Allow whitelisting and blacklisting of http/http2

b31d0e9c · Adam Stankiewicz · ff263567 · b31d0e9c
Commit b31d0e9c authored Apr 10, 2017 by Adam Stankiewicz
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 3 deletions

http.go http.go +14 -3

No files found.
--- a/http.go
+++ b/http.go
@@ -5,14 +5,15 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"errors"
-	"github.com/ginuerzh/pht"
-	"github.com/golang/glog"
-	"golang.org/x/net/http2"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"time"
+	"github.com/ginuerzh/pht"
+	"github.com/golang/glog"
+	"golang.org/x/net/http2"
 )
 type HttpServer struct {
@@ -75,6 +76,11 @@ func (s *HttpServer) HandleRequest(req *http.Request) {
 		return
 	}
+	if !s.Base.Node.Can("tcp", req.Host) {
+		glog.Errorf("Unauthorized to tcp connect to %s", req.Host)
+		return
+	}
 	c, err := s.Base.Chain.Dial(req.Host)
 	if err != nil {
 		glog.V(LWARNING).Infof("[http] %s -> %s : %s", s.conn.RemoteAddr(), req.Host, err)
@@ -184,6 +190,11 @@ func (s *Http2Server) HandleRequest(w http.ResponseWriter, req *http.Request) {
 	w.Header().Set("Proxy-Agent", "gost/"+Version)
+	if !s.Base.Node.Can("tcp", target) {
+		glog.Errorf("Unauthorized to tcp connect to %s", target)
+		return
+	}
 	// HTTP2 as transport
 	if req.Header.Get("Proxy-Switch") == "gost" {
 		conn, err := s.Upgrade(w, req)