http server security improve

master v2.1.0.beta.8
兔子 8 months ago
parent 44678fa0ff
commit 1d478bef0a

@ -79,7 +79,7 @@ func fileFinder(path string, reg string, onlyFilterName bool, outpath string, sh
} }
return "" return ""
} }
fp := new(os.File) var fp *os.File
if outpath != "" { if outpath != "" {
fp, err = os.Create(outpath) fp, err = os.Create(outpath)
if err != nil { if err != nil {

@ -30,6 +30,9 @@ func init() {
Cmd.Flags().StringVarP(&s.key, "ssl-key", "k", "", "TLS密钥路径") Cmd.Flags().StringVarP(&s.key, "ssl-key", "k", "", "TLS密钥路径")
Cmd.Flags().BoolVarP(&s.disableMIME, "disablemime", "m", false, "停止解析MIME全部按下载文件处理") Cmd.Flags().BoolVarP(&s.disableMIME, "disablemime", "m", false, "停止解析MIME全部按下载文件处理")
Cmd.Flags().StringSliceVarP(&s.protectAuthPage, "protect-page", "P", []string{}, "Basic Auth 开启白名单") Cmd.Flags().StringSliceVarP(&s.protectAuthPage, "protect-page", "P", []string{}, "Basic Auth 开启白名单")
Cmd.Flags().StringVar(&s.page401, "401", "", "自定义401页面地址")
Cmd.Flags().StringVar(&s.page403, "403", "", "自定义403页面地址")
Cmd.Flags().StringVar(&s.page404, "404", "", "自定义404页面地址")
Cmd.Flags().Bool("daeapplied", false, "") Cmd.Flags().Bool("daeapplied", false, "")
Cmd.Flags().MarkHidden("daeapplied") Cmd.Flags().MarkHidden("daeapplied")
} }
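Review bot: The three new page paths are only read with os.ReadFile at response time and a read failure silently falls back to the built-in HTML (see Page404/Page403/Page401 later in this commit), so a mistyped `--401`/`--403`/`--404` value is never reported to the operator. Check them once before Run starts listening, for example `if s.page404 != "" { if _, err := os.Stat(s.page404); err != nil { return fmt.Errorf("404 page %q: %w", s.page404, err) } }` for each of the three, or read the files once and keep the bytes in HttpServerCfg instead of re-reading per request. The help strings could also say that the file is sent verbatim as the response body.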

@ -37,6 +37,9 @@ type HttpServerCfg struct {
key string key string
addr string addr string
port string port string
page404 string
page403 string
page401 string
protectAuthPage []string protectAuthPage []string
disableMIME bool disableMIME bool
ctx context.Context ctx context.Context
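Review bot: The new fields page404, page403 and page401 carry no comment, and their meaning (a filesystem path to a custom error page, empty meaning the built-in HTML) is only discoverable from the flag definitions in init. Add `// page404, page403, page401: optional paths to custom error pages; empty serves the built-in HTML.` above page404, and consider ordering them 401, 403, 404 to match the flag declarations. The HttpServerCfg definition starts before this hunk.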
@ -338,15 +341,27 @@ func (h *HttpServer) Run(ctx context.Context) error {
if strings.Contains(v.Flags.String(), "up") { if strings.Contains(v.Flags.String(), "up") {
addrs, err := v.Addrs() addrs, err := v.Addrs()
if err == nil { if err == nil {
var ips []string
for _, ip := range addrs { for _, ip := range addrs {
ips = append(ips, ip.String()) starlog.Cyan("Name:%s\tIP:%s\n", v.Name, ip)
} }
starlog.Noticef("Name:%s IP:%s MAC:%s\n", v.Name, strings.Join(ips, ","), v.HardwareAddr)
} }
} }
} }
} }
h.envPath, err = filepath.Abs(h.envPath)
if err != nil {
starlog.Errorln("Failed to get abs path of", h.envPath)
return err
}
uconn, err := net.Dial("udp", "106.55.44.79:80")
if err == nil {
schema := "http://"
if h.cert != "" {
schema = "https://"
}
starlog.Infof("Visit: %s%s:%s\n", schema, uconn.LocalAddr().(*net.UDPAddr).IP.String(), h.port)
uconn.Close()
}
starlog.Infoln("Listening on " + h.addr + ":" + h.port) starlog.Infoln("Listening on " + h.addr + ":" + h.port)
if h.cert == "" { if h.cert == "" {
if err := server.ListenAndServe(); err != http.ErrServerClosed { if err := server.ListenAndServe(); err != http.ErrServerClosed {
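Review bot: The "Visit:" hint dials a hard-coded public address, `net.Dial("udp", "106.55.44.79:80")`, to learn the outbound interface IP; the literal is unexplained, belongs to a third party, and makes the banner depend on an external route, so on an offline or egress-restricted host the hint silently disappears. A UDP Dial sends no datagram, it only performs a route lookup, but that is worth stating, e.g. `// UDP "dial" transmits nothing; it only asks the kernel which local IP routes to a public address`, and the address belongs in a named constant so it can be changed or the probe skipped. The unchecked assertion `uconn.LocalAddr().(*net.UDPAddr)` would panic if it ever failed; `if la, ok := uconn.LocalAddr().(*net.UDPAddr); ok { ... }` is the safer form. The filepath.Abs result assigned to h.envPath is what the later prefix check in Listen relies on, so keep the early return on error; Run starts and ends outside this hunk.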
@ -364,9 +379,39 @@ func (h *HttpServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
h.Listen(w, r) h.Listen(w, r)
} }
func (h *HttpServer) GiveBasicAuth(w http.ResponseWriter) { func (h *HttpServer) Page404(w http.ResponseWriter) {
w.Header().Set("WWW-Authenticate", ` Basic realm="Please Enter Passwd"`) w.WriteHeader(404)
if h.page404 != "" {
data, err := os.ReadFile(h.page404)
if err == nil {
w.Write(data)
return
}
}
w.Write([]byte(`<html><title>B612 Http Server</title><body><h1 "style="text-align: center;">404 NOT FOUND</h1><hr ></body></html>`))
}
func (h *HttpServer) Page403(w http.ResponseWriter) {
w.WriteHeader(403)
if h.page403 != "" {
data, err := os.ReadFile(h.page403)
if err == nil {
w.Write(data)
return
}
}
w.Write([]byte(`<html><title>B612 Http Server</title><body><h1 "style="text-align: center;">403 Forbidden</h1><hr ></body></html>`))
}
func (h *HttpServer) Page401(w http.ResponseWriter) {
w.WriteHeader(401) w.WriteHeader(401)
if h.page401 != "" {
data, err := os.ReadFile(h.page401)
if err == nil {
w.Write(data)
return
}
}
w.Write([]byte(` w.Write([]byte(`
<html> <html>
<head><title>401 Authorization Required</title></head> <head><title>401 Authorization Required</title></head>
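Review bot: Page404, Page403 and Page401 are the same function three times, and each calls w.WriteHeader before any Content-Type is set, so the custom or built-in HTML is served with whatever type net/http sniffs; the built-in 404 and 403 bodies also carry a stray quote in `<h1 "style="text-align: center;">` that breaks the attribute. Factor the three into one helper that sets `Content-Type: text/html; charset=utf-8`, writes the status, and falls back to the built-in body exactly as the current code does, with each PageNNN reduced to a one-line call. Page401's built-in body continues past the end of this hunk.
```go
// servePage sets status and writes the operator-supplied page at custom,
// falling back to the built-in HTML when custom is empty or unreadable.
func (h *HttpServer) servePage(w http.ResponseWriter, status int, custom, builtin string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	if custom != "" {
		if data, err := os.ReadFile(custom); err == nil {
			w.Write(data)
			return
		}
	}
	w.Write([]byte(builtin))
}

func (h *HttpServer) Page404(w http.ResponseWriter) {
	h.servePage(w, 404, h.page404, `<html><title>B612 Http Server</title><body><h1 style="text-align: center;">404 NOT FOUND</h1><hr></body></html>`)
}
// … Page403 and Page401 likewise, each with its own status, field and built-in body …
```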
@ -377,6 +422,11 @@ func (h *HttpServer) GiveBasicAuth(w http.ResponseWriter) {
</html>`)) </html>`))
} }
func (h *HttpServer) GiveBasicAuth(w http.ResponseWriter) {
w.Header().Set("WWW-Authenticate", ` Basic realm="Please Enter Passwd"`)
h.Page401(w)
}
func (h *HttpServer) BasicAuth(log *starlog.StarLogger, w http.ResponseWriter, r *http.Request) bool { func (h *HttpServer) BasicAuth(log *starlog.StarLogger, w http.ResponseWriter, r *http.Request) bool {
if h.basicAuthPwd != "" { if h.basicAuthPwd != "" {
if len(h.protectAuthPage) != 0 { if len(h.protectAuthPage) != 0 {
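Review bot: GiveBasicAuth has no doc comment, and the WWW-Authenticate value it sets begins with a space before "Basic"; the space is tolerated as optional whitespace but is clearly unintended, so drop it. A comment such as `// GiveBasicAuth challenges the client for HTTP Basic credentials and renders the 401 page; Basic credentials are only base64-encoded, so the challenge is meaningful only when TLS is configured (h.cert).` would make the contract explicit for callers such as BasicAuth below.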
@ -429,6 +479,8 @@ func (h *HttpServer) SetUpload(w http.ResponseWriter, r *http.Request, path stri
} }
func (h *HttpServer) Listen(w http.ResponseWriter, r *http.Request) { func (h *HttpServer) Listen(w http.ResponseWriter, r *http.Request) {
log := starlog.Std.NewFlag() log := starlog.Std.NewFlag()
log.SetShowFuncName(false)
log.SetShowOriginFile(false)
w.Header().Set("X-Powered-By", "B612.ME") w.Header().Set("X-Powered-By", "B612.ME")
w.Header().Set("Server", "B612/"+version) w.Header().Set("Server", "B612/"+version)
if !h.BasicAuth(log, w, r) { if !h.BasicAuth(log, w, r) {
@ -439,14 +491,24 @@ func (h *HttpServer) Listen(w http.ResponseWriter, r *http.Request) {
h.uploadFile(w, r) h.uploadFile(w, r)
return return
} }
fullpath := filepath.Join(h.envPath, path) ua := r.Header.Get("User-Agent")
fullpath := filepath.Clean(filepath.Join(h.envPath, path))
{
//security check
if fullpath != h.envPath && !strings.HasPrefix(fullpath, h.envPath) {
log.Warningf("Invalid Path %s IP:%s Fullpath:%s\n", path, r.RemoteAddr, fullpath)
h.Page403(w)
return
}
}
if h.indexFile != "" && staros.IsFolder(fullpath) { if h.indexFile != "" && staros.IsFolder(fullpath) {
if staros.Exists(filepath.Join(fullpath, h.indexFile)) { if staros.Exists(filepath.Join(fullpath, h.indexFile)) {
fullpath = filepath.Join(fullpath, h.indexFile) fullpath = filepath.Join(fullpath, h.indexFile)
path = filepath.Join(path, h.indexFile) path = filepath.Join(path, h.indexFile)
} }
} }
log.Noticef("Start Method:%s Path:%s IP:%s\n", r.Method, path, r.RemoteAddr) now := time.Now()
if h.SetUpload(w, r, path) { if h.SetUpload(w, r, path) {
return return
} }
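Review bot: The new security check compares with `strings.HasPrefix(fullpath, h.envPath)` and no separator, so with an envPath of `/srv/www` a request resolving to `/srv/www2/secret` passes the check; use `!strings.HasPrefix(fullpath, h.envPath+string(filepath.Separator))` (keeping the `fullpath != h.envPath` equality case). The check also relies on h.envPath being absolute and cleaned, which Run does via filepath.Abs earlier in this commit, and it does not resolve symlinks inside envPath, which may or may not be intended. The Warningf call logs the raw request path and, in the later Listen hunks at L152-L154 and L162-L167, the raw User-Agent with `%s`; both are attacker-controlled strings, so `%q` would keep control characters from forging log lines. Listen starts before this hunk and continues after it.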
@ -454,9 +516,9 @@ func (h *HttpServer) Listen(w http.ResponseWriter, r *http.Request) {
case "OPTIONS", "HEAD": case "OPTIONS", "HEAD":
err := h.BuildHeader(w, r, fullpath) err := h.BuildHeader(w, r, fullpath)
if err != nil { if err != nil {
log.Warningf("Finished Method:%s Path:%s IP:%s Err:%v\n", r.Method, path, r.RemoteAddr, err) log.Warningf("%s %s From %s %s %.2fs %v\n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds(), err)
} else { } else {
log.Infof("Finished Method:%s Path:%s IP:%s\n", r.Method, path, r.RemoteAddr) log.Infof("%s %s From %s %s %.2fs \n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds())
} }
case "GET": case "GET":
err := h.BuildHeader(w, r, fullpath) err := h.BuildHeader(w, r, fullpath)
@ -465,12 +527,12 @@ func (h *HttpServer) Listen(w http.ResponseWriter, r *http.Request) {
} }
err = h.ResponseGet(log, w, r, fullpath) err = h.ResponseGet(log, w, r, fullpath)
if err != nil { if err != nil {
log.Warningf("Finished Method %s Path:%s IP:%s Err:%v\n", r.Method, path, r.RemoteAddr, err) log.Warningf("%s %s From %s %s %.2fs %v\n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds(), err)
return return
} }
log.Infof("Finished Method:%s Path:%s IP:%s\n", r.Method, path, r.RemoteAddr) log.Infof("%s %s From %s %s %.2fs \n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds())
default: default:
log.Warningf("Invalid Method %s Path:%s IP:%s\n", r.Method, path, r.RemoteAddr) log.Errorf("Invalid %s %s From %s %s %.2fs %v\n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds())
return return
} }
} }
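Review bot: The default-case call `log.Errorf("Invalid %s %s From %s %s %.2fs %v\n", r.Method, path, r.RemoteAddr, ua, time.Since(now).Seconds())` has six verbs but only five arguments, so every unsupported method logs a `%!v(MISSING)` suffix; drop the trailing ` %v` (go vet's printf check reports this). Separately, and already the case before this commit, the branch returns without writing any status, so an unsupported method gets an implicit empty 200; `w.WriteHeader(http.StatusMethodNotAllowed)` before the return would be the honest answer. Listen continues outside this hunk.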
@ -619,8 +681,7 @@ func (h *HttpServer) getFolder(log *starlog.StarLogger, w http.ResponseWriter, r
func (h *HttpServer) getFile(log *starlog.StarLogger, w http.ResponseWriter, r *http.Request, fullpath string) error { func (h *HttpServer) getFile(log *starlog.StarLogger, w http.ResponseWriter, r *http.Request, fullpath string) error {
if !staros.Exists(fullpath) { if !staros.Exists(fullpath) {
w.WriteHeader(404) h.Page404(w)
w.Write([]byte(`<html><title>B612 Http Server</title><body><h1 "style="text-align: center;">404 NOT FOUND</h1><hr ></body></html>`))
return errors.New("File Not Found! 404 ERROR") return errors.New("File Not Found! 404 ERROR")
} }
//starlog.Debugln(r.Header) //starlog.Debugln(r.Header)
@ -711,7 +772,7 @@ func (h *HttpServer) getFile(log *starlog.StarLogger, w http.ResponseWriter, r *
} }
return nil return nil
} }
log.Debugf("206 transfer mode for %v %v\n", r.URL.Path, r.RemoteAddr) log.Debugf("206 transfer mode for %v %v start %v end %v\n", r.URL.Path, r.RemoteAddr, startRange, endRange)
w.WriteHeader(206) w.WriteHeader(206)
fp.Seek(int64(startRange), 0) fp.Seek(int64(startRange), 0)
count := startRange count := startRange

@ -41,7 +41,7 @@ import (
var cmdRoot = &cobra.Command{ var cmdRoot = &cobra.Command{
Use: "b612", Use: "b612",
Version: "2.1.0.beta.6", Version: "2.1.0.beta.8",
} }
func init() { func init() {
