fix header plugin phase not called for internal request (fixes CORS), fix bunkernet init_worker bug where ngx.ctx.bw is not available, add CORS_DENY_REQUEST setting and edit values for core/cors tests

TODO

@@ -3,4 +3,5 @@
 - Plugins
 - sessions helpers in utils
 - sessions security : check IP address, check UA, ...
+- CORS : edit security tuning doc + edit example
 - fix db warnings (Got an error reading communication packets)

src/common/confs/server-http/header-lua.conf

@@ -6,14 +6,8 @@ local helpers		= require "bunkerweb.helpers"
 local cdatastore	= require "bunkerweb.datastore"
 local cjson         = require "cjson"
 
--- Don't process internal requests
-local logger = clogger:new("HEADER")
-if ngx.req.is_internal() then
-	logger:log(ngx.INFO, "skipped header phase because request is internal")
-	return true
-end
-
 -- Start set phase
+local logger = clogger:new("HEADER")
 local datastore = cdatastore:new()
 logger:log(ngx.INFO, "header phase started")
 

src/common/core/bunkernet/bunkernet.lua

@@ -15,8 +15,8 @@ function bunkernet:initialize()
 		local id, err = self.datastore:get("plugin_bunkernet_id")
 		if id then
 			self.bunkernet_id = id
-			self.version = ngx.ctx.bw.version
-			self.integration = ngx.ctx.bw.integration
+			self.version = ngx.ctx.bw and ngx.ctx.bw.version or utils.get_version()
+			self.integration = ngx.ctx.bw and ngx.ctw.bw.integration or utils.get_integration()
 		else
 			self.logger:log(ngx.ERR, "can't get BunkerNet ID from datastore : " .. err)
 		end
@@ -57,8 +57,8 @@ function bunkernet:init_worker()
 	if status ~= 200 then
 		return self:ret(false, "received status " .. tostring(status) .. " from API using instance ID " .. self.bunkernet_id)
 	end
-	self.logger:log(ngx.NOTICE, "connectivity with API using instance ID " .. self.id .. " is successful")
-	return self:ret(true, "connectivity with API using instance ID " .. self.id .. " is successful")
+	self.logger:log(ngx.NOTICE, "connectivity with API using instance ID " .. self.bunkernet_id .. " is successful")
+	return self:ret(true, "connectivity with API using instance ID " .. self.bunkernet_id .. " is successful")
 end
 
 function bunkernet:init()

src/common/core/cors/cors.lua

@@ -77,6 +77,13 @@ function cors:access()
 	if self.variables["USE_CORS"] ~= "yes" then
 		return self:ret(true, "service doesn't use CORS")
 	end
+	-- Deny as soon as possible if needed
+	if self.variables["CORS_DENY_REQUEST"] == "yes" and ngx.ctx.bw.http_origin then
+		if self.variables["CORS_ALLOW_ORIGIN"] ~= "*" and not ngx.ctx.bw.http_origin:match(self.variables["CORS_ALLOW_ORIGIN"]) then
+			self.logger:log(ngx.WARN, "origin " .. ngx.ctx.bw.http_origin .. " is not allowed")
+			return self:ret(true, "origin " .. ngx.ctx.bw.http_origin .. " is not allowed, denying access", utils.get_deny_status())
+		end
+	end
 	-- Send CORS policy with a 204 (no content) status
 	if ngx.ctx.bw.request_method == "OPTIONS" and ngx.ctx.bw.http_origin then
 		return self:ret(true, "preflight request", ngx.HTTP_NO_CONTENT)

src/common/core/cors/plugin.json

@@ -68,6 +68,15 @@
       "label": "Access-Control-Allow-Headers value",
       "regex": "^(\\*|(?![, ])(,? ?([\\w-]+)(?!.*\\3(?!.)))*)?$",
       "type": "text"
+    },
+    "CORS_DENY_REQUEST": {
+      "context": "multisite",
+      "default": "yes",
+      "help": "Deny request and don't send it to backend if Origin is not allowed.",
+      "id": "cors-deny-request",
+      "label": "Deny request",
+      "regex": "^(yes|no)$",
+      "type": "check"
     }
   }
 }

tests/core/cors/test.sh

@@ -20,7 +20,7 @@ cleanup_stack () {
     exit_code=$?
     if [[ $end -eq 1 || $exit_code = 1 ]] || [[ $end -eq 0 && $exit_code = 0 ]] && [ $manual = 0 ] ; then
         find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "yes"@USE_CORS: "no"@' {} \;
-        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "http://www.example.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
+        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
         find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "X-Test"@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@' {} \;
         find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_MAX_AGE: "3600"@CORS_MAX_AGE: "86400"@' {} \;
         find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_CREDENTIALS: "yes"@CORS_ALLOW_CREDENTIALS: "no"@' {} \;
@@ -54,11 +54,11 @@ do
         echo "🛰️ Running tests with cors ..."
         find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "no"@USE_CORS: "yes"@' {} \;
     elif [ "$test" = "allow_origin" ] ; then
-        echo "🛰️ Running tests with cors allow origin set to http://www.example.com ..."
-        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "http://www.example.com"@' {} \;
+        echo "🛰️ Running tests with cors allow origin set to https://www.example.com ..."
+        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@' {} \;
     elif [ "$test" = "expose_headers" ] ; then
         echo "🛰️ Running tests with cors expose headers set to X-Test ..."
-        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "http://www.example.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
+        find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
         find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@CORS_EXPOSE_HEADERS: "X-Test"@' {} \;
     elif [ "$test" = "max_age" ] ; then
         echo "🛰️ Running tests with cors max age set to 3600 ..."