proxy: add ALLOWED_HOSTS env var

will setup caddy to check if the Host-header matches one of the space delimited fields in ALLOWED_HOSTS. Or do no such thing if ALLOWED_HOSTS is not set.
2021-12-22 12:42:46 +01:00 · 2021-12-22 12:42:46 +01:00 · ba74f33e68
parent b2741c782e
commit ba74f33e68
2 changed files with 31 additions and 0 deletions
--- a/proxy/caddy_base.json
+++ b/proxy/caddy_base.json
@ -24,6 +24,27 @@
          "listen": [":8000"],
          "allow_h2c": true,
          "routes": [
+            {
+              "handle": [
+                {
+                  "body": "Misdirected Request",
+                  "close": true,
+                  "handler": "static_response",
+                  "status_code": 421
+                }
+              ],
+              "match": [
+                {
+                  "not": [
+                    {
+                      "header": {
+                        "Host": []
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
            {
              "handle": [
                {
--- a/proxy/entrypoint
+++ b/proxy/entrypoint
@ -8,6 +8,7 @@ HTTPS_CERT_FILE="${HTTPS_CERT_FILE:-/certs/cert.pem}"
 HTTPS_KEY_FILE="${HTTPS_KEY_FILE:-/certs/key.pem}"

 cp $base $config
+
 # set defaults in base
 ACTION_HOST="${ACTION_HOST:-backend}" ACTION_PORT="${ACTION_PORT:-9002}" \
 PRESENTER_HOST="${PRESENTER_HOST:-backend}" PRESENTER_PORT="${PRESENTER_PORT:-9003}" \
@ -53,4 +54,13 @@ else
  fi
 fi

+### ALLOWED HOSTS ###
+if [ -n "$ALLOWED_HOSTS" ]; then
+  for host in $ALLOWED_HOSTS; do
+    jq_write ".apps.http.servers.srv0.routes[0].match[0].not[0].header.Host += [\"$host\"]"
+  done
+else
+  jq_write "del(.apps.http.servers.srv0.routes[0])"
+fi
+
 exec "$@"