diff --git a/chart/templates/config.yaml b/chart/templates/config.yaml
index 8ad6d57..937cf0b 100644
--- a/chart/templates/config.yaml
+++ b/chart/templates/config.yaml
@@ -4,7 +4,7 @@ metadata:
 name: {{ include "webapp.name" . }}-config
 namespace: {{ .Release.Namespace }}
 data:
- OAUTH_ALLOWED_HOST: webapp.arcodange.duckdns.org
- OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
+ OAUTH_ALLOWED_HOSTS: webapp.arcodange.duckdns.org,webapp.arcodange.fr
+ # OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
 DATABASE_URL: postgres://pgbouncer_auth:pgbouncer_auth@pgbouncer.tools/postgres?sslmode=disable
 # DATABASE_URL: postgres://username:password@localhost/dbname?sslmode=disable
\ No newline at end of file
diff --git a/chart/templates/localIngress.yaml b/chart/templates/localIngress.yaml
new file mode 100644
index 0000000..5ac652e
--- /dev/null
+++ b/chart/templates/localIngress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ argocd.argoproj.io/tracking-id: webapp:networking.k8s.io/Ingress:webapp/webapp
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: localIp@file
+ traefik.ingress.kubernetes.io/router.tls: 'true'
+ traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
+ traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+ traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.duckdns.org
+ name: webapp-local
+ namespace: webapp
+spec:
+ rules:
+ - host: webapp.arcodange.duckdns.org
+ http:
+ paths:
+ - backend:
+ service:
+ name: webapp
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
\ No newline at end of file
diff --git a/main.go b/main.go
index ed8475f..36c00a6 100644
--- a/main.go
+++ b/main.go
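Review bot: Commenting out OAUTH_DEVICE_CODE_ALLOWED_IPS leaves the variable unset rather than empty, and on the Go side `strings.Split(os.Getenv(...), ",")` then yields the one-element slice `[""]`, so admission to /retrieve now rests entirely on the private-network checks in retrieveHandler (the main.go hunks below). If that is the intent, say so next to the commented line, e.g. `# intentionally unset: /retrieve is then limited to 192.168.0.0/16 and 10.42.0.0/16 (see retrieveHandler)`. The new OAUTH_ALLOWED_HOSTS value correctly has no space after the comma and no trailing comma — main.go does not trim entries, so keep it that way. Unrelated to this change, the context line above carries database credentials in a ConfigMap rather than a Secret.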
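Review bot: The `argocd.argoproj.io/tracking-id` annotation identifies this object as `webapp/webapp` while its `metadata.name` is `webapp-local`, and the rest of the file (literal `namespace: webapp`, literal names) reads like a cluster export dropped into chart/templates rather than a template — config.yaml in the same chart uses `{{ .Release.Namespace }}` and `{{ include "webapp.name" . }}`. Argo CD writes that annotation itself at sync time; a hand-copied value that presumably matches the existing Ingress is likely to confuse its ownership tracking, so drop the annotation and template `name`/`namespace` the way config.yaml does. Access control for this route rests entirely on `localIp@file`, a middleware defined outside the chart; a comment such as `# depends on the localIp middleware from Traefik's file provider` would make that coupling visible, and whether Traefik refuses the router when the middleware is absent should be confirmed for the deployed version.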
@@ -21,8 +21,10 @@ import (
 var (
 db *sql.DB // Global database connection
 c = cache.New(5*time.Minute, 10*time.Minute)
- oauthAllowedHost = os.Getenv("OAUTH_ALLOWED_HOST") // URL authorized for device code
+ oauthAllowedHosts = strings.Split(os.Getenv("OAUTH_ALLOWED_HOSTS"), ",") // authorized HOSTS for device code
 oauthDeviceCodeAllowedIPs = strings.Split(os.Getenv("OAUTH_DEVICE_CODE_ALLOWED_IPS"), ",") // IPS autorisées pour /retrieve
+ _, localNetwork, _ = net.ParseCIDR("192.168.0.0/16")
+ _, k3sNetwork, _ = net.ParseCIDR("10.42.0.0/16")
 )
 // dbConnection initializes the database connection.
@@ -103,7 +105,7 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
 `
- fmt.Fprintf(w, tmpl)
+ fmt.Fprint(w, tmpl)
 }
 // selectHandler handles HTTP requests and executes a SQL query.
@@ -151,7 +153,7 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 // Vérifier le référent (ou origine)
 hostHeader := strings.Trim(r.Header.Get("X-Forwarded-Host"), "[]")
- if oauthAllowedHost != "" && hostHeader != oauthAllowedHost {
+ if len(oauthAllowedHosts) > 0 && !slices.Contains(oauthAllowedHosts, hostHeader) {
 fmt.Fprintln(os.Stderr, "X-Forwarded-Host: "+hostHeader)
 fmt.Fprintln(os.Stderr, "received headers")
 for key, value := range r.Header {
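Review bot: `strings.Split` of an unset OAUTH_ALLOWED_HOSTS returns `[""]`, never an empty slice, so the `len(oauthAllowedHosts) > 0` guard in the oauth2_callback hunk below does not mean "unset" and the empty string becomes an allowed host: with the variable missing, a request carrying any X-Forwarded-Host is rejected while one with no such header (hostHeader == "") passes, which is not the opt-out the old `oauthAllowedHost != ""` expressed. Drop empty entries when parsing, e.g. `oauthAllowedHosts = slices.DeleteFunc(strings.Split(os.Getenv("OAUTH_ALLOWED_HOSTS"), ","), func(s string) bool { return s == "" })`, and apply the same to oauthDeviceCodeAllowedIPs, whose previous configured value ended in a trailing comma. The two `net.ParseCIDR` calls discard their error; the literals are valid as written, but a nil *IPNet would panic inside `Contains` in retrieveHandler, so a `// fixed literals; a parse failure here is a programming error` comment or a Must-style helper would document that assumption.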
@@ -283,11 +285,12 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 func retrieveHandler(w http.ResponseWriter, r *http.Request) {
 // Récupérer l'IP de l'utilisateur
 userIP, _, err := net.SplitHostPort(r.RemoteAddr)
- userIPforwarded := r.Header.Get("X-Forwarded-For")
+ userIPforwarded := net.ParseIP(r.Header.Get("X-Forwarded-For"))
 if err != nil ||
- !slices.Contains(oauthDeviceCodeAllowedIPs, userIP) &&
- !slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded) {
- fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded)
+ !slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded.String()) &&
+ !localNetwork.Contains(userIPforwarded) &&
+ !k3sNetwork.Contains(userIPforwarded) {
+ fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded.String())
 fmt.Fprintf(os.Stderr, "alowed ips: %+v", oauthDeviceCodeAllowedIPs)
 // Parcourir tous les headers
 for name, values := range r.Header {
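Review bot: The new check treats X-Forwarded-For as a single address, but behind a proxy chain the header is a comma-separated list (`client, proxy`), for which `net.ParseIP` returns nil; nil is in neither network and prints as `<nil>`, so such requests are always denied, and the direct `userIP` from RemoteAddr is no longer compared against oauthDeviceCodeAllowedIPs at all. The header is also only as trustworthy as the peer that set it: if anything other than the ingress can reach this listener, the private-range checks are decided by a header the caller supplies, so the forwarded value should be honoured only when RemoteAddr is the proxy (whether Traefik already rewrites untrusted X-Forwarded-* headers on this entrypoint I cannot confirm from here). Below is a parse that takes the last element of the list, falls back to RemoteAddr when the header is absent, unparsable or not from the proxy, and leaves the existing condition untouched; retrieveHandler continues past the end of the hunk.
```go
userIP, _, err := net.SplitHostPort(r.RemoteAddr)
peer := net.ParseIP(userIP)
// X-Forwarded-For may be "client, proxy1, proxy2"; the last entry is the one
// appended by the nearest proxy and the only one worth reading.
forwarded := r.Header.Get("X-Forwarded-For")
if i := strings.LastIndex(forwarded, ","); i >= 0 {
	forwarded = forwarded[i+1:]
}
userIPforwarded := net.ParseIP(strings.TrimSpace(forwarded))
// trustedProxyNetwork: *net.IPNet covering the ingress's addresses, declared
// next to k3sNetwork — PLACEHOLDER, fill in for this cluster. From any other
// peer the header is caller-supplied, so the socket address is used instead.
if userIPforwarded == nil || peer == nil || !trustedProxyNetwork.Contains(peer) {
	userIPforwarded = peer
}
// … unchanged: allow-list / private-network condition and denial logging …
```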