ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-04 16:33:32 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Add drop_unauthorized parameter to proxy hosts

Browse Source 
drop_unauthorized returns 444 when a client is not authorized as opposed
to 403. It can be used with Client Certificate authorization.
This commit is contained in:
Will Rouesnel
2023-05-29 14:43:11 +10:00
parent f601105776
commit 6cf91a2e70
11 changed files with 85 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/doc/api.swagger.json
View File

@@ -82,6 +82,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "sdfsdfsdf", "advanced_config": "sdfsdfsdf",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@@ -124,6 +125,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "", "advanced_config": "",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@@ -204,6 +206,7 @@
"ssl_forced": 0, "ssl_forced": 0,
"caching_enabled": 0, "caching_enabled": 0,
"block_exploits": 0, "block_exploits": 0,
"drop_unauthorized": 0,
"advanced_config": "", "advanced_config": "",
"meta": { "meta": {
"letsencrypt_agree": false, "letsencrypt_agree": false,
@@ -1117,6 +1120,7 @@
"ssl_forced", "ssl_forced",
"caching_enabled", "caching_enabled",
"block_exploits", "block_exploits",
"drop_unauthorized",
"advanced_config", "advanced_config",
"meta", "meta",
"allow_websocket_upgrade", "allow_websocket_upgrade",
@@ -1184,6 +1188,9 @@
"block_exploits": { "block_exploits": {
"type": "integer" "type": "integer"
}, },
"drop_unauthorized": {
"type": "integer"
},
"advanced_config": { "advanced_config": {
"type": "string" "type": "string"
}, },

8
backend/internal/nginx.js
View File

@@ -153,7 +153,7 @@ const internalNginx = {
const locationRendering = async () => { const locationRendering = async () => {
for (let i = 0; i < host.locations.length; i++) { for (let i = 0; i < host.locations.length; i++) {
let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {drop_unauthorized: host.drop_unauthorized},
{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list}, {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
{certificate: host.certificate}, host.locations[i]); {certificate: host.certificate}, host.locations[i]);
@@ -205,6 +205,12 @@ const internalNginx = {
let origLocations; let origLocations;
// Manipulate the data a bit before sending it to the template // Manipulate the data a bit before sending it to the template
if (typeof host.drop_unauthorized === 'undefined') {
// Only proxy-hosts can have drop_unauthorized, but all hosts share
// the templates.
host.drop_unauthorized = 0;
}
if (nice_host_type !== 'default') { if (nice_host_type !== 'default') {
host.use_default_location = true; host.use_default_location = true;
if (typeof host.advanced_config !== 'undefined' && host.advanced_config) { if (typeof host.advanced_config !== 'undefined' && host.advanced_config) {

39
backend/migrations/20230529030411_add_drop_unauthorized_to_proxyhosts.js Normal file
View File

@@ -0,0 +1,39 @@
const migrate_name = 'drop_unauthorized';
const logger = require('../logger').migrate;
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Up...');
return knex.schema.table('proxy_host', function(proxy_host) {
proxy_host.integer('drop_unauthorized').notNull().unsigned().defaultTo(0);
}).then(() =>{
logger.info('[' + migrate_name + '] Migrating Up Complete');
});
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex/*, Promise*/) {
logger.info('[' + migrate_name + '] Migrating Down...');
return knex.schema.table('proxy_host', function(proxy_host) {
proxy_host.dropColumn('drop_unauthorized');
}).then(() =>{
logger.info('[' + migrate_name + '] Migrating Up Complete');
});
};

5
backend/schema/definitions.json
View File

@@ -231,6 +231,11 @@
"example": true, "example": true,
"type": "boolean" "type": "boolean"
}, },
"drop_unauthorized": {
"description": "Close TCP connection with no response when authorization fails",
"example": true,
"type": "boolean"
},
"caching_enabled": { "caching_enabled": {
"description": "Should we cache assets", "description": "Should we cache assets",
"example": true, "example": true,

