own
 
 When a new incoming connection is established, the socket IP is immediately checked against the blacklist, and if matched, the socket is "hard closed".  This is an early detection and rejection, before the HTTP request even comes in.  In this case a HTTP response isn't sent back (as the socket is simply slammed shut).  However, if you are using a load balancer or proxy, the user's true IP address might not be known until later on in the request cycle, once the HTTP headers are read in.  At that point all the user's IPs are checked against the blacklist again, and if any of them match, a `HTTP 403 Forbidden` response is sent back.
 
+## http_allow_hosts
+
+The `http_allow_hosts` property allows you to specify a limited set of hosts to allow for incoming requests.  Specifically, this matches the incoming HTTP `Host` request header, or SNI (TLS handshake) host for HTTPS, and the value must match at least one entry in the array (case-insensitive).  For example, if you are hosting your application behind a domain name, you may want to restrict incoming requests so that they must explicitly point to your domain name.  Here is how to set this up:
+
+```json
+	"http_allow_hosts": ["mydomain.com"]
+```
+
+In the above example, only requests to `mydomain.com` would be allowed.  All other domains or IP addresses in the URL would be rejected with a `HTTP 403 Forbidden` error (or in the case of SNI / TLS handshake the socket is simply closed).  Include multiple entries in the array for things like subdomains:
+
+```json
+	"http_allow_hosts": ["mydomain.com", "www.mydomain.com"]
+```
+
+If the `http_allow_hosts` array is empty or omitted entirely, all hosts are allowed.  This is the default behavior.
+
 ## http_rewrites
 
 If you need to rewrite certain incoming URLs on-the-fly, you can define rules in the `http_rewrites` object.  The basic format is as follows: keys are regular expressions matched on incoming URI paths, and the values are the substitution strings to use as replacements.  Here is a simple example:

package/lib/https.js

@@ -56,7 +56,7 @@ module.exports = class HTTP2 {
 			
 			if (max_conns && (self.numConns >= max_conns)) {
 				// reached maximum concurrent connections, abort new ones
-				self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { ip: ip, port: port, max: max_conns });
+				self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { host: socket.servername || '', ip: ip, port: port, max: max_conns });
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
@@ -65,14 +65,23 @@ module.exports = class HTTP2 {
 			}
 			if (self.server.shut) {
 				// server is shutting down, abort new connections
-				self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { ip: ip, port: port});
+				self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port});
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
 				return;
 			}
 			if (ip && self.aclBlacklist.checkAny(ip)) {
-				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { ip: ip, port: port });
+				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port });
+				socket.end();
+				socket.unref();
+				socket.destroy(); // hard close
+				return;
+			}
+			
+			// SNI: check allow list at socket connect time
+			if (self.httpsAllowHosts.length && !self.httpsAllowHosts.includes( ('' + socket.servername).toLowerCase() )) {
+				self.logError('allowhosts', "SNI host not allowed: " + (socket.servername || 'n/a'), { host: socket.servername || '', ip: ip, port: port });
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
@@ -82,7 +91,7 @@ module.exports = class HTTP2 {
 			var id = self.getNextId('cs');
 			self.conns[ id ] = socket;
 			self.numConns++;
-			self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { ip: ip, port: port, num_conns: self.numConns });
+			self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { host: socket.servername || '', ip: ip, port: port, num_conns: self.numConns });
 			
 			// Disable the Nagle algorithm.
 			socket.setNoDelay( true );

package/lib/request.js

@@ -71,6 +71,24 @@ module.exports = class Request {
 			return;
 		}
 		
+		// custom host allow list
+		if (this.allowHosts.length && !this.allowHosts.includes( ('' + request.headers['host']).toLowerCase().replace(/\:\d+$/, '') )) {
+			this.logError(403, "Forbidden: Host not allowed: " + (request.headers['host'] || 'n/a'), {
+				id: args.id,
+				host: request.headers['host'] || '',
+				useragent: request.headers['user-agent'] || '',
+				referrer: request.headers['referer'] || '',
+				cookie: request.headers['cookie'] || '',
+				url: this.getSelfURL(request, request.url) || request.url
+			});
+			this.sendHTTPResponse( args, 
+				"403 Forbidden", 
+				{ 'Content-Type': "text/html" }, 
+				"403 Forbidden\n"
+			);
+			return;
+		}
+		
 		// allow special URIs to skip the line
 		if (this.queueSkipMatch && request.url.match(this.queueSkipMatch)) {
 			this.logDebug(8, "Bumping request to front of queue: " + request.url);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "2.0.3",
+	"version": "2.0.5",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",

package/web_server.js

@@ -47,6 +47,7 @@ module.exports = Class({
 		"http_enable_brotli": false,
 		"http_default_acl": ['127.0.0.1', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '::1/128', 'fd00::/8', '169.254.0.0/16', 'fe80::/10'],
 		"http_blacklist": [],
+		"http_allow_hosts": [],
 		"http_log_requests": false,
 		"http_log_request_details": false,
 		"http_log_body_max": 32768,
@@ -243,6 +244,10 @@ class WebServer extends Component {
 				this.redirects.push(redirect);
 			}
 		}
+		
+		// custom host list
+		this.allowHosts = (this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
+		this.httpsAllowHosts = (this.config.get('https_allow_hosts') || this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
 	}
 	
 	startAll(callback) {