Make some more fixes to prod

This commit is contained in:
Justine Tunney 2022-10-19 13:10:00 -07:00
parent 69bee64a59
commit da336b3ea8
No known key found for this signature in database
GPG key ID: BE714B4575D6E328
6 changed files with 90 additions and 28 deletions

View file

@ -24,6 +24,6 @@
*/
bool IsTestnetIp(uint32_t x) {
return (((x & 0xFFFFFF00u) == 0xC0000200u) /* 192.0.2.0/24 */ ||
((x & 0xFFFFFF00u) == 0xC0000200u) /* 198.51.100.0/24 */ ||
((x & 0xFFFFFF00u) == 0x0c6336400) /* 198.51.100.0/24 */ ||
((x & 0xFFFFFF00u) == 0xCB007100u) /* 203.0.113.0/24 */);
}

View file

@ -18,7 +18,6 @@ RELAY_HEADERS_TO_CLIENT = {
'Content-Type',
'Last-Modified',
'Referrer-Policy',
'Vary',
}
function OnServerStart()
@ -30,10 +29,27 @@ function OnWorkerStart()
assert(unix.setrlimit(unix.RLIMIT_RSS, 2*1024*1024))
assert(unix.setrlimit(unix.RLIMIT_CPU, 2))
assert(unix.unveil(nil, nil))
assert(unix.pledge("stdio inet", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))
assert(unix.pledge("stdio inet unix", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))
end
function OnHttpRequest()
local ip = GetClientAddr()
if not IsTrustedIp(ip) then
local tok = AcquireToken(ip)
if tok < 2 then
if Blackhole(ip) then
Log(kLogWarn, "banned %s" % {FormatIp(ip)})
else
Log(kLogWarn, "failed to ban %s" % {FormatIp(ip)})
end
end
if tok < 30 then
ServeError(429)
SetHeader('Connection', 'close')
Log(kLogWarn, "warned %s who has %d tokens" % {FormatIp(ip), tok})
return
end
end
local url = 'http://127.0.0.1' .. EscapePath(GetPath())
local name = GetParam('name')
if name then
@ -49,7 +65,7 @@ function OnHttpRequest()
['Referer'] = GetHeader('Referer'),
['Sec-CH-UA-Platform'] = GetHeader('Sec-CH-UA-Platform'),
['User-Agent'] = GetHeader('User-Agent'),
['X-Forwarded-For'] = FormatIp(GetClientAddr())}})
['X-Forwarded-For'] = FormatIp(ip)}})
if status then
SetStatus(status)
for k,v in pairs(RELAY_HEADERS_TO_CLIENT) do

View file

@ -46,6 +46,7 @@
#include "libc/sysv/consts/timer.h"
#include "libc/time/struct/tm.h"
#include "net/http/http.h"
#include "net/http/ip.h"
#include "third_party/getopt/getopt.h"
#include "third_party/musl/passwd.h"
@ -355,7 +356,7 @@ void WritePid(void) {
bool IsMyIp(uint32_t ip) {
uint32_t *p;
for (p = g_myips; *p; ++p) {
if (ip == *p) {
if (ip == *p && !IsTestnetIp(ip)) {
return true;
}
}

View file

@ -1029,8 +1029,6 @@ void *HttpWorker(void *arg) {
"Cache-Control: max-age=3600, private\r\n"
"Date: ");
p = FormatDate(p);
p = stpcpy(p, "\r\nX-Token-Count: ");
p = FormatInt32(p, CountTokens(g_tok.b, ip, TB_CIDR));
p = stpcpy(p, "\r\nContent-Length: ");
p = FormatInt32(p, strlen(ipbuf));
p = stpcpy(p, "\r\n\r\n");