pages-server/server/handler/handler.go

package handler

import (
	"net/http"
	"strings"

	"github.com/rs/zerolog/log"

	"codeberg.org/codeberg/pages/html"
	"codeberg.org/codeberg/pages/server/cache"
	"codeberg.org/codeberg/pages/server/context"
	"codeberg.org/codeberg/pages/server/gitea"
	"codeberg.org/codeberg/pages/server/version"
)

const (
	headerAccessControlAllowOrigin  = "Access-Control-Allow-Origin"
	headerAccessControlAllowMethods = "Access-Control-Allow-Methods"
)

// Handler handles a single HTTP request to the web server.
func Handler(mainDomainSuffix, rawDomain string,
	giteaClient *gitea.Client,
	rawInfoPage string,
	blacklistedPaths, allowedCorsDomains []string,
	dnsLookupCache, canonicalDomainCache cache.SetGetKey,
) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		log := log.With().Strs("Handler", []string{string(req.Host), req.RequestURI}).Logger()
		ctx := context.New(w, req)

		ctx.RespWriter.Header().Set("Server", "CodebergPages/"+version.Version)

		// Force new default from specification (since November 2020) - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin
		ctx.RespWriter.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")

		// Enable browser caching for up to 10 minutes
		ctx.RespWriter.Header().Set("Cache-Control", "public, max-age=600")

		trimmedHost := ctx.TrimHostPort()

		// Add HSTS for RawDomain and MainDomainSuffix
		if hsts := getHSTSHeader(trimmedHost, mainDomainSuffix, rawDomain); hsts != "" {
			ctx.RespWriter.Header().Set("Strict-Transport-Security", hsts)
		}

		// Handle all http methods
		ctx.RespWriter.Header().Set("Allow", http.MethodGet+", "+http.MethodHead+", "+http.MethodOptions)
		switch ctx.Req.Method {
		case http.MethodOptions:
			// return Allow header
			ctx.RespWriter.WriteHeader(http.StatusNoContent)
			return
		case http.MethodGet,
			http.MethodHead:
			// end switch case and handle allowed requests
			break
		default:
			// Block all methods not required for static pages
			ctx.String("Method not allowed", http.StatusMethodNotAllowed)
			return
		}

		// Block blacklisted paths (like ACME challenges)
		for _, blacklistedPath := range blacklistedPaths {
			if strings.HasPrefix(ctx.Path(), blacklistedPath) {
				html.ReturnErrorPage(ctx, "requested blacklisted path", http.StatusForbidden)
				return
			}
		}

		// Allow CORS for specified domains
		allowCors := false
		for _, allowedCorsDomain := range allowedCorsDomains {
			if strings.EqualFold(trimmedHost, allowedCorsDomain) {
				allowCors = true
				break
			}
		}
		if allowCors {
			ctx.RespWriter.Header().Set(headerAccessControlAllowOrigin, "*")
			ctx.RespWriter.Header().Set(headerAccessControlAllowMethods, http.MethodGet+", "+http.MethodHead)
		}

		// Prepare request information to Gitea
		pathElements := strings.Split(strings.Trim(ctx.Path(), "/"), "/")

		if rawDomain != "" && strings.EqualFold(trimmedHost, rawDomain) {
			log.Debug().Msg("raw domain request detecded")
			handleRaw(log, ctx, giteaClient,
				mainDomainSuffix, rawInfoPage,
				trimmedHost,
				pathElements,
				canonicalDomainCache)
		} else if strings.HasSuffix(trimmedHost, mainDomainSuffix) {
			log.Debug().Msg("subdomain request detecded")
			handleSubDomain(log, ctx, giteaClient,
				mainDomainSuffix,
				trimmedHost,
				pathElements,
				canonicalDomainCache)
		} else {
			log.Debug().Msg("custom domain request detecded")
			handleCustomDomain(log, ctx, giteaClient,
				mainDomainSuffix,
				trimmedHost,
				pathElements,
				dnsLookupCache, canonicalDomainCache)
		}
	}
}
move handler into its own package 2022-11-12 18:44:04 +01:00			`package handler`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
			`import (`
rm cache from fasthttp 2022-07-27 17:25:08 +02:00			`"net/http"`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`"strings"`

