HTTP proxy support for outgoing request, manage access to hidden service (#7134)
* Add support for HTTP client proxy * Add access control for darknet Supress error when access to darknet via transparent proxy * Fix the codes pointed out * Lint * Fix an omission + lint * any? -> include? * Change detection method to regexp to avoid test failgh/stable
parent
9d4710ed00
commit
f58dcbc981
|
@ -214,3 +214,10 @@ STREAMING_CLUSTER_NUM=1
|
||||||
# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
|
# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
|
||||||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
|
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
|
||||||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
|
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
|
||||||
|
|
||||||
|
# Use HTTP proxy for outgoing request (optional)
|
||||||
|
# http_proxy=http://gateway.local:8118
|
||||||
|
# Access control for hidden service.
|
||||||
|
# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
|
||||||
|
# If you use transparent proxy to access to hidden service, uncomment following for skipping private address check.
|
||||||
|
# HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY=true
|
||||||
|
|
|
@ -11,9 +11,10 @@ class Request
|
||||||
def initialize(verb, url, **options)
|
def initialize(verb, url, **options)
|
||||||
@verb = verb
|
@verb = verb
|
||||||
@url = Addressable::URI.parse(url).normalize
|
@url = Addressable::URI.parse(url).normalize
|
||||||
@options = options.merge(socket_class: Socket)
|
@options = options.merge(use_proxy? ? Rails.configuration.x.http_client_proxy : { socket_class: Socket })
|
||||||
@headers = {}
|
@headers = {}
|
||||||
|
|
||||||
|
raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if block_hidden_service?
|
||||||
set_common_headers!
|
set_common_headers!
|
||||||
set_digest! if options.key?(:body)
|
set_digest! if options.key?(:body)
|
||||||
end
|
end
|
||||||
|
@ -99,6 +100,14 @@ class Request
|
||||||
@http_client ||= HTTP.timeout(:per_operation, timeout).follow(max_hops: 2)
|
@http_client ||= HTTP.timeout(:per_operation, timeout).follow(max_hops: 2)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def use_proxy?
|
||||||
|
Rails.configuration.x.http_client_proxy.present?
|
||||||
|
end
|
||||||
|
|
||||||
|
def block_hidden_service?
|
||||||
|
!Rails.configuration.x.access_to_hidden_service && /\.(onion|i2p)$/.match(@url.host)
|
||||||
|
end
|
||||||
|
|
||||||
module ClientLimit
|
module ClientLimit
|
||||||
def body_with_limit(limit = 1.megabyte)
|
def body_with_limit(limit = 1.megabyte)
|
||||||
raise Mastodon::LengthValidationError if content_length.present? && content_length > limit
|
raise Mastodon::LengthValidationError if content_length.present? && content_length > limit
|
||||||
|
@ -129,6 +138,7 @@ class Request
|
||||||
class Socket < TCPSocket
|
class Socket < TCPSocket
|
||||||
class << self
|
class << self
|
||||||
def open(host, *args)
|
def open(host, *args)
|
||||||
|
return super host, *args if thru_hidden_service? host
|
||||||
outer_e = nil
|
outer_e = nil
|
||||||
Addrinfo.foreach(host, nil, nil, :SOCK_STREAM) do |address|
|
Addrinfo.foreach(host, nil, nil, :SOCK_STREAM) do |address|
|
||||||
begin
|
begin
|
||||||
|
@ -142,6 +152,10 @@ class Request
|
||||||
end
|
end
|
||||||
|
|
||||||
alias new open
|
alias new open
|
||||||
|
|
||||||
|
def thru_hidden_service?(host)
|
||||||
|
Rails.configuration.x.hidden_service_via_transparent_proxy && /\.(onion|i2p)$/.match(host)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
Rails.application.configure do
|
||||||
|
config.x.http_client_proxy = {}
|
||||||
|
if ENV['http_proxy'].present?
|
||||||
|
proxy = URI.parse(ENV['http_proxy'])
|
||||||
|
raise "Unsupported proxy type: #{proxy.scheme}" unless %w(http https).include? proxy.scheme
|
||||||
|
raise "No proxy host" unless proxy.host
|
||||||
|
|
||||||
|
host = proxy.host
|
||||||
|
host = host[1...-1] if host[0] == '[' #for IPv6 address
|
||||||
|
config.x.http_client_proxy[:proxy] = { proxy_address: host, proxy_port: proxy.port, proxy_username: proxy.user, proxy_password: proxy.password }.compact
|
||||||
|
end
|
||||||
|
|
||||||
|
config.x.access_to_hidden_service = ENV['ALLOW_ACCESS_TO_HIDDEN_SERVICE'] == 'true'
|
||||||
|
config.x.hidden_service_via_transparent_proxy = ENV['HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY'] == 'true'
|
||||||
|
end
|
||||||
|
|
||||||
|
module Goldfinger
|
||||||
|
def self.finger(uri, opts = {})
|
||||||
|
to_hidden = /\.(onion|i2p)(:\d+)?$/.match(uri)
|
||||||
|
raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if !Rails.configuration.x.access_to_hidden_service && to_hidden
|
||||||
|
opts = opts.merge(Rails.configuration.x.http_client_proxy).merge(ssl: !to_hidden)
|
||||||
|
Goldfinger::Client.new(uri, opts).finger
|
||||||
|
end
|
||||||
|
end
|
Reference in New Issue