cleanup options, deny access to any .htpasswd files
This commit is contained in:
parent
9b0efdda00
commit
09fafbf6c4
11
main.go
11
main.go
@ -12,6 +12,7 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/crypto/bcrypt"
|
"golang.org/x/crypto/bcrypt"
|
||||||
@ -25,8 +26,6 @@ var twFile = "empty-5.1.23.html"
|
|||||||
var tiddly embed.FS
|
var tiddly embed.FS
|
||||||
|
|
||||||
var (
|
var (
|
||||||
test bool
|
|
||||||
cacheDir string
|
|
||||||
davDir string
|
davDir string
|
||||||
listen string
|
listen string
|
||||||
passPath string
|
passPath string
|
||||||
@ -40,17 +39,14 @@ func init() {
|
|||||||
log.Fatalln(err)
|
log.Fatalln(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
|
|
||||||
flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
|
flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
|
||||||
flag.StringVar(&listen, "http", "127.0.0.1:8080", "Listen on")
|
flag.StringVar(&listen, "http", "127.0.0.1:8080", "Listen on")
|
||||||
flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
|
flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
|
||||||
flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
|
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
// These are OpenBSD specific protections used to prevent unnecessary file access.
|
// These are OpenBSD specific protections used to prevent unnecessary file access.
|
||||||
_ = protect.Unveil(passPath, "r")
|
_ = protect.Unveil(passPath, "r")
|
||||||
_ = protect.Unveil(davDir, "rwc")
|
_ = protect.Unveil(davDir, "rwc")
|
||||||
_ = protect.Unveil(cacheDir, "rwc")
|
|
||||||
_ = protect.Unveil("/etc/ssl/cert.pem", "r")
|
_ = protect.Unveil("/etc/ssl/cert.pem", "r")
|
||||||
_ = protect.Unveil("/etc/resolv.conf", "r")
|
_ = protect.Unveil("/etc/resolv.conf", "r")
|
||||||
_ = protect.Pledge("stdio wpath rpath cpath inet dns")
|
_ = protect.Pledge("stdio wpath rpath cpath inet dns")
|
||||||
@ -125,6 +121,11 @@ func main() {
|
|||||||
|
|
||||||
mux := http.NewServeMux()
|
mux := http.NewServeMux()
|
||||||
mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
|
mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if strings.Contains(r.URL.Path, ".htpasswd") {
|
||||||
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
user, pass, ok := r.BasicAuth()
|
user, pass, ok := r.BasicAuth()
|
||||||
if !(ok && authenticate(user, pass)) {
|
if !(ok && authenticate(user, pass)) {
|
||||||
w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
|
w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
|
||||||
|
Loading…
Reference in New Issue
Block a user