From 9c9f2a128added4abd4a4497f9422e38594074aa Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 10 Sep 2025 17:29:39 +0800
Subject: [PATCH 1/2] wip

---
 caddy/Caddyfile.prod | 10 ++++++++++
 pkg/middleware/public_middleware.go | 11 ++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index a9614925..cb7fc62a 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -25,6 +25,16 @@ oullin.io {
 format json
 }
 
+ route /api/generate-signature/* {
+ @allowed {
+ # Allow requests only from the VPS itself (localhost).
+ ip_range 127.0.0.1 ::1
+ }
+
+ # If the remote IP is not in the allowed range, abort the connection.
+ abort not @allowed
+ }
+
 # API handler.
 # - Reverse-proxy all requests to the Go API, forwarding Host + auth headers.
 # - to: Tell Caddy which upstream to send to.
diff --git a/pkg/middleware/public_middleware.go b/pkg/middleware/public_middleware.go
index 790a6db6..a97f3b22 100644
--- a/pkg/middleware/public_middleware.go
+++ b/pkg/middleware/public_middleware.go
@@ -61,11 +61,12 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 return mwguards.RateLimitedError("Too many requests", "Too many requests for key: "+limiterKey)
 }
 
- if err := p.HasInvalidIP(r); err != nil {
- p.rateLimiter.Fail(limiterKey)
-
- return err
- }
+ // @deprecated
+ //if err := p.HasInvalidIP(r); err != nil {
+ // p.rateLimiter.Fail(limiterKey)
+ //
+ // return err
+ //}
 
 vt := mwguards.NewValidTimestamp(ts, p.now)
 if err := vt.Validate(p.clockSkew, p.disallowFuture); err != nil {

From 559b7b726364389c95c3cd308f9f0225df17ce41 Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 10 Sep 2025 17:31:08 +0800
Subject: [PATCH 2/2] wip

---
 pkg/middleware/public_middleware.go | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/pkg/middleware/public_middleware.go b/pkg/middleware/public_middleware.go
index a97f3b22..7481b754 100644
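Review bot: The named matcher `@allowed` in the new `route /api/generate-signature/*` block uses `ip_range`, which as far as I can tell is not a Caddy request matcher; Caddy's address matchers are `remote_ip` (the TCP peer address) and `client_ip` (which honours `trusted_proxies`), so this block is likely to be rejected at config load, and if some build does accept it the route is not actually restricted. For a localhost-only rule the matcher body should read `remote_ip 127.0.0.1 ::1`. Two caveats worth a comment in the file: the inline path matcher `/api/generate-signature/*` matches the subtree under that prefix but not the bare `/api/generate-signature` path, so if the API also serves the bare path a named matcher with `path /api/generate-signature /api/generate-signature/*` is needed; and because the companion hunk removes the Go-side IP check, this rule is now the only guard, which holds only while the API listener is reachable exclusively through Caddy.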
--- a/pkg/middleware/public_middleware.go
+++ b/pkg/middleware/public_middleware.go
@@ -61,13 +61,6 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 return mwguards.RateLimitedError("Too many requests", "Too many requests for key: "+limiterKey)
 }
 
- // @deprecated
- //if err := p.HasInvalidIP(r); err != nil {
- // p.rateLimiter.Fail(limiterKey)
- //
- // return err
- //}
-
 vt := mwguards.NewValidTimestamp(ts, p.now)
 if err := vt.Validate(p.clockSkew, p.disallowFuture); err != nil {
 p.rateLimiter.Fail(limiterKey)
@@ -90,20 +83,6 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 }
 }
 
-func (p PublicMiddleware) HasInvalidIP(r *baseHttp.Request) *http.ApiError {
- ip := portal.ParseClientIP(r)
-
- if ip == "" {
- return mwguards.InvalidRequestError("Clients IPs are required to access this endpoint", "")
- }
-
- if p.isProduction && ip != p.allowedIP {
- return mwguards.InvalidRequestError("The given IP is not allowed", "unauthorised ip: "+ip)
- }
-
- return nil
-}
-
 func (p PublicMiddleware) GuardDependencies() *http.ApiError {
 missing := []string{}
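Review bot: Removing the `p.HasInvalidIP(r)` call from `Handle` in the hunk at `@@ -61,13 +61,6 @@` (the function starts and ends outside the hunk) moves source-IP enforcement entirely to the Caddy layer, and that narrows coverage in two ways the commit message should state: the Go check ran on every request that passed through `PublicMiddleware`, whereas the Caddy rule added in the first patch covers only `/api/generate-signature/*`, and the Go check also recorded a rejected IP as a failure via `p.rateLimiter.Fail(limiterKey)`, which a proxy-side `abort` does not. If the API listener can be reached without Caddy in front of it (a direct port, a local compose setup), the endpoint is now unrestricted on that path. A short comment at the former call site would help the next reader, e.g. `// Source-IP allow-listing for this route is enforced at the edge (caddy/Caddyfile.prod), not here.` If nothing else reads `p.isProduction` and `p.allowedIP` after this deletion, they are dead configuration and their wiring should be removed in the same change rather than left behind.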