12
backend/schema/endpoints/proxy-hosts.json
View File

@@ -50,6 +50,9 @@
"block_exploits": { "block_exploits": {
"$ref": "../definitions.json#/definitions/block_exploits" "$ref": "../definitions.json#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "../definitions.json#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "../definitions.json#/definitions/caching_enabled" "$ref": "../definitions.json#/definitions/caching_enabled"
}, },
@@ -149,6 +152,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },
@@ -239,6 +245,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },
@@ -312,6 +321,9 @@
"block_exploits": { "block_exploits": {
"$ref": "#/definitions/block_exploits" "$ref": "#/definitions/block_exploits"
}, },
"drop_unauthorized": {
"$ref": "#/definitions/drop_unauthorized"
},
"caching_enabled": { "caching_enabled": {
"$ref": "#/definitions/caching_enabled" "$ref": "#/definitions/caching_enabled"
}, },

2
backend/templates/_access.conf
View File

@@ -2,7 +2,7 @@
{% if access_list.clientcas.size > 0 %} {% if access_list.clientcas.size > 0 %}
# TLS Client Certificate Authorization # TLS Client Certificate Authorization
if ($ssl_client_verify != "SUCCESS") { if ($ssl_client_verify != "SUCCESS") {
return 403; return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
} }
{% endif %} {% endif %}
{% if access_list.items.length > 0 %} {% if access_list.items.length > 0 %}

12
frontend/js/app/nginx/proxy/form.ejs
View File

@@ -72,7 +72,7 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-12 col-md-12"> <div class="col-sm-6 col-md-6">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>> <input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
@@ -81,7 +81,15 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="drop_unauthorized" value="1"<%- drop_unauthorized ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'drop-unauthorized') %></span>
</label>
</div>
</div>
<div class="col-sm-12 col-md-12"> <div class="col-sm-12 col-md-12">
<div class="form-group"> <div class="form-group">
<label class="form-label"><%- i18n('proxy-hosts', 'access-list') %></label> <label class="form-label"><%- i18n('proxy-hosts', 'access-list') %></label>

1
frontend/js/app/nginx/proxy/form.js
View File

@@ -161,6 +161,7 @@ module.exports = Mn.View.extend({
// Manipulate // Manipulate
data.forward_port = parseInt(data.forward_port, 10); data.forward_port = parseInt(data.forward_port, 10);
data.block_exploits = !!data.block_exploits; data.block_exploits = !!data.block_exploits;
data.drop_unauthorized = !!data.drop_unauthorized;
data.caching_enabled = !!data.caching_enabled; data.caching_enabled = !!data.caching_enabled;
data.allow_websocket_upgrade = !!data.allow_websocket_upgrade; data.allow_websocket_upgrade = !!data.allow_websocket_upgrade;
data.http2_support = !!data.http2_support; data.http2_support = !!data.http2_support;

1
frontend/js/i18n/messages.json
View File

@@ -75,6 +75,7 @@
"domain-names": "Domain Names", "domain-names": "Domain Names",
"cert-provider": "Certificate Provider", "cert-provider": "Certificate Provider",
"block-exploits": "Block Common Exploits", "block-exploits": "Block Common Exploits",
"drop-unauthorized": "Drop Unauthorized (444)",
"caching-enabled": "Cache Assets", "caching-enabled": "Cache Assets",
"ssl-certificate": "SSL Certificate", "ssl-certificate": "SSL Certificate",
"none": "None", "none": "None",

1
frontend/js/models/proxy-host.js
View File

@@ -20,6 +20,7 @@ const model = Backbone.Model.extend({
caching_enabled: false, caching_enabled: false,
allow_websocket_upgrade: false, allow_websocket_upgrade: false,
block_exploits: false, block_exploits: false,
drop_unauthorized: false,
http2_support: false, http2_support: false,
advanced_config: '', advanced_config: '',
enabled: true, enabled: true,

1
test/cypress/integration/api/Hosts.spec.js
View File

@@ -27,6 +27,7 @@ describe('Hosts endpoints', () => {
advanced_config: '', advanced_config: '',
locations: [], locations: [],
block_exploits: false, block_exploits: false,
drop_unauthorized: false,
caching_enabled: false, caching_enabled: false,
allow_websocket_upgrade: false, allow_websocket_upgrade: false,
http2_support: false, http2_support: false,