mirror of
https://github.com/SquidDev-CC/CC-Tweaked
synced 2024-06-26 07:03:22 +00:00
Tighten up the $private HTTP rule
- Block multicast and the fd00::/8 address ranges. - Block several cloud metadata providers which sit outside the standard address ranges.
This commit is contained in:
parent
cc8c1f38e7
commit
4bbde8c50c
|
@ -6,9 +6,13 @@
|
||||||
|
|
||||||
import com.google.common.net.InetAddresses;
|
import com.google.common.net.InetAddresses;
|
||||||
|
|
||||||
|
import java.net.Inet6Address;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Set;
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A predicate on an address. Matches against a domain and an ip address.
|
* A predicate on an address. Matches against a domain and an ip address.
|
||||||
|
@ -107,12 +111,35 @@ public boolean matches(InetAddress socketAddress) {
|
||||||
final class PrivatePattern implements AddressPredicate {
|
final class PrivatePattern implements AddressPredicate {
|
||||||
static final PrivatePattern INSTANCE = new PrivatePattern();
|
static final PrivatePattern INSTANCE = new PrivatePattern();
|
||||||
|
|
||||||
|
private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
|
||||||
|
// Block various cloud providers internal IPs.
|
||||||
|
"100.100.100.200", // Alibaba
|
||||||
|
"192.0.0.192", // Oracle
|
||||||
|
}).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean matches(InetAddress socketAddress) {
|
public boolean matches(InetAddress socketAddress) {
|
||||||
return socketAddress.isAnyLocalAddress()
|
return
|
||||||
|| socketAddress.isLoopbackAddress()
|
socketAddress.isAnyLocalAddress() // 0.0.0.0, ::0
|
||||||
|| socketAddress.isLinkLocalAddress()
|
|| socketAddress.isLoopbackAddress() // 127.0.0.0/8, ::1
|
||||||
|| socketAddress.isSiteLocalAddress();
|
|| socketAddress.isLinkLocalAddress() // 169.254.0.0/16, fe80::/10
|
||||||
|
|| socketAddress.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
|
||||||
|
|| socketAddress.isMulticastAddress() // 224.0.0.0/4, ff00::/8
|
||||||
|
|| isUniqueLocalAddress(socketAddress) // fd00::/8
|
||||||
|
|| additionalAddresses.contains(socketAddress);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if an IP address lives inside the ULA address range.
|
||||||
|
*
|
||||||
|
* @param address The IP address to test.
|
||||||
|
* @return Whether this address sits in the ULA address range.
|
||||||
|
* @see <a href="https://en.wikipedia.org/wiki/Unique_local_address">Unique local address on Wikipedia</a>
|
||||||
|
*/
|
||||||
|
private boolean isUniqueLocalAddress(InetAddress address) {
|
||||||
|
// ULA is actually defined as fc00::/7 (so both fc00::/8 and fd00::/8). However, only the latter is actually
|
||||||
|
// defined right now, so let's be conservative.
|
||||||
|
return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,7 +31,14 @@ public void matchesPort() {
|
||||||
@ValueSource(strings = {
|
@ValueSource(strings = {
|
||||||
"0.0.0.0", "[::]",
|
"0.0.0.0", "[::]",
|
||||||
"localhost", "127.0.0.1.nip.io", "127.0.0.1", "[::1]",
|
"localhost", "127.0.0.1.nip.io", "127.0.0.1", "[::1]",
|
||||||
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1"
|
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
|
||||||
|
// Multicast
|
||||||
|
"224.0.0.1", "ff02::1",
|
||||||
|
// Cloud metadata providers
|
||||||
|
"100.100.100.200", // Alibaba
|
||||||
|
"192.0.0.192", // Oracle
|
||||||
|
"fd00:ec2::254", // AWS
|
||||||
|
"169.254.169.254", // AWS, Digital Ocean, GCP, etc..
|
||||||
})
|
})
|
||||||
public void blocksLocalDomains(String domain) {
|
public void blocksLocalDomains(String domain) {
|
||||||
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
|
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user