
Explicit CloudFlare support; ban by country

pull/126/head
Lal'C Mellk Mal 3 years ago
parent
commit
78b22cf821
6 changed files with 28 additions and 8 deletions
  1. +2
    -1
      README.md
  2. +4
    -1
      config.js.example
  3. +5
    -0
      server/caps.js
  4. +4
    -3
      server/okyaku.js
  5. +7
    -2
      server/server.js
  6. +6
    -1
      server/web.js

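--- a/README.md
+++ b/README.md
@@ -19,7 +19,8 @@ Production:
 * Have your webserver serve www/ (or wherever you've moved src, thumb, etc.)
 - Configure `imager.config.MEDIA_URL` appropriately
 - Then turn off `SERVE_STATIC_FILES` and `SERVE_IMAGES`
-* If you're behind a reverse proxy (CF, etc) turn on `TRUST_X_FORWARDED_FOR`
+* If you're behind Cloudflare turn on `CLOUDFLARE`
+- Or if you're behind any reverse proxy (nginx etc) turn on `TRUST_X_FORWARDED_FOR`
 * Run `node server/server.js` for just the server
 * You can update client code & hot.js on-the-fly with `node server/kill.js`
 * For nginx hosting/reverse proxying, refer to docs/nginx.conf.example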


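--- a/config.js.example
+++ b/config.js.example
@@ -4,7 +4,6 @@ var config = {
 DEBUG: true,
 SECURE_SALT: "LALALALALALALALA", /* [A-Za-z0-9./]{16} */
 SOCKET_PATH: '/hana',
-TRUST_X_FORWARDED_FOR: false,
 SERVE_STATIC_FILES: true,
 SERVE_IMAGES: true,
 GZIP: false, /* not preferred; use nginx (or other)'s gzipping */
@@ -13,6 +12,10 @@ var config = {
 REDIS_PORT: 6379,
 READ_ONLY: false,
 
+TRUST_X_FORWARDED_FOR: false,
+CLOUDFLARE: false,
+RESTRICTED_COUNTRIES: ['T1'], /* cloudflare only; T1 = Tor */
+
 BOARDS: ['moe', 'gar', 'tea', 'meta', 'archive', 'staff'],
 DEFAULT_BOARD: 'moe',
 GAME_BOARDS: ['moe', 'archive'],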


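--- a/server/caps.js
+++ b/server/caps.js
@@ -183,6 +183,11 @@ function parse_suspensions(suspensions) {
 
 exports.lookup_ident = function (ip, country) {
 var ident = {ip: ip, readOnly: config.READ_ONLY};
+if (country
+&& config.RESTRICTED_COUNTRIES
+&& config.RESTRICTED_COUNTRIES.indexOf(country) >= 0) {
+ident.readOnly = true;
+}
 var num = parse_ip(ip).num;
 var ban = range_lookup(RANGES.bans, num);
 if (ban) {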
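Review bot: `lookup_ident` gained a second parameter with no comment on where it comes from or what an absent value means; as written, an undefined `country` or an unset `RESTRICTED_COUNTRIES` skips the check, so the restriction fails open. I would add above the `if`: `// country: optional code supplied by the proxy (cf-ipcountry); when absent, no country restriction is applied`. The match is an exact `indexOf`, so entries in `RESTRICTED_COUNTRIES` must use the same case the header carries. The function body continues past the end of the hunk.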


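--- a/server/okyaku.js
+++ b/server/okyaku.js
@@ -8,13 +8,14 @@ var caps = require('./caps'),
 
 var dispatcher = exports.dispatcher = {};
 
-function Okyaku(socket, ip) {
+function Okyaku(socket, ip, country) {
 events.EventEmitter.call(this);
 
 this.socket = socket;
-this.ident = caps.lookup_ident(ip);
+this.ident = caps.lookup_ident(ip, country);
 this.watching = {};
 this.ip = ip;
+this.country = country;
 
 var clients = STATE.clientsByIP[ip];
 if (clients)
@@ -157,10 +158,10 @@ OK.finish_post = function (callback) {
 
 exports.scan_client_caps = function () {
 for (var ip in STATE.clientsByIP) {
-var ident = caps.lookup_ident(ip);
 STATE.clientsByIP[ip].forEach(function (okyaku) {
 if (!okyaku.id || !okyaku.board)
 return;
+var ident = caps.lookup_ident(ip, okyaku.country);
 if (ident.timeout) {
 okyaku.blackhole = true;
 return;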


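--- a/server/server.js
+++ b/server/server.js
@@ -1104,14 +1104,19 @@ function start_server() {
 
 sockJs.on('connection', function (socket) {
 var ip = socket.remoteAddress;
+var country;
 if (config.TRUST_X_FORWARDED_FOR) {
 var ff = web.parse_forwarded_for(
 socket.headers['x-forwarded-for']);
 if (ff)
 ip = ff;
 }
-
-var client = new okyaku.Okyaku(socket, ip);
+if (!ip) {
+winston.warn('no ip from ' + socket);
+socket.close();
+return;
+}
+var client = new okyaku.Okyaku(socket, ip, country);
 socket.on('data', client.on_message.bind(client));
 socket.on('close', client.on_close.bind(client));
 });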
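Review bot: `country` is declared in the connection handler but nothing in the visible hunk assigns it, so `new okyaku.Okyaku(socket, ip, country)` always passes `undefined` and `RESTRICTED_COUNTRIES` is never applied to socket clients; the stored `okyaku.country` that `scan_client_caps` in server/okyaku.js re-checks is the same `undefined`. `config.CLOUDFLARE` is not consulted here either, so with only that flag set (as the README now suggests) `ip` stays `socket.remoteAddress`, presumably the proxy's address, and bans would be keyed on it. If the SockJS socket exposes the Cloudflare headers, mirror web.js with `if (config.CLOUDFLARE) { ip = socket.headers['cf-connecting-ip'] || ip; country = socket.headers['cf-ipcountry']; }`; if it does not, say in a comment that the country restriction covers HTTP requests only.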


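--- a/server/web.js
+++ b/server/web.js
@@ -19,15 +19,20 @@ var resources = [];
 
 var server = require('http').createServer(function (req, resp) {
 var ip = req.connection.remoteAddress;
+var country;
 if (config.TRUST_X_FORWARDED_FOR)
 ip = parse_forwarded_for(req.headers['x-forwarded-for']) || ip;
+if (config.CLOUDFLARE) {
+ip = req.headers['cf-connecting-ip'] || ip;
+country = req.headers['cf-ipcountry'];
+}
 if (!ip) {
 resp.writeHead(500, {'Content-Type': 'text/plain'});
 resp.end("Your IP could not be determined. "
 + "This server is misconfigured.");
 return;
 }
-req.ident = caps.lookup_ident(ip);
+req.ident = caps.lookup_ident(ip, country);
 if (req.ident.timeout)
 return timeout(resp);
 if (req.ident.ban)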
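Review bot: With `CLOUDFLARE` on, `cf-connecting-ip` and `cf-ipcountry` are taken from the request as-is, so they are only as trustworthy as the network path: if the origin is reachable without going through Cloudflare, any client can supply both headers and thereby choose the address that bans and timeouts are keyed on and the country that `RESTRICTED_COUNTRIES` is checked against. Nothing in the hunk checks that `req.connection.remoteAddress` is a Cloudflare edge, so I would either gate the override on that or state the deployment requirement next to it, e.g. `// cf-* headers are client-controlled unless the origin only accepts connections from Cloudflare`. A request with no `cf-ipcountry` also leaves `country` undefined, which `lookup_ident` treats as unrestricted. The request handler continues past the end of the hunk.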

