Prevent direct requests with X-Imgproxy-Secret header

2025-01-03 10:43:58 +02:00 · 2017-07-02 03:25:08 +06:00 · 2017-07-02 03:25:08 +06:00 · fa5cf7045e
commit fa5cf7045e
parent 69b607cd98
2 changed files with 21 additions and 0 deletions
--- a/config.go
+++ b/config.go
@ -70,6 +70,8 @@ type config struct {

 	Key  []byte
 	Salt []byte
+
+	Secret string
 }

 var conf = config{
@ -101,6 +103,8 @@ func init() {
 	hexFileConfig(&conf.Key, *keypath)
 	hexFileConfig(&conf.Salt, *saltpath)

+	strEnvConfig(&conf.Secret, "IMGPROXY_SECRET")
+
 	if len(conf.Key) == 0 {
 		log.Fatalln("Key is not defined")
 	}
--- a/server.go
+++ b/server.go
@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
@ -116,9 +117,25 @@ func respondWithError(rw http.ResponseWriter, status int, err error, msg string)
 	rw.Write([]byte(msg))
 }

+func repondWithForbidden(rw http.ResponseWriter) {
+	logResponse(403, "Invalid secret")
+
+	rw.WriteHeader(403)
+	rw.Write([]byte("Forbidden"))
+}
+
+func checkSecret(s string) bool {
+	return len(conf.Secret) == 0 || subtle.ConstantTimeCompare([]byte(s), []byte(conf.Secret)) == 1
+}
+
 func (h httpHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	log.Printf("GET: %s\n", r.URL.RequestURI())

+	if !checkSecret(r.Header.Get("X-Imgproxy-Secret")) {
+		repondWithForbidden(rw)
+		return
+	}
+
 	imgURL, procOpt, err := parsePath(r)
 	if err != nil {
 		respondWithError(rw, 404, err, "Invalid image url")