Add support for blocking access to our handlers.

Nginx side of the fix for apache/incubator-pagespeed-mod#1088
apache · Nov 16, 2015 · b966bde · b966bde
1 parent 634b813
commit b966bde
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 6 deletions.
diff --git a/src/ngx_pagespeed.cc b/src/ngx_pagespeed.cc
@@ -1650,23 +1650,29 @@ RequestRouting::Response ps_route_request(ngx_http_request_t* r) {
   const NgxRewriteOptions* global_options = cfg_s->server_context->config();
 
   StringPiece path = url.PathSansQuery();
-  if (StringCaseEqual(path, global_options->statistics_path())) {
+  if (StringCaseEqual(path, global_options->statistics_path()) &&
+      global_options->StatisticsAccessAllowed(url)) {
     return RequestRouting::kStatistics;
-  } else if (StringCaseEqual(path, global_options->global_statistics_path())) {
+  } else if (StringCaseEqual(path, global_options->global_statistics_path()) &&
+             global_options->GlobalStatisticsAccessAllowed(url)) {
     return RequestRouting::kGlobalStatistics;
-  } else if (StringCaseEqual(path, global_options->console_path())) {
+  } else if (StringCaseEqual(path, global_options->console_path()) &&
+             global_options->ConsoleAccessAllowed(url)) {
     return RequestRouting::kConsole;
-  } else if (StringCaseEqual(path, global_options->messages_path())) {
+  } else if (StringCaseEqual(path, global_options->messages_path()) &&
+             global_options->MessagesAccessAllowed(url)) {
     return RequestRouting::kMessages;
   } else if (
       // The admin handlers get everything under a path (/path/*) while all the
       // other handlers only get exact matches (/path).  So match all paths
       // starting with the handler path.
       !global_options->admin_path().empty() &&
-      StringCaseStartsWith(path, global_options->admin_path())) {
+      StringCaseStartsWith(path, global_options->admin_path()) &&
+      global_options->AdminAccessAllowed(url)) {
     return RequestRouting::kAdmin;
   } else if (!global_options->global_admin_path().empty() &&
-             StringCaseStartsWith(path, global_options->global_admin_path())) {
+             StringCaseStartsWith(path, global_options->global_admin_path()) &&
+             global_options->GlobalAdminAccessAllowed(url)) {
     return RequestRouting::kGlobalAdmin;
   } else if (global_options->enable_cache_purge() &&
              !global_options->purge_method().empty() &&

diff --git a/test/nginx_system_test.sh b/test/nginx_system_test.sh
@@ -300,6 +300,9 @@ fi
 
 PSA_JS_LIBRARY_URL_PREFIX="pagespeed_custom_static"
 BEACON_HANDLER="ngx_pagespeed_beacon"
+STATISTICS_HANDLER="ngx_pagespeed_statistics"
+GLOBAL_STATISTICS_HANDLER="ngx_pagespeed_global_statistics"
+MESSAGES_HANDLER="ngx_pagespeed_message"
 STATISTICS_URL=http://$PRIMARY_HOSTNAME/ngx_pagespeed_statistics
 
 # An expected failure can be indicated like: "~In-place resource optimization~"

diff --git a/test/pagespeed_test.conf.template b/test/pagespeed_test.conf.template
@@ -24,6 +24,9 @@ http {
                    '"$http_user_agent"';
   access_log "@@ACCESS_LOG@@" cache;
 
+  # Don't put entries in the error log for 403s and 404s.
+  log_not_found off;
+
   proxy_cache_path "@@PROXY_CACHE@@"  levels=1:2   keys_zone=htmlcache:60m inactive=90m  max_size=50m;
   proxy_temp_path "@@TMP_PROXY_CACHE@@";
 
