Merge pull request #974 from pagespeed/jefftk-handler-restrictions
Add support for blocking access to our handlers.
+12
-6
@@ -1650,23 +1650,29 @@ RequestRouting::Response ps_route_request(ngx_http_request_t* r) {
|
||||
const NgxRewriteOptions* global_options = cfg_s->server_context->config();
|
||||
|
||||
StringPiece path = url.PathSansQuery();
|
||||
if (StringCaseEqual(path, global_options->statistics_path())) {
|
||||
if (StringCaseEqual(path, global_options->statistics_path()) &&
|
||||
global_options->StatisticsAccessAllowed(url)) {
|
||||
return RequestRouting::kStatistics;
|
||||
} else if (StringCaseEqual(path, global_options->global_statistics_path())) {
|
||||
} else if (StringCaseEqual(path, global_options->global_statistics_path()) &&
|
||||
global_options->GlobalStatisticsAccessAllowed(url)) {
|
||||
return RequestRouting::kGlobalStatistics;
|
||||
} else if (StringCaseEqual(path, global_options->console_path())) {
|
||||
} else if (StringCaseEqual(path, global_options->console_path()) &&
|
||||
global_options->ConsoleAccessAllowed(url)) {
|
||||
return RequestRouting::kConsole;
|
||||
} else if (StringCaseEqual(path, global_options->messages_path())) {
|
||||
} else if (StringCaseEqual(path, global_options->messages_path()) &&
|
||||
global_options->MessagesAccessAllowed(url)) {
|
||||
return RequestRouting::kMessages;
|
||||
} else if (
|
||||
// The admin handlers get everything under a path (/path/*) while all the
|
||||
// other handlers only get exact matches (/path). So match all paths
|
||||
// starting with the handler path.
|
||||
!global_options->admin_path().empty() &&
|
||||
StringCaseStartsWith(path, global_options->admin_path())) {
|
||||
StringCaseStartsWith(path, global_options->admin_path()) &&
|
||||
global_options->AdminAccessAllowed(url)) {
|
||||
return RequestRouting::kAdmin;
|
||||
} else if (!global_options->global_admin_path().empty() &&
|
||||
StringCaseStartsWith(path, global_options->global_admin_path())) {
|
||||
StringCaseStartsWith(path, global_options->global_admin_path()) &&
|
||||
global_options->GlobalAdminAccessAllowed(url)) {
|
||||
return RequestRouting::kGlobalAdmin;
|
||||
} else if (global_options->enable_cache_purge() &&
|
||||
!global_options->purge_method().empty() &&
|
||||
|
||||
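Review bot: Each `*AccessAllowed(url)` check is joined with `&&` inside the `else if` chain, so a request that matches a handler path but is refused does not stop there; it continues into the branches below and is routed like any other request. The hunk does not show what response a refused client finally receives, and nothing in it records the refusal, so a comment above the chain would help, for example `// A handler path that fails its *AccessAllowed() check is not routed to the handler; it falls through to the branches below.` The decision is made from `url`, which is built outside the hunk; if its host comes from the request's Host header, these checks limit which virtual hosts expose the handlers and do not authenticate the client, which is worth stating in the same comment. The body of ps_route_request starts and ends outside the hunk.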
@@ -300,6 +300,9 @@ fi
|
||||
|
||||
PSA_JS_LIBRARY_URL_PREFIX="pagespeed_custom_static"
|
||||
BEACON_HANDLER="ngx_pagespeed_beacon"
|
||||
STATISTICS_HANDLER="ngx_pagespeed_statistics"
|
||||
GLOBAL_STATISTICS_HANDLER="ngx_pagespeed_global_statistics"
|
||||
MESSAGES_HANDLER="ngx_pagespeed_message"
|
||||
STATISTICS_URL=http://$PRIMARY_HOSTNAME/ngx_pagespeed_statistics
|
||||
|
||||
# An expected failure can be indicated like: "~In-place resource optimization~"
|
||||
|
||||
@@ -24,6 +24,9 @@ http {
|
||||
'"$http_user_agent"';
|
||||
access_log "@@ACCESS_LOG@@" cache;
|
||||
|
||||
# Don't put entries in the error log for 403s and 404s.
|
||||
log_not_found off;
|
||||
|
||||
proxy_cache_path "@@PROXY_CACHE@@" levels=1:2 keys_zone=htmlcache:60m inactive=90m max_size=50m;
|
||||
proxy_temp_path "@@TMP_PROXY_CACHE@@";
|
||||
|
||||
@@ -816,6 +819,13 @@ http {
|
||||
pagespeed ConsolePath /custom_pagespeed_console;
|
||||
pagespeed MessagesPath /custom_pagespeed_message;
|
||||
pagespeed AdminPath /custom_pagespeed_admin;
|
||||
|
||||
pagespeed StatisticsDomains Allow *;
|
||||
pagespeed GlobalStatisticsDomains Allow *;
|
||||
pagespeed MessagesDomains Allow *;
|
||||
pagespeed ConsoleDomains Allow *;
|
||||
pagespeed AdminDomains Allow *;
|
||||
pagespeed GlobalAdminDomains Allow *;
|
||||
}
|
||||
|
||||
server {
|
||||
@@ -823,6 +833,13 @@ http {
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name inherit-paths.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
|
||||
pagespeed StatisticsDomains Allow *;
|
||||
pagespeed GlobalStatisticsDomains Allow *;
|
||||
pagespeed MessagesDomains Allow *;
|
||||
pagespeed ConsoleDomains Allow *;
|
||||
pagespeed AdminDomains Allow *;
|
||||
pagespeed GlobalAdminDomains Allow *;
|
||||
}
|
||||
|
||||
server {
|
||||
@@ -1336,6 +1353,79 @@ http {
|
||||
}
|
||||
}
|
||||
|
||||
pagespeed MessagesDomains Allow messages-allowed.example.com;
|
||||
pagespeed MessagesDomains Allow cleared-inherited.example.com;
|
||||
pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
|
||||
pagespeed MessagesDomains Allow more-messages-allowed.example.com;
|
||||
pagespeed MessagesDomains Allow anything-*-wildcard.example.com;
|
||||
pagespeed MessagesDomains Allow localhost;
|
||||
|
||||
server {
|
||||
listen @@SECONDARY_PORT@@;
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name messages-allowed.example.com
|
||||
messages-not-allowed.example.com
|
||||
more-messages-allowed.example.com
|
||||
anything-a-wildcard.example.com
|
||||
anything-b-wildcard.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
listen @@SECONDARY_PORT@@;
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name messages-still-not-allowed.example.com
|
||||
but-this-message-allowed.example.com
|
||||
and-this-one.example.com;
|
||||
pagespeed MessagesDomains Allow but-this-message-allowed.example.com;
|
||||
pagespeed MessagesDomains Allow and-this-one.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
listen @@SECONDARY_PORT@@;
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name cleared-inherited.example.com
|
||||
cleared-inherited-reallowed.example.com
|
||||
messages-allowed-at-vhost.example.com
|
||||
messages-not-allowed-at-vhost.example.com
|
||||
anything-c-wildcard.example.com;
|
||||
pagespeed MessagesDomains Disallow *;
|
||||
pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
|
||||
pagespeed MessagesDomains Allow messages-allowed-at-vhost.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
listen @@SECONDARY_PORT@@;
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name cleared-inherited-unlisted.example.com;
|
||||
pagespeed MessagesDomains Allow *;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
server_name nothing-allowed.example.com;
|
||||
pagespeed MessagesDomains Disallow *;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
server_name nothing-explicitly-allowed.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
}
|
||||
server {
|
||||
listen @@SECONDARY_PORT@@;
|
||||
listen [::]:@@SECONDARY_PORT@@;
|
||||
server_name everything-explicitly-allowed.example.com
|
||||
everything-explicitly-allowed-but-aliased.example.com;
|
||||
pagespeed FileCachePath "@@FILE_CACHE@@";
|
||||
|
||||
pagespeed StatisticsDomains Allow everything-explicitly-allowed.example.com;
|
||||
pagespeed GlobalStatisticsDomains
|
||||
Allow everything-explicitly-allowed.example.com;
|
||||
pagespeed MessagesDomains Allow everything-explicitly-allowed.example.com;
|
||||
pagespeed ConsoleDomains Allow everything-explicitly-allowed.example.com;
|
||||
pagespeed AdminDomains Allow everything-explicitly-allowed.example.com;
|
||||
pagespeed GlobalAdminDomains
|
||||
Allow everything-explicitly-allowed.example.com;
|
||||
}
|
||||
|
||||
server {
|
||||
listen @@PRIMARY_PORT@@;
|
||||
listen [::]:@@PRIMARY_PORT@@;
|
||||
|
||||
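Review bot: As rendered here, the `nothing-allowed.example.com` and `nothing-explicitly-allowed.example.com` server blocks in the last hunk have no `listen` directives, while every other server block added in that hunk listens on `@@SECONDARY_PORT@@`. Without `listen`, nginx binds a server block to its default port, so a test request for these names on the secondary port would be answered by that port's default server, and the `MessagesDomains Disallow *` case could pass without being exercised. Adding `listen @@SECONDARY_PORT@@;` and `listen [::]:@@SECONDARY_PORT@@;` to both blocks would make them consistent with their neighbours. The enclosing `http` block starts and ends outside the hunk.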