From 9053f092bdd27ceb123046740406105fd639c13a Mon Sep 17 00:00:00 2001
From: Alex Bowers
Date: Wed, 7 Apr 2021 17:59:00 +0100
Subject: [PATCH 1/2] Update middleware.go
Before these changes, compiling myself I would get:
```
go: downloading github.com/throttled/throttled v1.0.0
go: downloading github.com/throttled/throttled/v2 v2.7.1
go: downloading github.com/throttled/throttled v2.2.5+incompatible
go get: gopkg.in/throttled/throttled.v2@v2.0.3 updating to gopkg.in/throttled/throttled.v2@v2.7.1: parsing go.mod: module declares its path as: github.com/throttled/throttled/v2 but was required as: gopkg.in/throttled/throttled.v2
```
---
 middleware.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/middleware.go b/middleware.go
index 11a15dbd..9b663a96 100644
--- a/middleware.go
+++ b/middleware.go
@@ -11,8 +11,8 @@ import (
 "github.com/h2non/bimg"
 "github.com/rs/cors"
- "gopkg.in/throttled/throttled.v2"
- "gopkg.in/throttled/throttled.v2/store/memstore"
+ "github.com/throttled/throttled/v2"
+ "github.com/throttled/throttled/v2/store/memstore"
 )
 func Middleware(fn func(http.ResponseWriter, *http.Request), o ServerOptions) http.Handler {
From c21a15f848aa85f39d853813721265a2702d100f Mon Sep 17 00:00:00 2001
From: Alex Bowers
Date: Thu, 8 Apr 2021 14:36:38 +0100
Subject: [PATCH 2/2] Support -insecure for URL source
---
 go.mod | 8 ++++----
 go.sum | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 imaginary.go | 5 +++++
 server.go | 5 +++--
 source.go | 30 ++++++++++++++++--------------
 source_http.go | 5 +++++
 6 files changed, 88 insertions(+), 20 deletions(-)
diff --git a/go.mod b/go.mod
index bef0cbe8..ca0808e1 100644
--- a/go.mod
+++ b/go.mod
@@ -4,9 +4,9 @@ go 1.12
 require (
 github.com/garyburd/redigo v1.6.0 // indirect
- github.com/hashicorp/golang-lru v0.0.0-20160813221303-0a025b7e63ad // indirect
- github.com/rs/cors v0.0.0-20170727213201-7af7a1e09ba3
- github.com/h2non/bimg v1.1.4
- github.com/h2non/filetype v1.1.0
+ github.com/h2non/bimg v1.1.5
+ github.com/h2non/filetype v1.1.1
+ github.com/rs/cors v1.7.0
+ github.com/throttled/throttled/v2 v2.7.1
 gopkg.in/throttled/throttled.v2 v2.0.3
 )
diff --git a/go.sum b/go.sum
index 8878a4e2..29b179a8 100644
--- a/go.sum
+++ b/go.sum
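Review bot: The `require` block still carries `gopkg.in/throttled/throttled.v2 v2.0.3` as an unchanged line, even though `github.com/throttled/throttled/v2 v2.7.1` is added next to it and the first patch in this series moved middleware.go to the new import path. If nothing else in the module imports the gopkg.in path, this leaves a second, older copy of the rate-limiting library in the dependency graph to track for advisories; running `go mod tidy` would drop it and prune the matching go.sum entries. Whether other files still import the old path is not visible in this patch.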
@@ -1,13 +1,68 @@ +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/garyburd/redigo v1.6.0/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= +github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/h2non/bimg v1.1.2 h1:J75W2eM5FT0KjcwsL2aiy1Ilu0Xy0ENb0sU+HHUJAvw= github.com/h2non/bimg v1.1.2/go.mod h1:R3+UiYwkK4rQl6KVFTOFJHitgLbZXBZNFh2cv3AEbp8= github.com/h2non/bimg v1.1.4 h1:6qf7qDo3d9axbNUOcSoQmzleBCMTcQ1PwF3FgGhX4O0= github.com/h2non/bimg v1.1.4/go.mod h1:R3+UiYwkK4rQl6KVFTOFJHitgLbZXBZNFh2cv3AEbp8= +github.com/h2non/bimg v1.1.5 h1:o3xsUBxM8s7+e7PmpiWIkEYdeYayJ94eh4cJLx67m1k= +github.com/h2non/bimg v1.1.5/go.mod h1:R3+UiYwkK4rQl6KVFTOFJHitgLbZXBZNFh2cv3AEbp8= github.com/h2non/filetype v1.1.0 
h1:Or/gjocJrJRNK/Cri/TDEKFjAR+cfG6eK65NGYB6gBA= github.com/h2non/filetype v1.1.0/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= +github.com/h2non/filetype v1.1.1 h1:xvOwnXKAckvtLWsN398qS9QhlxlnVXBjXBydK2/UFB4= +github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= github.com/hashicorp/golang-lru v0.0.0-20160813221303-0a025b7e63ad h1:eMxs9EL0PvIGS9TTtxg4R+JxuPGav82J8rA+GFnY7po= github.com/hashicorp/golang-lru v0.0.0-20160813221303-0a025b7e63ad/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/rs/cors v0.0.0-20170727213201-7af7a1e09ba3 h1:86ukAHRTa2CXdBnWJHcjjPPGTyLGEF488OFRsbBAuFs= github.com/rs/cors v0.0.0-20170727213201-7af7a1e09ba3/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/throttled/throttled v2.2.5+incompatible h1:65UB52X0qNTYiT0Sohp8qLYVFwZQPDw85uSa65OljjQ= +github.com/throttled/throttled/v2 v2.7.1 h1:FnBysDX4Sok55bvfDMI0l2Y71V1vM2wi7O79OW7fNtw= +github.com/throttled/throttled/v2 v2.7.1/go.mod h1:fuOeyK9fmnA+LQnsBbfT/mmPHjmkdogRBQxaD8YsgZ8= +golang.org/x/crypto 
v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/throttled/throttled.v2 v2.0.3 h1:PGm7nfjjexecEyI2knw1akeLcrjzqxuYSU9a04R8rfU= gopkg.in/throttled/throttled.v2 v2.0.3/go.mod h1:L4cTNZO77XKEXtn8HNFRCMNGZPtRRKAhyuJBSvK/T90= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/imaginary.go b/imaginary.go
index 75ecec56..1c420234 100644
--- a/imaginary.go
+++ b/imaginary.go
@@ -28,6 +28,7 @@ var (
 aGzip = flag.Bool("gzip", false, "Enable gzip compression (deprecated)")
 aAuthForwarding = flag.Bool("enable-auth-forwarding", false, "Forwards X-Forward-Authorization or Authorization header to the image source server. -enable-url-source flag must be defined. Tip: secure your server from public access to prevent attack vectors")
 aEnableURLSource = flag.Bool("enable-url-source", false, "Enable remote HTTP URL image source processing")
+ aAllowInsecureSSL = flag.Bool("insecure", false, "Allow connections to endpoints with insecure SSL certificates. -enable-url-source flag must be defined. Note: Should only be used in development.")
 aEnablePlaceholder = flag.Bool("enable-placeholder", false, "Enable image response placeholder to be used in case of error")
 aEnableURLSignature = flag.Bool("enable-url-signature", false, "Enable URL signature (URL-safe Base64-encoded HMAC digest)")
 aURLSignatureKey = flag.String("url-signature-key", "", "The URL signature key (32 characters minimum)")
@@ -87,6 +88,9 @@ Options:
 -http-read-timeout HTTP read timeout in seconds [default: 30]
 -http-write-timeout HTTP write timeout in seconds [default: 30]
 -enable-url-source Enable remote HTTP URL image source processing
+ -insecure Allow connections to endpoints with insecure SSL certificates.
+ -enable-url-source flag must be defined.
+ Note: Should only be used in development.
 -enable-placeholder Enable image response placeholder to be used in case of error [default: false]
 -enable-auth-forwarding Forwards X-Forward-Authorization or Authorization header to the image source server. -enable-url-source flag must be defined. Tip: secure your server from public access to prevent attack vectors
 -forward-headers Forwards custom headers to the image source server. -enable-url-source flag must be defined.
@@ -137,6 +141,7 @@ func main() {
 CORS: *aCors,
 AuthForwarding: *aAuthForwarding,
 EnableURLSource: *aEnableURLSource,
+ AllowInsecureSSL: *aAllowInsecureSSL,
 EnablePlaceholder: *aEnablePlaceholder,
 EnableURLSignature: *aEnableURLSignature,
 URLSignatureKey: urlSignature.Key,
diff --git a/server.go b/server.go
index e99c1f53..2989e4e0 100644
--- a/server.go
+++ b/server.go
@@ -2,15 +2,15 @@ package main
 import (
 "context"
+ "log"
 "net/http"
 "net/url"
- "log"
 "os"
 "os/signal"
- "syscall"
 "path"
 "strconv"
 "strings"
+ "syscall"
 "time"
 )
@@ -26,6 +26,7 @@ type ServerOptions struct {
 Gzip bool // deprecated
 AuthForwarding bool
 EnableURLSource bool
+ AllowInsecureSSL bool
 EnablePlaceholder bool
 EnableURLSignature bool
 URLSignatureKey string
diff --git a/source.go b/source.go
index 572e6aaf..ffd0874a 100644
--- a/source.go
+++ b/source.go
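Review bot: `AllowInsecureSSL: *aAllowInsecureSSL` in the main() hunk is copied into the server options unconditionally, although the flag's own help text says `-enable-url-source` must be defined and that it should only be used in development. The diffstat shows imaginary.go gaining only these five lines, so nothing in this commit rejects `-insecure` without `-enable-url-source` or reports at startup that certificate verification is off. I would add a startup check in main() that refuses `*aAllowInsecureSSL && !*aEnableURLSource` and prints a one-line warning whenever `-insecure` is set, so a deployment that inherits the flag is visible in its logs. main() continues outside the hunk, so the placement should follow whatever flag validation already exists there.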
@@ -9,13 +9,14 @@ type ImageSourceType string
 type ImageSourceFactoryFunction func(*SourceConfig) ImageSource
 type SourceConfig struct {
- AuthForwarding bool
- Authorization string
- MountPath string
- Type ImageSourceType
- ForwardHeaders []string
- AllowedOrigins []*url.URL
- MaxAllowedSize int
+ AuthForwarding bool
+ Authorization string
+ MountPath string
+ Type ImageSourceType
+ ForwardHeaders []string
+ AllowedOrigins []*url.URL
+ MaxAllowedSize int
+ AllowInsecureSSL bool
 }
 var imageSourceMap = make(map[ImageSourceType]ImageSource)
@@ -33,13 +34,14 @@ func RegisterSource(sourceType ImageSourceType, factory ImageSourceFactoryFuncti
 func LoadSources(o ServerOptions) {
 for name, factory := range imageSourceFactoryMap {
 imageSourceMap[name] = factory(&SourceConfig{
- Type: name,
- MountPath: o.Mount,
- AuthForwarding: o.AuthForwarding,
- Authorization: o.Authorization,
- AllowedOrigins: o.AllowedOrigins,
- MaxAllowedSize: o.MaxAllowedSize,
- ForwardHeaders: o.ForwardHeaders,
+ Type: name,
+ MountPath: o.Mount,
+ AuthForwarding: o.AuthForwarding,
+ Authorization: o.Authorization,
+ AllowedOrigins: o.AllowedOrigins,
+ MaxAllowedSize: o.MaxAllowedSize,
+ ForwardHeaders: o.ForwardHeaders,
+ AllowInsecureSSL: o.AllowInsecureSSL,
 })
 }
 }
diff --git a/source_http.go b/source_http.go
index 5bfeeaa3..bb1778f3 100644
--- a/source_http.go
+++ b/source_http.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "crypto/tls"
 "fmt"
 "io/ioutil"
 "net/http"
@@ -113,6 +114,10 @@ func newHTTPRequest(s *HTTPImageSource, ireq *http.Request, method string, url *
 s.setAuthorizationHeader(req, ireq)
 }
+ if s.Config.AllowInsecureSSL {
+ http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec
+ }
+
 return req
 }
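Review bot: The branch added to newHTTPRequest assigns `http.DefaultTransport.(*http.Transport).TLSClientConfig`, which switches off certificate verification for every client in the process that uses the default transport, not only for this image source, and the setting is never restored. The assignment runs on each call, so concurrent requests write the shared transport while others may be using it; the unchecked type assertion panics if DefaultTransport has been replaced, and the fresh `tls.Config` discards any TLS settings already present. Because `s.setAuthorizationHeader(req, ireq)` sits directly above, forwarded credentials can then be sent to an endpoint whose identity was not verified, which is worth stating in the flag's help text. I would build a client private to the HTTP source once, when the source is constructed, and send requests through it; the constructor and the call that sends the request are outside this hunk, so the sketch shows only the helper.

```go
// in newHTTPRequest: drop the http.DefaultTransport assignment entirely

// newSourceClient returns the client the HTTP image source sends through.
// With -insecure it gets a transport of its own, so http.DefaultTransport and
// every other client in the process keep verifying certificates.
// NOTE(review): assumes the source currently uses http.DefaultClient — confirm,
// and mirror whatever dial/response timeouts the existing client relies on.
func newSourceClient(cfg *SourceConfig) *http.Client {
	if !cfg.AllowInsecureSSL {
		return http.DefaultClient
	}
	return &http.Client{
		Transport: &http.Transport{
			Proxy:           http.ProxyFromEnvironment,
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // opt-in via -insecure
		},
	}
}
```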