@@ -816,13 +819,27 @@ http {
     pagespeed ConsolePath /custom_pagespeed_console;
     pagespeed MessagesPath /custom_pagespeed_message;
     pagespeed AdminPath /custom_pagespeed_admin;
+
+    pagespeed StatisticsDomains Allow *;
+    pagespeed GlobalStatisticsDomains Allow *;
+    pagespeed MessagesDomains Allow *;
+    pagespeed ConsoleDomains Allow *;
+    pagespeed AdminDomains Allow *;
+    pagespeed GlobalAdminDomains Allow *;
   }
 
   server {
     listen @@SECONDARY_PORT@@;
     listen [::]:@@SECONDARY_PORT@@;
     server_name inherit-paths.example.com;
     pagespeed FileCachePath "@@FILE_CACHE@@";
+
+    pagespeed StatisticsDomains Allow *;
+    pagespeed GlobalStatisticsDomains Allow *;
+    pagespeed MessagesDomains Allow *;
+    pagespeed ConsoleDomains Allow *;
+    pagespeed AdminDomains Allow *;
+    pagespeed GlobalAdminDomains Allow *;
   }
 
   server {
@@ -1336,6 +1353,79 @@ http {
     }
   }
 
+  pagespeed MessagesDomains Allow messages-allowed.example.com;
+  pagespeed MessagesDomains Allow cleared-inherited.example.com;
+  pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
+  pagespeed MessagesDomains Allow more-messages-allowed.example.com;
+  pagespeed MessagesDomains Allow anything-*-wildcard.example.com;
+  pagespeed MessagesDomains Allow localhost;
+
+  server {
+    listen @@SECONDARY_PORT@@;
+    listen [::]:@@SECONDARY_PORT@@;
+    server_name messages-allowed.example.com
+                messages-not-allowed.example.com
+                more-messages-allowed.example.com
+                anything-a-wildcard.example.com
+                anything-b-wildcard.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    listen @@SECONDARY_PORT@@;
+    listen [::]:@@SECONDARY_PORT@@;
+    server_name messages-still-not-allowed.example.com
+                but-this-message-allowed.example.com
+                and-this-one.example.com;
+    pagespeed MessagesDomains Allow but-this-message-allowed.example.com;
+    pagespeed MessagesDomains Allow and-this-one.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    listen @@SECONDARY_PORT@@;
+    listen [::]:@@SECONDARY_PORT@@;
+    server_name cleared-inherited.example.com
+                cleared-inherited-reallowed.example.com
+                messages-allowed-at-vhost.example.com
+                messages-not-allowed-at-vhost.example.com
+                anything-c-wildcard.example.com;
+    pagespeed MessagesDomains Disallow *;
+    pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
+    pagespeed MessagesDomains Allow messages-allowed-at-vhost.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    listen @@SECONDARY_PORT@@;
+    listen [::]:@@SECONDARY_PORT@@;
+    server_name cleared-inherited-unlisted.example.com;
+    pagespeed MessagesDomains Allow *;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    server_name nothing-allowed.example.com;
+    pagespeed MessagesDomains Disallow *;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    server_name nothing-explicitly-allowed.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+  }
+  server {
+    listen @@SECONDARY_PORT@@;
+    listen [::]:@@SECONDARY_PORT@@;
+    server_name everything-explicitly-allowed.example.com
+                everything-explicitly-allowed-but-aliased.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+
+    pagespeed StatisticsDomains Allow everything-explicitly-allowed.example.com;
+    pagespeed GlobalStatisticsDomains
+      Allow everything-explicitly-allowed.example.com;
+    pagespeed MessagesDomains Allow everything-explicitly-allowed.example.com;
+    pagespeed ConsoleDomains Allow everything-explicitly-allowed.example.com;
+    pagespeed AdminDomains Allow everything-explicitly-allowed.example.com;
+    pagespeed GlobalAdminDomains
+     Allow everything-explicitly-allowed.example.com;
+  }
+
   server {
     listen @@PRIMARY_PORT@@;
     listen [::]:@@PRIMARY_PORT@@;