added blocking self-revealing proxies

enabled by default in the config
2022-06-10 20:06:41 +02:00 · 2022-06-10 20:06:41 +02:00 · bf733806b9
commit bf733806b9
parent 07e36cd2d3
2 changed files with 37 additions and 4 deletions
--- a/server.js
+++ b/server.js
@ -150,8 +150,6 @@ function unsign(text,req,res) {
  let ip = req.socket.remoteAddress
  let unsigned = signature.unsign(text,cookiesecret+ip)
  if(!unsigned) {
-    res.status(400)
-    res.json({"error":"Bad auth cookie set"})
    return false
  }
  return unsigned
@ -165,7 +163,13 @@ function getunsigned(req,res) {
    return
  }
  let unsigned = unsign(cookie,req,res)
-  if(!unsigned)return
+  if(!unsigned){
+    try {
+      res.status(400)
+      res.json({"error":"Bad auth cookie set"})
+    } catch (ignored) {} //sometimes it errors, gotta debug soon
+    return false
+  }
  return decodeURIComponent(unsigned)
 }

@ -281,8 +285,36 @@ app.use(cookieParser(cookiesecret));
 // })
 //maybe someone wants it?

+var blocked_headers = [
+  'HTTP_VIA',
+  'HTTP_X_FORWARDED_FOR',
+  'HTTP_FORWARDED_FOR',
+  'HTTP_X_FORWARDED',
+  'HTTP_FORWARDED',
+  'HTTP_CLIENT_IP',
+  'HTTP_FORWARDED_FOR_IP',
+  'VIA',
+  'X_FORWARDED_FOR',
+  'FORWARDED_FOR',
+  'X_FORWARDED',
+  'FORWARDED',
+  'CLIENT_IP',
+  'FORWARDED_FOR_IP',
+  'HTTP_PROXY_CONNECTION'
+]
+
+if(!config.disallow_proxies_by_headers) {
+  blocked_headers = []
+}
+
 app.use("/*",function(req,res,next){
  res.set("x-powered-by","ZeroTwoHub")
+  for (let i = 0; i < blocked_headers.length; i++) {
+    if(req.header(blocked_headers[i])!=undefined) {
+      res.json({"error":"we don't allow proxies on our website."})
+      return
+    }
+  }
  next()
 })

--- a/server_config.json
+++ b/server_config.json
@ -23,5 +23,6 @@
  },
  "logs": {
    "level": 5
-  }
+  },
+  "disallow_proxies_by_headers": true
 }