abonerib/nix-serve-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: abonerib:9c056641300a826db66b66d7e584b2541d38927a
Branches Tags
abonerib:main
..
compare: abonerib:b4fac5ab8c85916b3c331cf2e7d23f881d561905
Branches Tags
abonerib:main

4 Commits
9c05664130 ... b4fac5ab8c

Author SHA1 Message Date
Aleix Boné
b4fac5ab8c
Set X-Private header for private derivations 2025-10-07 11:29:01 +02:00
Aleix Boné
6c6b5d3377
Add debug output 2025-10-07 11:06:02 +02:00
Aleix Boné
70cd4f1ec5
Do not serve derivations with /nix-support/private 2025-10-07 11:06:02 +02:00
Aleix Boné
a098861c8d
Sample package 2025-10-07 11:06:02 +02:00
1 changed files with 1 additions and 35 deletions
Show Stats Expand all files Collapse all files

36
src/Main.hs
View File

@ -12,7 +12,6 @@ import Control.Monad.IO.Class (liftIO)
import Data.ByteString (ByteString) import Data.ByteString (ByteString)
import Data.CharSet.ByteSet (ByteSet(..)) import Data.CharSet.ByteSet (ByteSet(..))
import Data.Function ((&)) import Data.Function ((&))
import Data.Word (Word8)
import Network.Socket (SockAddr(..)) import Network.Socket (SockAddr(..))
import Network.Wai (Application) import Network.Wai (Application)
import Nix (NoSuchPath(..), PathInfo(..)) import Nix (NoSuchPath(..), PathInfo(..))
@ -58,20 +57,6 @@ validHashPartBytes =
<> [ 0x76 .. 0x7A ] -- vwxyz <> [ 0x76 .. 0x7A ] -- vwxyz
) )
type HostAddressTuple = (Word8, Word8, Word8, Word8)
isInWhitelist :: Socket.HostAddress -> Bool
isInWhitelist host = any (uncurry (inRange $ Socket.hostAddressToTuple host)) allowedIPs
where
allowedIPs :: [(HostAddressTuple, HostAddressTuple)]
allowedIPs = [
((127,0,0,1), (127,0,0,1)),
((10,0,0,1), (10,255,255,254)),
((192,168,72,1), (192,168,79,254))
]
inRange ip a b = ip >= a && ip <= b
validHashPart :: ByteString -> Bool validHashPart :: ByteString -> Bool
validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash
@ -271,27 +256,8 @@ makeApplication ApplicationOptions{..} request respond = do
let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private" let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private"
isPrivate <- liftIO $ Directory.doesPathExist privateFilePath isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
let isLocal = case Wai.remoteHost request of
SockAddrInet _ host -> isInWhitelist host
_ -> False
traceM $ show (Wai.remoteHost request, isLocal)
traceM $ show (privateFilePath, isPrivate) traceM $ show (privateFilePath, isPrivate)
Monad.when (isPrivate && not isLocal) do
let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbidden.\n"
let response =
Wai.responseBuilder
Types.status403
headers
builder
done response
let streamingBody write flush = do let streamingBody write flush = do
result <- Nix.dumpPath hashPart callback result <- Nix.dumpPath hashPart callback
@ -303,7 +269,7 @@ makeApplication ApplicationOptions{..} request respond = do
() <- write builder () <- write builder
flush flush
let headers = [ ("Content-Type", "text/plain") ] let headers = [ ("Content-Type", "text/plain") ] <> [("X-Private", "true") | isPrivate]
let response = let response =
Wai.responseStream Types.status200 headers streamingBody Wai.responseStream Types.status200 headers streamingBody