pixl-server-web 2.0.4 → 2.0.5
- package/README.md +4 -8
- package/lib/https.js +13 -4
- package/lib/request.js +1 -1
- package/package.json +1 -1
- package/web_server.js +1 -0
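--- a/package/README.md
+++ b/package/README.md
@@ -35,6 +35,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 * [http_brotli_opts](#http_brotli_opts)
 * [http_default_acl](#http_default_acl)
 * [http_blacklist](#http_blacklist)
+* [http_allow_hosts](#http_allow_hosts)
 * [http_rewrites](#http_rewrites)
 * [http_redirects](#http_redirects)
 * [http_log_requests](#http_log_requests)
@@ -68,6 +69,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 * [https_force](#https_force)
 * [https_header_detect](#https_header_detect)
 * [https_timeout](#https_timeout)
+* [https_bind_address](#https_bind_address)
 - [Custom URI Handlers](#custom-uri-handlers)
 * [Access Control Lists](#access-control-lists)
 * [Internal File Redirects](#internal-file-redirects)
@@ -443,24 +445,18 @@ When a new incoming connection is established, the socket IP is immediately chec
 
 ## http_allow_hosts
 
-The `http_allow_hosts` property allows you to specify a
+The `http_allow_hosts` property allows you to specify a limited set of hosts to allow for incoming requests. Specifically, this matches the incoming HTTP `Host` request header, or SNI (TLS handshake) host for HTTPS, and the value must match at least one entry in the array (case-insensitive). For example, if you are hosting your application behind a domain name, you may want to restrict incoming requests so that they must explicitly point to your domain name. Here is how to set this up:
 
 ```json
 "http_allow_hosts": ["mydomain.com"]
 ```
 
-In the above example, only requests to `mydomain.com` would be allowed. All other domains or IP addresses in the URL would be rejected with a `HTTP 403 Forbidden` error. Include multiple entries in the array for things like subdomains:
+In the above example, only requests to `mydomain.com` would be allowed. All other domains or IP addresses in the URL would be rejected with a `HTTP 403 Forbidden` error (or in the case of SNI / TLS handshake the socket is simply closed). Include multiple entries in the array for things like subdomains:
 
 ```json
 "http_allow_hosts": ["mydomain.com", "www.mydomain.com"]
 ```
 
-Note that if your users have to specify a port number in the URL, this must be specified in the `http_allow_hosts` array as well (it matches the `Host` request header exactly). So for example, if you are hosting an app on a non-standard port number, but you want to restrict the host, include the port like this:
-
-```json
-"http_allow_hosts": ["mydomain.com:3000"]
-```
-
 If the `http_allow_hosts` array is empty or omitted entirely, all hosts are allowed. This is the default behavior.
 
 ## http_rewrites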
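--- a/package/lib/https.js
+++ b/package/lib/https.js
@@ -56,7 +56,7 @@ module.exports = class HTTP2 {
 
 if (max_conns && (self.numConns >= max_conns)) {
 // reached maximum concurrent connections, abort new ones
-self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { ip: ip, port: port, max: max_conns });
+self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { host: socket.servername || '', ip: ip, port: port, max: max_conns });
 socket.end();
 socket.unref();
 socket.destroy(); // hard close
@@ -65,14 +65,23 @@ module.exports = class HTTP2 {
 }
 if (self.server.shut) {
 // server is shutting down, abort new connections
-self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { ip: ip, port: port});
+self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port});
 socket.end();
 socket.unref();
 socket.destroy(); // hard close
 return;
 }
 if (ip && self.aclBlacklist.checkAny(ip)) {
-self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { ip: ip, port: port });
+self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port });
+socket.end();
+socket.unref();
+socket.destroy(); // hard close
+return;
+}
+
+// SNI: check allow list at socket connect time
+if (self.httpsAllowHosts.length && !self.httpsAllowHosts.includes( ('' + socket.servername).toLowerCase() )) {
+self.logError('allowhosts', "SNI host not allowed: " + (socket.servername || 'n/a'), { host: socket.servername || '', ip: ip, port: port });
 socket.end();
 socket.unref();
 socket.destroy(); // hard close
@@ -82,7 +91,7 @@ module.exports = class HTTP2 {
 var id = self.getNextId('cs');
 self.conns[ id ] = socket;
 self.numConns++;
-self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { ip: ip, port: port, num_conns: self.numConns });
+self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { host: socket.servername || '', ip: ip, port: port, num_conns: self.numConns });
 
 // Disable the Nagle algorithm.
 socket.setNoDelay( true );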
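Review bot: The new SNI check at new lines 83-84 coerces a missing `socket.servername` to the string `'undefined'`, so a TLS client that sends no SNI is hard-closed whenever `httpsAllowHosts` is non-empty — and because RFC 6066 forbids IP literals in the SNI host name, an allow list made of IP addresses can never admit an HTTPS connection at all. That fail-closed behaviour is defensible but is stated nowhere; a comment such as `// no SNI (e.g. clients connecting by IP address) counts as a disallowed host; request.js still checks the Host header after the handshake` on the new `if` line, plus a sentence in the README entry, would save the next operator a confusing outage. Note also that `servername` is only populated on a TLSSocket once the ClientHello has been parsed, so if this listener is bound to the server's `'connection'` event rather than `'secureConnection'`, the field is always undefined here and every connection would be dropped — the handler's signature is outside the hunk, so this is inferred, not observed. The enclosing method starts before the first hunk and ends after the last.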
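--- a/package/lib/request.js
+++ b/package/lib/request.js
@@ -72,7 +72,7 @@ module.exports = class Request {
 }
 
 // custom host allow list
-if (this.allowHosts.length && !this.allowHosts.includes( ('' + request.headers['host']).toLowerCase() )) {
+if (this.allowHosts.length && !this.allowHosts.includes( ('' + request.headers['host']).toLowerCase().replace(/\:\d+$/, '') )) {
 this.logError(403, "Forbidden: Host not allowed: " + (request.headers['host'] || 'n/a'), {
 id: args.id,
 host: request.headers['host'] || '',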
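Review bot: Stripping `:port` from the incoming `Host` header at new line 75 without stripping it from the configured entries means a config written to the 2.0.4 docs, such as `"http_allow_hosts": ["mydomain.com:3000"]`, now rejects every request with a 403, and the log line that follows prints the raw header, which looks exactly like the listed entry, so the cause is not obvious. The same normalization should be applied where the list is built in web_server.js, e.g. `this.allowHosts = (this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase().replace(/:\d+$/, ''); } );`, and likewise for `httpsAllowHosts`, since an SNI name never carries a port. Separately, a request with no `Host` header is compared as the literal string `'undefined'` (pre-existing behaviour) and is therefore rejected; a one-line comment saying so would stop anyone from ever adding that string to the list. The enclosing method starts before the hunk and the `logError` call continues past it.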
package/package.json
CHANGED
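--- a/package/web_server.js
+++ b/package/web_server.js
@@ -247,6 +247,7 @@ class WebServer extends Component {
 
 // custom host list
 this.allowHosts = (this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
+this.httpsAllowHosts = (this.config.get('https_allow_hosts') || this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
 }
 
 startAll(callback) {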
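Review bot: The new `https_allow_hosts` config key read at new line 250 is documented nowhere in this diff — the README hunks add `http_allow_hosts` and `https_bind_address` to the table of contents but never mention that the SNI list can be set on its own — and its fallback is subtle, because an empty array is truthy in JavaScript: `"https_allow_hosts": []` disables the SNI check entirely while leaving `http_allow_hosts` in force, whereas omitting the key inherits it. Both facts belong on the line, e.g. `// SNI allow list; falls back to http_allow_hosts only when unset (an explicit [] turns the SNI check off)`, and in a README entry next to `http_allow_hosts`. The enclosing method starts before the hunk.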