diff --git a/nix-serve-ng.cabal b/nix-serve-ng.cabal
index d824e4d..b8d8c41 100644
--- a/nix-serve-ng.cabal
+++ b/nix-serve-ng.cabal
@@ -48,6 +48,7 @@ executable nix-serve
 , base32
 , bytestring
 , charset
+ , directory
 , http-types
 , managed
 , megaparsec
diff --git a/src/Main.hs b/src/Main.hs
index f7f354d..f77f4ba 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -35,6 +35,7 @@ import qualified Network.Wai.Middleware.RequestLogger as RequestLogger
 import qualified Nix
 import qualified Options
 import qualified Options.Applicative as Options
+import qualified System.Directory as Directory
 import qualified System.Environment as Environment
 data ApplicationOptions = ApplicationOptions
@@ -250,6 +251,28 @@ makeApplication ApplicationOptions{..} request respond = do
 done response
+ isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))
+ let sockAddr = Wai.remoteHost request
+ hostAddr <- case sockAddr of
+ SockAddrInet _ host -> return host
+ _ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255)
+
+ let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0)
+
+ Monad.unless (isInternalClient || not isPrivate) do
+ let headers = [ ("Content-Type", "text/plain") ]
+
+ let builder = "Forbbiden.\n"
+
+ let response =
+ Wai.responseBuilder
+ Types.status403
+ headers
+ builder
+
+ done response
+
+
 let streamingBody write flush = do
 result <- Nix.dumpPath hashPart callback
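Review bot: The new access check in the `src/Main.hs` hunk looks inverted: `isPrivate` is bound to `not <$>` of the `.private` existence test, so the 403 branch runs for external clients only when the marker is absent, and a store path that carries `.private` is served to everyone. If the marker is meant to restrict a path, bind it as `isPrivate <- liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))` and guard with `Monad.when (isPrivate && not isInternalClient) do`; if default-deny is what is intended, rename the variable or the marker and state that in a comment. The 10.0.0.0/8 test is also byte-order dependent, assuming `Socket` is `Network.Socket`: `HostAddress` holds the network-order bytes read in host order, so on little-endian hosts the `>=`/`<` comparison matches only 10.0.0.0 itself, whereas comparing the first octet from `Socket.hostAddressToTuple hostAddr` with 10 is portable. `Wai.remoteHost` is the TCP peer, so behind a reverse proxy that sits in 10.0.0.0/8 every request would count as internal, and non-`SockAddrInet` peers (including IPv4-mapped IPv6) always fall through to the external case. `makeApplication` starts and ends outside this hunk, so whether the other routes apply the same check is not visible here.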