	improve YAML syntax for defining allowed IPs
This commit is contained in:
		
							parent
							
								
									fb63167d85
								
							
						
					
					
						commit
						5116586d79
					
				
					 5 changed files with 113 additions and 24 deletions
				
			
		|  | @ -321,9 +321,24 @@ attachLdSignatureForRelays: true | |||
| # For security reasons, uploading attachments from the intranet is prohibited, | ||||
| # but exceptions can be made from the following settings. Default value is "undefined". | ||||
| # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). | ||||
| #allowedPrivateNetworks: [ | ||||
| #  '127.0.0.1/32' | ||||
| #] | ||||
| # Some example configurations: | ||||
| #allowedPrivateNetworks: | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1/32' | ||||
| #  # Allow connections to 127.0.0.* on any port | ||||
| #  - '127.0.0.1/24' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - network: '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on port 80 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: [80] | ||||
| #  # Allow connections to 127.0.0.1 on port 80 or 443 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: | ||||
| #      - 80 | ||||
| #      - 443 | ||||
| 
 | ||||
| #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] | ||||
| 
 | ||||
|  |  | |||
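Review bot: The object-form examples in this hunk use the key `network:` (`- network: '127.0.0.1'` and the two `ports:` variants), but the parser this commit adds reads `ip` (`PrivateNetworkSource = string | { ip?: string, ports?: number[] }` and the `else if (e.ip)` branch of `parsePrivateNetworks`), so an entry copied from this example is logged as "Skipping invalid entry in allowedPrivateNetworks" and dropped. That fails closed and does not widen the private-network exception, but an operator who follows the port-restricted example gets no allowance at all and only a console warning to explain why. Either rename the key in all four object examples to `ip` (`- ip: '127.0.0.1'`) or accept `network` in the type and parser; the former is the smaller change. The comment on the `/24` entry is also misleading as written and would read better as `# Allow connections to any host in 127.0.0.0/24 on any port`, since the prefix applies to the network, not to 127.0.0.1 specifically.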
|  | @ -269,9 +269,27 @@ proxyRemoteFiles: true | |||
| # Sign to ActivityPub GET request (default: true) | ||||
| signToActivityPubGet: true | ||||
| 
 | ||||
| allowedPrivateNetworks: [ | ||||
|   '127.0.0.1/32' | ||||
| ] | ||||
| # For security reasons, uploading attachments from the intranet is prohibited, | ||||
| # but exceptions can be made from the following settings. Default value is "undefined". | ||||
| # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). | ||||
| # Some example configurations: | ||||
| allowedPrivateNetworks: | ||||
|   # Allow connections to 127.0.0.1 on any port | ||||
|   - '127.0.0.1/32' | ||||
| #  # Allow connections to 127.0.0.* on any port | ||||
| #  - '127.0.0.1/24' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - network: '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on port 80 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: [80] | ||||
| #  # Allow connections to 127.0.0.1 on port 80 or 443 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: | ||||
| #      - 80 | ||||
| #      - 443 | ||||
| 
 | ||||
| # Disable automatic redirect for ActivityPub object lookup. (default: false) | ||||
| # This is a strong defense against potential impersonation attacks if the viewer instance has inadequate validation. | ||||
|  |  | |||
|  | @ -378,9 +378,24 @@ attachLdSignatureForRelays: true | |||
| # For security reasons, uploading attachments from the intranet is prohibited, | ||||
| # but exceptions can be made from the following settings. Default value is "undefined". | ||||
| # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). | ||||
| #allowedPrivateNetworks: [ | ||||
| #  '127.0.0.1/32' | ||||
| #] | ||||
| # Some example configurations: | ||||
| #allowedPrivateNetworks: | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1/32' | ||||
| #  # Allow connections to 127.0.0.* on any port | ||||
| #  - '127.0.0.1/24' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - network: '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on port 80 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: [80] | ||||
| #  # Allow connections to 127.0.0.1 on port 80 or 443 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: | ||||
| #      - 80 | ||||
| #      - 443 | ||||
| 
 | ||||
| #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] | ||||
| 
 | ||||
|  |  | |||
|  | @ -381,9 +381,24 @@ attachLdSignatureForRelays: true | |||
| # For security reasons, uploading attachments from the intranet is prohibited, | ||||
| # but exceptions can be made from the following settings. Default value is "undefined". | ||||
| # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). | ||||
| #allowedPrivateNetworks: [ | ||||
| #  '127.0.0.1/32' | ||||
| #] | ||||
| # Some example configurations: | ||||
| #allowedPrivateNetworks: | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1/32' | ||||
| #  # Allow connections to 127.0.0.* on any port | ||||
| #  - '127.0.0.1/24' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on any port | ||||
| #  - network: '127.0.0.1' | ||||
| #  # Allow connections to 127.0.0.1 on port 80 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: [80] | ||||
| #  # Allow connections to 127.0.0.1 on port 80 or 443 | ||||
| #  - network: '127.0.0.1' | ||||
| #    ports: | ||||
| #      - 80 | ||||
| #      - 443 | ||||
| 
 | ||||
| #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] | ||||
| 
 | ||||
|  |  | |||
|  | @ -84,7 +84,7 @@ type Source = { | |||
| 	proxySmtp?: string; | ||||
| 	proxyBypassHosts?: string[]; | ||||
| 
 | ||||
| 	allowedPrivateNetworks?: string[]; | ||||
| 	allowedPrivateNetworks?: PrivateNetworkSource[]; | ||||
| 	disallowExternalApRedirect?: boolean; | ||||
| 
 | ||||
| 	maxFileSize?: number; | ||||
|  | @ -154,11 +154,13 @@ type Source = { | |||
| 	} | ||||
| }; | ||||
| 
 | ||||
| export type PrivateNetworkSource = string | { ip?: string, ports?: number[] }; | ||||
| 
 | ||||
| export type PrivateNetwork = { | ||||
| 	/** | ||||
| 	 * CIDR IP/netmask definition of the IP range to match. | ||||
| 	 */ | ||||
| 	cidr: [ip: IPv4 | IPv6, mask: number]; | ||||
| 	cidr: CIDR; | ||||
| 
 | ||||
| 	/** | ||||
| 	 * List of ports to match. | ||||
|  | @ -168,17 +170,41 @@ export type PrivateNetwork = { | |||
| 	ports?: number[]; | ||||
| }; | ||||
| 
 | ||||
| export function parsePrivateNetworks(patterns: string[]): PrivateNetwork[]; | ||||
| export type CIDR = [ip: IPv4 | IPv6, mask: number]; | ||||
| 
 | ||||
| export function parsePrivateNetworks(patterns: PrivateNetworkSource[]): PrivateNetwork[]; | ||||
| export function parsePrivateNetworks(patterns: undefined): undefined; | ||||
| export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined; | ||||
| export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined { | ||||
| 	return patterns?.map(e => { | ||||
| 		const [ip, ports] = e.split('#') as [string, ...(string | undefined)[]]; | ||||
| 		return { | ||||
| 			cidr: ipaddr.parseCIDR(ip), | ||||
| 			ports: ports?.split(',').map(p => parseInt(p)), | ||||
| 		}; | ||||
| 	}); | ||||
| export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined; | ||||
| export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined { | ||||
| 	if (!patterns) return undefined; | ||||
| 	return patterns | ||||
| 		.map(e => { | ||||
| 			if (typeof(e) === 'string') { | ||||
| 				const cidr = parseIpOrMask(e); | ||||
| 				if (cidr) { | ||||
| 					return { cidr } satisfies PrivateNetwork; | ||||
| 				} | ||||
| 			} else if (e.ip) { | ||||
| 				const cidr = parseIpOrMask(e.ip); | ||||
| 				if (cidr) { | ||||
| 					return { cidr, ports: e.ports } satisfies PrivateNetwork; | ||||
| 				} | ||||
| 			} | ||||
| 
 | ||||
| 			console.warn('[config] Skipping invalid entry in allowedPrivateNetworks: ', e); | ||||
| 			return null; | ||||
| 		}) | ||||
| 		.filter(p => p != null); | ||||
| } | ||||
| 
 | ||||
| function parseIpOrMask(ipOrMask: string): CIDR | null { | ||||
| 	if (ipaddr.isValidCIDR(ipOrMask)) { | ||||
| 		return ipaddr.parseCIDR(ipOrMask); | ||||
| 	} | ||||
| 	if (ipaddr.isValid(ipOrMask)) { | ||||
| 		return ipaddr.parseCIDR(ipOrMask); | ||||
| 	} | ||||
| 	return null; | ||||
| } | ||||
| 
 | ||||
| export type Config = { | ||||
|  |  | |||
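Review bot: The second branch of `parseIpOrMask` (`if (ipaddr.isValid(ipOrMask)) { return ipaddr.parseCIDR(ipOrMask); }`) hands a bare address with no `/prefix` to `parseCIDR`, which per ipaddr.js's documented behaviour throws on input not formatted as a CIDR range instead of returning an `[ip, mask]` pair — worth confirming against the version pinned here, but if so the documented `'127.0.0.1'` and `ip:` forms abort config loading rather than being accepted. Build the pair explicitly in that branch: `const addr = ipaddr.parse(ipOrMask);` `return [addr, addr.kind() === 'ipv6' ? 128 : 32];`. Separately, the example configs added in this commit spell the object key `network:` while the type and the `else if (e.ip)` check read `ip`, so those examples fall through to the warning at the end of the map callback and are skipped; one side should be changed to agree. `e.ports` is also forwarded with no runtime check, and since this list is the sole exception to the private-network upload block it would be safer to reject an entry whose ports are not finite integers in 1–65535 than to rely on the `satisfies` annotation, which is compile-time only.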