abonerib/nix-serve-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: abonerib:d676436e3883340ef6a4250562758150a32cee33
Branches Tags
abonerib:main
...
compare: abonerib:8b962f1c4470d08ecfa28735bdb68849ec3110ee
Branches Tags
abonerib:main

2 Commits
d676436e38 ... 8b962f1c44

Author SHA1 Message Date
Aleix Boné
8b962f1c44
Add debug output 2025-10-03 17:48:14 +02:00
Aleix Boné
85e97b5260
Do not serve derivations with /.private 2025-10-03 17:42:54 +02:00
2 changed files with 30 additions and 0 deletions
Show Stats Expand all files Collapse all files

1
nix-serve-ng.cabal
View File

@ -48,6 +48,7 @@ executable nix-serve
, base32 , base32
, bytestring , bytestring
, charset , charset
, directory
, http-types , http-types
, managed , managed
, megaparsec , megaparsec

29
src/Main.hs
View File

@ -6,6 +6,8 @@
module Main where module Main where
import Debug.Trace
import Control.Monad.IO.Class (liftIO) import Control.Monad.IO.Class (liftIO)
import Data.ByteString (ByteString) import Data.ByteString (ByteString)
import Data.CharSet.ByteSet (ByteSet(..)) import Data.CharSet.ByteSet (ByteSet(..))
@ -35,6 +37,7 @@ import qualified Network.Wai.Middleware.RequestLogger as RequestLogger
import qualified Nix import qualified Nix
import qualified Options import qualified Options
import qualified Options.Applicative as Options import qualified Options.Applicative as Options
import qualified System.Directory as Directory
import qualified System.Environment as Environment import qualified System.Environment as Environment
data ApplicationOptions = ApplicationOptions data ApplicationOptions = ApplicationOptions
@ -250,6 +253,32 @@ makeApplication ApplicationOptions{..} request respond = do
done response done response
isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))
let sockAddr = Wai.remoteHost request
hostAddr <- case sockAddr of
SockAddrInet _ host -> return host
_ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255)
let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0)
traceM $ show (ByteString.Char8.unpack storePath, "private", isPrivate,
"host", hostAddr,
"isInternalClient", isInternalClient
)
Monad.unless (isInternalClient || not isPrivate) do
let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbbiden.\n"
let response =
Wai.responseBuilder
Types.status403
headers
builder
done response
let streamingBody write flush = do let streamingBody write flush = do
result <- Nix.dumpPath hashPart callback result <- Nix.dumpPath hashPart callback