From ec089c47231a62abafdb851950274d33e7ebb4db Mon Sep 17 00:00:00 2001 From: Oliver Gugger Date: Fri, 17 Jul 2020 10:54:59 +0200 Subject: [PATCH] config+proxy: disable static file serving by default --- aperture.go | 4 +++- config.go | 4 ++++ proxy/proxy.go | 18 +++++++++++++++--- proxy/proxy_test.go | 8 ++++---- sample-conf.yaml | 4 ++++ 5 files changed, 30 insertions(+), 8 deletions(-) diff --git a/aperture.go b/aperture.go index 567a50a..f50faa2 100644 --- a/aperture.go +++ b/aperture.go @@ -391,7 +391,9 @@ func createProxy(cfg *config, genInvoiceReq InvoiceRequestGenerator, ServiceLimiter: newStaticServiceLimiter(cfg.Services), }) authenticator := auth.NewLsatAuthenticator(minter) - return proxy.New(authenticator, cfg.Services, cfg.StaticRoot) + return proxy.New( + authenticator, cfg.Services, cfg.ServeStatic, cfg.StaticRoot, + ) } // cleanup closes the given server and shuts down the log rotator. diff --git a/config.go b/config.go index 37ffb8c..155be8b 100644 --- a/config.go +++ b/config.go @@ -61,6 +61,10 @@ type config struct { // is located. StaticRoot string `long:"staticroot" description:"The folder where the static content is located."` + // ServeStatic defines if static content should be served from the + // directory defined by StaticRoot. + ServeStatic bool `long:"servestatic" description:"Flag to enable or disable static content serving."` + Etcd *etcdConfig `long:"etcd" description:"Configuration for the etcd instance backing the proxy."` Authenticator *authConfig `long:"authenticator" description:"Configuration for the authenticator."` diff --git a/proxy/proxy.go b/proxy/proxy.go index 0af70d5..b8cb28c 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go 
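Review bot: In the config.go hunk, neither the `ServeStatic` field comment nor the flag description says that serving is off by default, which is the point of the commit; an operator reading `--help` only sees "enable or disable". Suggest the comment `// ServeStatic defines if static content should be served from the directory defined by StaticRoot. It is off by default and must be enabled explicitly.` and the tag `description:"Enable serving of static content from the staticroot directory (disabled by default)."`. The config struct continues outside the hunk.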
@@ -41,10 +41,22 @@ type Proxy struct { // New returns a new Proxy instance that proxies between the services specified, // using the auth to validate each request's headers and get new challenge // headers if necessary. -func New(auth auth.Authenticator, services []*Service, staticRoot string) ( - *Proxy, error) { +func New(auth auth.Authenticator, services []*Service, serveStatic bool, + staticRoot string) (*Proxy, error) { + + // By default the static file server only returns 404 answers for + // security reasons. Serving files from the staticRoot directory has to + // be enabled intentionally. + staticServer := http.NotFoundHandler() + if serveStatic { + if len(strings.TrimSpace(staticRoot)) == 0 { + return nil, fmt.Errorf("staticroot cannot be empty, " + + "must contain path to directory that " + + "contains index.html") + } + staticServer = http.FileServer(http.Dir(staticRoot)) + } - staticServer := http.FileServer(http.Dir(staticRoot)) proxy := &Proxy{ staticServer: staticServer, authenticator: auth, diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go index 43b6369..f8c3afa 100644 --- a/proxy/proxy_test.go +++ b/proxy/proxy_test.go @@ -71,7 +71,7 @@ func TestProxyHTTP(t *testing.T) { }} mockAuth := auth.NewMockAuthenticator() - p, err := proxy.New(mockAuth, services, "static") + p, err := proxy.New(mockAuth, services, true, "static") if err != nil { t.Fatalf("failed to create new proxy: %v", err) } @@ -169,7 +169,7 @@ func TestProxyGRPC(t *testing.T) { // Create the proxy server and start serving on TLS. mockAuth := auth.NewMockAuthenticator() - p, err := proxy.New(mockAuth, services, "static") + p, err := proxy.New(mockAuth, services, true, "static") if err != nil { t.Fatalf("failed to create new proxy: %v", err) } 
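Review bot: The new validation in `New` only rejects a blank `staticRoot`; it does not check that the path exists or is a directory, although the error text promises a directory containing index.html, so a mistyped path is not noticed until requests start answering 404 and the deployment looks as if serving were disabled. Since the feature is now an explicit opt-in, failing fast at construction with an `os.Stat` check gives the operator a clear error; this needs `os` in the import block, which lies outside the hunk, and the hunk already relies on `fmt` and `strings` being imported in proxy.go, which the diff does not show. Separately, `http.FileServer` renders a directory listing for any subdirectory without an index.html, so if listing is not intended it should be wrapped or at least stated on the `ServeStatic` field. The rest of `New` continues past the hunk.
```go
	if serveStatic {
		// … unchanged: empty staticroot check …

		// Fail fast on a missing or non-directory root instead of
		// answering 404 for every static request later on.
		info, err := os.Stat(staticRoot)
		if err != nil {
			return nil, fmt.Errorf("staticroot %q: %w", staticRoot, err)
		}
		if !info.IsDir() {
			return nil, fmt.Errorf("staticroot %q is not a directory",
				staticRoot)
		}
		staticServer = http.FileServer(http.Dir(staticRoot))
	}
	// … unchanged: proxy struct construction …
```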
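Review bot: None of the updated tests exercises the new behaviour: every call now passes `true`, so the default path where `serveStatic` is false and static requests hit `http.NotFoundHandler()`, and the error for an empty `staticRoot`, stay uncovered; the same applies to the two proxy_test.go hunks at -269 and -368. A minimal check for the error path is `if _, err := proxy.New(mockAuth, services, true, ""); err == nil { t.Fatal("expected error for empty staticroot") }`. A second proxy constructed with `false` and a request to a static path asserted to return 404 would cover the new default. The enclosing test functions continue outside the hunks.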
@@ -269,7 +269,7 @@ func TestWhitelistHTTP(t *testing.T) { }} mockAuth := auth.NewMockAuthenticator() - p, err := proxy.New(mockAuth, services, "static") + p, err := proxy.New(mockAuth, services, true, "static") if err != nil { t.Fatalf("failed to create new proxy: %v", err) } @@ -368,7 +368,7 @@ func TestWhitelistGRPC(t *testing.T) { // Create the proxy server and start serving on TLS. mockAuth := auth.NewMockAuthenticator() - p, err := proxy.New(mockAuth, services, "static") + p, err := proxy.New(mockAuth, services, true, "static") if err != nil { t.Fatalf("failed to create new proxy: %v", err) } diff --git a/sample-conf.yaml b/sample-conf.yaml index cc2f2f5..33d1d24 100644 --- a/sample-conf.yaml +++ b/sample-conf.yaml @@ -5,6 +5,10 @@ listenaddr: "localhost:8081" # cannot handle. staticroot: "./static" +# Should the static file server be enabled that serves files from the directory +# specified in `staticroot`? +servestatic: false + # The log level that should be used for the proxy. # # Valid options include: trace, debug, info, warn, error, critical, off.