diff --git a/command/serve.go b/command/serve.go
index 2869544..d1667b7 100644
--- a/command/serve.go
+++ b/command/serve.go
@@ -151,11 +151,42 @@ func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 log.Debug().Str("remote_addr", r.RemoteAddr).Str("method", r.Method).Str("path", r.URL.Path).Msg("incoming request")
 mr, ok := containerMethodRegex["*"]
 if ok {
- if err := checkMethodPath(r, mr); err != nil {
- handleError(w, err)
- log.Err(err).Send()
+ var req *regexp.Regexp
+ req, ok = mr[r.Method]
+ if !ok {
+ log.Error().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "denied").
+ Msg("this HTTP method is not in the list of those authorized for this container")
+ http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
 return
 }
+ if !req.MatchString(r.URL.Path) {
+ log.Error().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "denied").
+ Msg("this path does not match any regular expression for this HTTP method")
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
+ log.Info().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "authorized").
+ Msg("incoming request matches a registered regular expression")
+ return
+ /*
+ if err := checkMethodPath(r, mr); err != nil {
+ handleError(w, err)
+ log.Err(err).Send()
+ return
+ }
+ */
 } else {
 var (
 containerName string
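Review bot: In the `"*"` branch a request that passes both checks is logged with `decision=authorized` and then the handler returns without calling `ph.rp.ServeHTTP(w, r)`, so the caller receives an empty 200 and the request is never forwarded — the per-container branch in the next hunk calls the proxy right after its authorized log. Unless forwarding happens after the if/else outside this hunk (and the explicit `return` added here would skip that anyway), add `ph.rp.ServeHTTP(w, r)` before that `return`. The superseded `checkMethodPath` call is kept in a `/* */` block here and again in the next hunk; delete both rather than carry dead code, the history is in git. ServeHTTP begins in this hunk's header context and continues past the end of the hunk.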
@@ -165,19 +196,45 @@ func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 for containerName, mr = range containerMethodRegex {
 resolvedIPs, err := net.LookupIP(containerName)
 if err != nil {
- log.Warn().Err(err).Msg("this error may be transient due to the unavailability of one of the services")
+ // log.Warn().Err(err).Msg("this error may be transient due to the unavailability of one of the services")
+ continue
 }
 for _, resolvedIP := range resolvedIPs {
 if resolvedIP.Equal(ip) {
- if err = checkMethodPath(r, mr); err != nil {
- handleError(w, err)
- log.Err(err).Send()
+ var req *regexp.Regexp
+ req, ok = mr[r.Method]
+ if !ok {
+ log.Error().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "denied").
+ Msg("this HTTP method is not in the list of those authorized for this container")
+ http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
 return
 }
+ if !req.MatchString(r.URL.Path) {
+ log.Error().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "denied").
+ Msg("this path does not match any regular expression for this HTTP method")
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
+ /*
+ if err = checkMethodPath(r, mr); err != nil {
+ handleError(w, err)
+ log.Err(err).Send()
+ return
+ }
+ */
 log.Info().
 Str("remote_addr", r.RemoteAddr).
 Str("method", r.Method).
 Str("path", r.URL.Path).
+ Str("decision", "authorized").
 Str("from", containerName).
 Msg("incoming request matches a registered regular expression")
 ph.rp.ServeHTTP(w, r)
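Review bot: The `net.LookupIP` error branch now discards the error (the Warn is commented out) and `continue`s, so when the loop falls through to the 503 in the last hunk the log no longer says which container name failed to resolve, and nothing distinguishes a resolver outage from a caller that matches no container. Keep a record here, e.g. `log.Warn().Err(err).Str("container", containerName).Msg("name lookup failed")` (Debug level if it is too noisy), and remove the commented-out line. The method and path checks in this hunk repeat the `"*"` branch line for line; a helper such as `func authorize(w http.ResponseWriter, r *http.Request, mr map[string]*regexp.Regexp) bool` would keep both paths, their log fields and their status codes in step. ServeHTTP starts before and ends after this hunk.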
@@ -185,9 +242,15 @@ func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }
 }
- http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
- return
 }
+ log.Warn().
+ Str("remote_addr", r.RemoteAddr).
+ Str("method", r.Method).
+ Str("path", r.URL.Path).
+ Str("decision", "denied").
+ Msg("this error may be transient due to the unavailability of one of the services")
+ http.Error(w, http.StatusText(http.StatusServiceUnavailable), http.StatusServiceUnavailable)
+ return
 }
 // checkMethodPath executes the regular expression on the path of the HTTP request if and only if
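Review bot: A request whose source IP matches none of the registered containers — including one from a host that was never registered at all — is now answered 503 Service Unavailable with a "may be transient" message, where the removed lines answered 403 Forbidden. That tells the caller, and any load balancer or retrying client in front of this proxy, that the service is down rather than that the request was rejected, and the log line carries `decision=denied` under a message describing an outage. Only the lookup failures in the previous hunk are transient; record them with a flag set where that loop `continue`s, declare it next to the loop inside the else block, and decide after the loop where the removed 403 lines stood, keeping 403 for the plain no-match case. The loop that sets the flag begins in the previous hunk.
```go
		// … unchanged: for containerName, mr = range containerMethodRegex { … } — the
		// net.LookupIP error branch sets lookupFailed = true before it continues …
		if lookupFailed {
			log.Warn().
				Str("remote_addr", r.RemoteAddr).
				Str("method", r.Method).
				Str("path", r.URL.Path).
				Str("decision", "denied").
				Msg("this error may be transient due to the unavailability of one of the services")
			http.Error(w, http.StatusText(http.StatusServiceUnavailable), http.StatusServiceUnavailable)
			return
		}
		log.Warn().
			Str("remote_addr", r.RemoteAddr).
			Str("method", r.Method).
			Str("path", r.URL.Path).
			Str("decision", "denied").
			Msg("source address does not match any registered container")
		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		return
```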