inject all cache 2021-12-05 15:02:44 +01:00			`"github.com/rs/zerolog/log"`

dont access global vars inject them 2021-12-05 14:45:17 +01:00			`"codeberg.org/codeberg/pages/html"`
inject all cache 2021-12-05 15:02:44 +01:00			`"codeberg.org/codeberg/pages/server/cache"`
more string 2022-08-28 15:33:10 +02:00			`"codeberg.org/codeberg/pages/server/context"`
Move gitea api calls in own "client" package (#78) continue #75 close #16 - fix regression (from #34) _thanks to @crystal_ - create own gitea client package - more logging - add mock impl of CertDB Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: crystal <crystal@noreply.codeberg.org> Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/78 Reviewed-by: crapStone <crapstone@noreply.codeberg.org> 2022-06-11 23:02:06 +02:00			`"codeberg.org/codeberg/pages/server/gitea"`
Release via CI (#94) * release via CI * general CI improvements close #76, close #92 Co-authored-by: 6543 <6543@obermui.de> Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/94 2022-06-14 20:35:11 +02:00			`"codeberg.org/codeberg/pages/server/version"`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`)`

more string 2022-08-28 15:33:10 +02:00			`const (`
			`headerAccessControlAllowOrigin = "Access-Control-Allow-Origin"`
			`headerAccessControlAllowMethods = "Access-Control-Allow-Methods"`
			`)`

dont access global vars inject them 2021-12-05 14:45:17 +01:00			`// Handler handles a single HTTP request to the web server.`
more string 2022-08-28 16:21:37 +02:00			`func Handler(mainDomainSuffix, rawDomain string,`
Move gitea api calls in own "client" package (#78) continue #75 close #16 - fix regression (from #34) _thanks to @crystal_ - create own gitea client package - more logging - add mock impl of CertDB Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: crystal <crystal@noreply.codeberg.org> Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/78 Reviewed-by: crapStone <crapstone@noreply.codeberg.org> 2022-06-11 23:02:06 +02:00			`giteaClient *gitea.Client,`
unwind tryBranch into own func 2022-11-12 02:54:56 +01:00			`rawInfoPage string,`
more string 2022-08-28 15:33:10 +02:00			`blacklistedPaths, allowedCorsDomains []string,`
more caching in-client 2022-07-27 15:39:46 +02:00			`dnsLookupCache, canonicalDomainCache cache.SetGetKey,`
rm cache from fasthttp 2022-07-27 17:25:08 +02:00			`) http.HandlerFunc {`
			`return func(w http.ResponseWriter, req *http.Request) {`
Merge branch 'main' into std-http 2022-08-28 14:35:27 +02:00			`log := log.With().Strs("Handler", []string{string(req.Host), req.RequestURI}).Logger()`
more string 2022-08-28 15:33:10 +02:00			`ctx := context.New(w, req)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
more string 2022-08-28 15:33:10 +02:00			`ctx.RespWriter.Header().Set("Server", "CodebergPages/"+version.Version)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
			`// Force new default from specification (since November 2020) - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin`
more string 2022-08-28 15:33:10 +02:00			`ctx.RespWriter.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
			`// Enable browser caching for up to 10 minutes`
more string 2022-08-28 15:33:10 +02:00			`ctx.RespWriter.Header().Set("Cache-Control", "public, max-age=600")`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
split 2022-11-12 19:57:37 +01:00			`trimmedHost := ctx.TrimHostPort()`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
			`// Add HSTS for RawDomain and MainDomainSuffix`
more log 2022-11-07 23:01:31 +01:00			`if hsts := getHSTSHeader(trimmedHost, mainDomainSuffix, rawDomain); hsts != "" {`
more string 2022-08-28 15:33:10 +02:00			`ctx.RespWriter.Header().Set("Strict-Transport-Security", hsts)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`}`

deduplicate 2022-11-12 13:10:07 +01:00			`// Handle all http methods`
			`ctx.RespWriter.Header().Set("Allow", http.MethodGet+", "+http.MethodHead+", "+http.MethodOptions)`
			`switch ctx.Req.Method {`
			`case http.MethodOptions:`
			`// return Allow header`
			`ctx.RespWriter.WriteHeader(http.StatusNoContent)`
			`return`
			`case http.MethodGet,`
			`http.MethodHead:`
			`// end switch case and handle allowed requests`
			`break`
			`default:`
			`// Block all methods not required for static pages`
rm 2022-11-07 21:34:23 +01:00			`ctx.String("Method not allowed", http.StatusMethodNotAllowed)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`return`
			`}`

