Add ACL check to HTTP server

cpq · cpq · commit 2743cd5229a2 · 2015-03-26T10:45:36.000Z
diff --git a/fossa.c b/fossa.c
@@ -1334,7 +1334,7 @@ static int parse_net(const char *spec, uint32_t *net, uint32_t *mask) {
 /*
  * Verify given IP address against the ACL.
  *
- * `remote_ip` - an IPv4 address to check, in network byte order
+ * `remote_ip` - an IPv4 address to check, in host byte order
  * `acl` - a comma separated list of IP subnets: `x.x.x.x/x` or `x.x.x.x`.
  * Each subnet is
  * prepended by either a - or a + sign. A plus sign means allow, where a
@@ -3259,6 +3259,7 @@ void ns_serve_http(struct ns_connection *nc, struct http_message *hm,
   char path[NS_MAX_PATH], tmp[NS_MAX_PATH];
   ns_stat_t st;
   int stat_result, is_directory;
+  uint32_t remote_ip = ntohl(*(uint32_t *) &nc->sa.sin.sin_addr);
 
   snprintf(tmp, sizeof(tmp), "%s/%.*s", opts.document_root, (int) hm->uri.len,
            hm->uri.p);
@@ -3267,7 +3268,10 @@ void ns_serve_http(struct ns_connection *nc, struct http_message *hm,
   stat_result = ns_stat(path, &st);
   is_directory = !stat_result && S_ISDIR(st.st_mode);
 
-  if (!is_authorized(hm, path, is_directory, &opts)) {
+  if (ns_check_ip_acl(opts.ip_acl, remote_ip) != 1) {
+    /* Not allowed to connect */
+    nc->flags |= NSF_CLOSE_IMMEDIATELY;
+  } else if (!is_authorized(hm, path, is_directory, &opts)) {
     ns_printf(nc,
               "HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Digest qop=\"auth\", "
diff --git a/fossa.h b/fossa.h
@@ -653,6 +653,9 @@ struct ns_serve_http_opts {
 
   /* SSI files suffix. By default is NULL, SSI is disabled */
   const char *ssi_suffix;
+
+  /* IP ACL. By default, NULL, meaning all IPs are allowed to connect */
+  const char *ip_acl;
 };
 void ns_serve_http(struct ns_connection *, struct http_message *,
                    struct ns_serve_http_opts);
diff --git a/src/http.c b/src/http.c
@@ -1381,6 +1381,7 @@ void ns_serve_http(struct ns_connection *nc, struct http_message *hm,
   char path[NS_MAX_PATH], tmp[NS_MAX_PATH];
   ns_stat_t st;
   int stat_result, is_directory;
+  uint32_t remote_ip = ntohl(*(uint32_t *) &nc->sa.sin.sin_addr);
 
   snprintf(tmp, sizeof(tmp), "%s/%.*s", opts.document_root, (int) hm->uri.len,
            hm->uri.p);
@@ -1389,7 +1390,10 @@ void ns_serve_http(struct ns_connection *nc, struct http_message *hm,
   stat_result = ns_stat(path, &st);
   is_directory = !stat_result && S_ISDIR(st.st_mode);
 
-  if (!is_authorized(hm, path, is_directory, &opts)) {
+  if (ns_check_ip_acl(opts.ip_acl, remote_ip) != 1) {
+    /* Not allowed to connect */
+    nc->flags |= NSF_CLOSE_IMMEDIATELY;
+  } else if (!is_authorized(hm, path, is_directory, &opts)) {
     ns_printf(nc,
               "HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Digest qop=\"auth\", "
diff --git a/src/http.h b/src/http.h
@@ -127,6 +127,9 @@ struct ns_serve_http_opts {
 
   /* SSI files suffix. By default is NULL, SSI is disabled */
   const char *ssi_suffix;
+
+  /* IP ACL. By default, NULL, meaning all IPs are allowed to connect */
+  const char *ip_acl;
 };
 void ns_serve_http(struct ns_connection *, struct http_message *,
                    struct ns_serve_http_opts);
diff --git a/src/net.c b/src/net.c
@@ -1166,7 +1166,7 @@ static int parse_net(const char *spec, uint32_t *net, uint32_t *mask) {
 /*
  * Verify given IP address against the ACL.
  *
- * `remote_ip` - an IPv4 address to check, in network byte order
+ * `remote_ip` - an IPv4 address to check, in host byte order
  * `acl` - a comma separated list of IP subnets: `x.x.x.x/x` or `x.x.x.x`.
  * Each subnet is
  * prepended by either a - or a + sign. A plus sign means allow, where a
diff --git a/test/unit_test.c b/test/unit_test.c
@@ -230,13 +230,13 @@ static const char *test_to64(void) {
 }
 
 static const char *test_check_ip_acl(void) {
-  uint32_t ip = htonl(0x01010101);
+  uint32_t ip = 0x01020304;
   ASSERT(ns_check_ip_acl(NULL, ip) == 1);
   ASSERT(ns_check_ip_acl("", ip) == 1);
   ASSERT(ns_check_ip_acl("invalid", ip) == -1);
   ASSERT(ns_check_ip_acl("-0.0.0.0/0", ip) == 0);
   ASSERT(ns_check_ip_acl("-0.0.0.0/0,+1.0.0.0/8", ip) == 1);
-  ASSERT(ns_check_ip_acl("-0.0.0.0/0,+1.1.1.1", ip) == 1);
+  ASSERT(ns_check_ip_acl("-0.0.0.0/0,+1.2.3.4", ip) == 1);
   ASSERT(ns_check_ip_acl("-0.0.0.0/0,+1.0.0.0/16", ip) == 0);
   return NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -1166,7 +1166,7 @@ static int parse_net(const char spec, uint32_t net, uint32_t *mask) {`
`1166`	`1166`	`/*`
`1167`	`1167`	`* Verify given IP address against the ACL.`
`1168`	`1168`	`*`
`1169`		- * `remote_ip` - an IPv4 address to check, in network byte order
	`1169`	+ * `remote_ip` - an IPv4 address to check, in host byte order
`1170`	`1170`	* `acl` - a comma separated list of IP subnets: `x.x.x.x/x` or `x.x.x.x`.
`1171`	`1171`	`* Each subnet is`
`1172`	`1172`	`* prepended by either a - or a + sign. A plus sign means allow, where a`