fix header plugin phase not called for internal request (fixes CORS), fix bunkernet init_worker bug where ngx.ctx.bw is not available, add CORS_DENY_REQUEST setting and edit values for core/cors tests
This commit is contained in:
parent
8386621419
commit
7d84e03a15
1
TODO
1
TODO
|
@ -3,4 +3,5 @@
|
|||
- Plugins
|
||||
- sessions helpers in utils
|
||||
- sessions security : check IP address, check UA, ...
|
||||
- CORS : edit security tuning doc + edit example
|
||||
- fix db warnings (Got an error reading communication packets)
|
||||
|
|
|
@ -6,14 +6,8 @@ local helpers = require "bunkerweb.helpers"
|
|||
local cdatastore = require "bunkerweb.datastore"
|
||||
local cjson = require "cjson"
|
||||
|
||||
-- Don't process internal requests
|
||||
local logger = clogger:new("HEADER")
|
||||
if ngx.req.is_internal() then
|
||||
logger:log(ngx.INFO, "skipped header phase because request is internal")
|
||||
return true
|
||||
end
|
||||
|
||||
-- Start set phase
|
||||
local logger = clogger:new("HEADER")
|
||||
local datastore = cdatastore:new()
|
||||
logger:log(ngx.INFO, "header phase started")
|
||||
|
||||
|
|
|
@ -15,8 +15,8 @@ function bunkernet:initialize()
|
|||
local id, err = self.datastore:get("plugin_bunkernet_id")
|
||||
if id then
|
||||
self.bunkernet_id = id
|
||||
self.version = ngx.ctx.bw.version
|
||||
self.integration = ngx.ctx.bw.integration
|
||||
self.version = ngx.ctx.bw and ngx.ctx.bw.version or utils.get_version()
|
||||
self.integration = ngx.ctx.bw and ngx.ctw.bw.integration or utils.get_integration()
|
||||
else
|
||||
self.logger:log(ngx.ERR, "can't get BunkerNet ID from datastore : " .. err)
|
||||
end
|
||||
|
@ -57,8 +57,8 @@ function bunkernet:init_worker()
|
|||
if status ~= 200 then
|
||||
return self:ret(false, "received status " .. tostring(status) .. " from API using instance ID " .. self.bunkernet_id)
|
||||
end
|
||||
self.logger:log(ngx.NOTICE, "connectivity with API using instance ID " .. self.id .. " is successful")
|
||||
return self:ret(true, "connectivity with API using instance ID " .. self.id .. " is successful")
|
||||
self.logger:log(ngx.NOTICE, "connectivity with API using instance ID " .. self.bunkernet_id .. " is successful")
|
||||
return self:ret(true, "connectivity with API using instance ID " .. self.bunkernet_id .. " is successful")
|
||||
end
|
||||
|
||||
function bunkernet:init()
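Review bot: `ngx.ctw.bw.integration` on the new `self.integration` line in `bunkernet:initialize()` is a typo for `ngx.ctx` — `ngx.ctw` is nil, so the expression raises an index error exactly when `ngx.ctx.bw` is present (every request-phase call), which is the opposite of what the guard intends, and `self.integration` is never populated from the request context. The line should read `self.integration = ngx.ctx.bw and ngx.ctx.bw.integration or utils.get_integration()`. The `a and b or c` form on both lines also silently falls back to the `utils` helpers whenever the `ngx.ctx.bw` field itself is nil or false, which is presumably the intended fallback but deserves a comment such as `-- ngx.ctx.bw is not populated in init_worker; fall back to the utils helpers`. The second hunk's log/return lines in `init_worker` now concatenate `self.bunkernet_id`, which the first hunk only assigns when the datastore lookup succeeds; the beginning of `bunkernet:init_worker()` is outside the hunk, so I cannot confirm a guard precedes that concatenation. Both `initialize()` and `init_worker()` start outside the hunks shown.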
|
||||
|
|
|
@ -77,6 +77,13 @@ function cors:access()
|
|||
if self.variables["USE_CORS"] ~= "yes" then
|
||||
return self:ret(true, "service doesn't use CORS")
|
||||
end
|
||||
-- Deny as soon as possible if needed
|
||||
if self.variables["CORS_DENY_REQUEST"] == "yes" and ngx.ctx.bw.http_origin then
|
||||
if self.variables["CORS_ALLOW_ORIGIN"] ~= "*" and not ngx.ctx.bw.http_origin:match(self.variables["CORS_ALLOW_ORIGIN"]) then
|
||||
self.logger:log(ngx.WARN, "origin " .. ngx.ctx.bw.http_origin .. " is not allowed")
|
||||
return self:ret(true, "origin " .. ngx.ctx.bw.http_origin .. " is not allowed, denying access", utils.get_deny_status())
|
||||
end
|
||||
end
|
||||
-- Send CORS policy with a 204 (no content) status
|
||||
if ngx.ctx.bw.request_method == "OPTIONS" and ngx.ctx.bw.http_origin then
|
||||
return self:ret(true, "preflight request", ngx.HTTP_NO_CONTENT)
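Review bot: The new deny check in `cors:access()` calls `http_origin:match(CORS_ALLOW_ORIGIN)` unanchored, so unless the operator's value already carries `^`/`$`, an origin such as `https://www.example.com.attacker.net` or `https://attacker.net/?https://www.example.com` satisfies the pattern and is passed to the backend; the fixture value this commit adds to the tests (`https://www%.example%.com`) is unanchored too, so the suite would not catch it. Either anchor here, e.g. `local allowed = self.variables["CORS_ALLOW_ORIGIN"]` followed by `if allowed ~= "*" and not ngx.ctx.bw.http_origin:match("^" .. allowed .. "$") then`, or state in the setting's help text that the value must be an anchored Lua pattern — the former would break values that already anchor (a `^` that is not the first pattern character is literal in Lua), so the choice should match whatever the header phase does with the same setting, which is not visible here. A one-line comment on the deny branch, `-- ret(true, ..., status) ends the request with the configured deny status`, would also help since returning `true` on a deny reads as a success path. `cors:access()` begins outside the hunk.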
|
||||
|
|
|
@ -68,6 +68,15 @@
|
|||
"label": "Access-Control-Allow-Headers value",
|
||||
"regex": "^(\\*|(?![, ])(,? ?([\\w-]+)(?!.*\\3(?!.)))*)?$",
|
||||
"type": "text"
|
||||
},
|
||||
"CORS_DENY_REQUEST": {
|
||||
"context": "multisite",
|
||||
"default": "yes",
|
||||
"help": "Deny request and don't send it to backend if Origin is not allowed.",
|
||||
"id": "cors-deny-request",
|
||||
"label": "Deny request",
|
||||
"regex": "^(yes|no)$",
|
||||
"type": "check"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,7 +20,7 @@ cleanup_stack () {
|
|||
exit_code=$?
|
||||
if [[ $end -eq 1 || $exit_code = 1 ]] || [[ $end -eq 0 && $exit_code = 0 ]] && [ $manual = 0 ] ; then
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "yes"@USE_CORS: "no"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "http://www.example.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "X-Test"@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_MAX_AGE: "3600"@CORS_MAX_AGE: "86400"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_CREDENTIALS: "yes"@CORS_ALLOW_CREDENTIALS: "no"@' {} \;
|
||||
|
@ -54,11 +54,11 @@ do
|
|||
echo "🛰️ Running tests with cors ..."
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_CORS: "no"@USE_CORS: "yes"@' {} \;
|
||||
elif [ "$test" = "allow_origin" ] ; then
|
||||
echo "🛰️ Running tests with cors allow origin set to http://www.example.com ..."
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "http://www.example.com"@' {} \;
|
||||
echo "🛰️ Running tests with cors allow origin set to https://www.example.com ..."
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "\*"@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@' {} \;
|
||||
elif [ "$test" = "expose_headers" ] ; then
|
||||
echo "🛰️ Running tests with cors expose headers set to X-Test ..."
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "http://www.example.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_ALLOW_ORIGIN: "https://www%.example%.com"@CORS_ALLOW_ORIGIN: "\*"@' {} \;
|
||||
find . -type f -name 'docker-compose.*' -exec sed -i 's@CORS_EXPOSE_HEADERS: "Content-Length,Content-Range"@CORS_EXPOSE_HEADERS: "X-Test"@' {} \;
|
||||
elif [ "$test" = "max_age" ] ; then
|
||||
echo "🛰️ Running tests with cors max age set to 3600 ..."
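Review bot: The `allow_origin` case now injects `https://www%.example%.com`, a Lua pattern rather than a plain origin, but it remains unanchored, so presumably the test only proves that the exact origin is accepted and says nothing about look-alike origins matching as a substring; a request from an origin such as `https://www.example.com.evil` that must be denied would pin the intended semantics. If the plugin is meant to be used with anchored values, the fixture should mirror that, e.g. `CORS_ALLOW_ORIGIN: "^https://www%.example%.com$"`, with the corresponding reset lines escaping the anchors in the sed search pattern (`\^` and `\$`) rather than relying on mid-pattern `^`/`$` being literal. Both `cleanup_stack` and the loop body extend outside the hunks shown.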
|
||||
|
|