			`// Block blacklisted paths (like ACME challenges)`
			`for _, blacklistedPath := range blacklistedPaths {`
more string 2022-08-28 15:33:10 +02:00			`if strings.HasPrefix(ctx.Path(), blacklistedPath) {`
improve & refactor & return specific error pages 2022-11-07 22:47:03 +01:00			`html.ReturnErrorPage(ctx, "requested blacklisted path", http.StatusForbidden)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`return`
			`}`
			`}`

			`// Allow CORS for specified domains`
Fix CORS / add Access-Control-Allow-Origin * to all methods (#69) The header is not only necessary on the OPTIONS request, but on any method, so I removed the condition. Serving any workadventure map was broken BTW. We should have tested this :-( Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/69 Reviewed-by: Andreas Shimokawa <ashimokawa@noreply.codeberg.org> Co-authored-by: Otto Richter <otto@codeberg.org> Co-committed-by: Otto Richter <otto@codeberg.org> 2022-04-10 18:11:00 +02:00			`allowCors := false`
			`for _, allowedCorsDomain := range allowedCorsDomains {`
more string 2022-08-28 16:21:37 +02:00			`if strings.EqualFold(trimmedHost, allowedCorsDomain) {`
Fix CORS / add Access-Control-Allow-Origin * to all methods (#69) The header is not only necessary on the OPTIONS request, but on any method, so I removed the condition. Serving any workadventure map was broken BTW. We should have tested this :-( Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/69 Reviewed-by: Andreas Shimokawa <ashimokawa@noreply.codeberg.org> Co-authored-by: Otto Richter <otto@codeberg.org> Co-committed-by: Otto Richter <otto@codeberg.org> 2022-04-10 18:11:00 +02:00			`allowCors = true`
			`break`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`}`
Fix CORS / add Access-Control-Allow-Origin * to all methods (#69) The header is not only necessary on the OPTIONS request, but on any method, so I removed the condition. Serving any workadventure map was broken BTW. We should have tested this :-( Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/69 Reviewed-by: Andreas Shimokawa <ashimokawa@noreply.codeberg.org> Co-authored-by: Otto Richter <otto@codeberg.org> Co-committed-by: Otto Richter <otto@codeberg.org> 2022-04-10 18:11:00 +02:00			`}`
			`if allowCors {`
more string 2022-08-28 15:33:10 +02:00			`ctx.RespWriter.Header().Set(headerAccessControlAllowOrigin, "*")`
			`ctx.RespWriter.Header().Set(headerAccessControlAllowMethods, http.MethodGet+", "+http.MethodHead)`
Fix CORS / add Access-Control-Allow-Origin * to all methods (#69) The header is not only necessary on the OPTIONS request, but on any method, so I removed the condition. Serving any workadventure map was broken BTW. We should have tested this :-( Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/69 Reviewed-by: Andreas Shimokawa <ashimokawa@noreply.codeberg.org> Co-authored-by: Otto Richter <otto@codeberg.org> Co-committed-by: Otto Richter <otto@codeberg.org> 2022-04-10 18:11:00 +02:00			`}`
rm cache from fasthttp 2022-07-27 17:25:08 +02:00
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`// Prepare request information to Gitea`
deduplicate 2022-11-12 14:08:08 +01:00			`pathElements := strings.Split(strings.Trim(ctx.Path(), "/"), "/")`
dont access global vars inject them 2021-12-05 14:45:17 +01:00
more string 2022-08-28 16:21:37 +02:00			`if rawDomain != "" && strings.EqualFold(trimmedHost, rawDomain) {`
split 2022-11-12 19:57:37 +01:00			`log.Debug().Msg("raw domain request detecded")`
			`handleRaw(log, ctx, giteaClient,`
			`mainDomainSuffix, rawInfoPage,`
			`trimmedHost,`
			`pathElements,`
			`canonicalDomainCache)`
more string 2022-08-28 16:21:37 +02:00			`} else if strings.HasSuffix(trimmedHost, mainDomainSuffix) {`
split 2022-11-12 19:57:37 +01:00			`log.Debug().Msg("subdomain request detecded")`
			`handleSubDomain(log, ctx, giteaClient,`
			`mainDomainSuffix,`
			`trimmedHost,`
			`pathElements,`
			`canonicalDomainCache)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`} else {`
split 2022-11-12 19:57:37 +01:00			`log.Debug().Msg("custom domain request detecded")`
			`handleCustomDomain(log, ctx, giteaClient,`
			`mainDomainSuffix,`
			`trimmedHost,`
			`pathElements,`
			`dnsLookupCache, canonicalDomainCache)`
dont access global vars inject them 2021-12-05 14:45:17 +01:00			`}`
			`}`
			`}`