feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution. - Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events. - Update documentation with reverse proxy security guidelines and a production systemd deployment guide.
2026-05-31 21:52:56 +03:00
parent 2d04a42736
commit 10ed806153
38 changed files with 2310 additions and 43 deletions
--- a/backend/libs/middleware/bans.go
+++ b/backend/libs/middleware/bans.go
@@ -0,0 +1,65 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"time"
+
+	"warpbox.dev/backend/libs/services"
+)
+
+func Bans(logger *slog.Logger, bans *services.BanService, trustedProxies []string) Middleware {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ip := services.ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"), r.Header.Get("X-Real-IP"), trustedProxies)
+			r = services.WithClientIP(r, ip)
+			now := time.Now().UTC()
+
+			if bans != nil {
+				if matched, ok, err := bans.Match(ip, now); err != nil {
+					logger.Error("ban match failed", "source", "ban", "severity", "error", "code", 5001, "ip", ip, "error", err.Error())
+				} else if ok {
+					logger.Warn("banned request blocked", "source", "ban", "severity", "warn", "code", 4030, "ip", ip, "ban_id", matched.Ban.ID, "target", matched.Ban.Normalized, "path", r.URL.Path)
+					w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+					w.WriteHeader(http.StatusForbidden)
+					_, _ = w.Write([]byte("forbidden\n"))
+					return
+				}
+
+				if pattern, err := bans.MaliciousPattern(r.URL.Path); err != nil {
+					logger.Error("malicious path check failed", "source", "ban", "severity", "error", "code", 5002, "ip", ip, "error", err.Error())
+				} else if pattern != "" {
+					if result, err := bans.RecordAbuse(ip, services.AbuseKindMaliciousPath, r.URL.Path, banThreshold(bans, services.AbuseKindMaliciousPath), now); err != nil {
+						logger.Error("malicious path event failed", "source", "ban", "severity", "error", "code", 5003, "ip", ip, "path", r.URL.Path, "error", err.Error())
+					} else if result.Enabled {
+						logger.Warn("malicious path requested", "source", "ban", "severity", "warn", "code", 4302, "ip", ip, "path", r.URL.Path, "pattern", pattern, "count", result.Event.Count)
+						if result.Triggered {
+							logger.Warn("ip auto-banned for malicious path", "source", "ban", "severity", "warn", "code", 4303, "ip", ip, "ban_id", result.Ban.ID, "path", r.URL.Path)
+							w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+							w.WriteHeader(http.StatusForbidden)
+							_, _ = w.Write([]byte("forbidden\n"))
+							return
+						}
+					}
+				}
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func banThreshold(bans *services.BanService, kind string) int {
+	settings, err := bans.Settings()
+	if err != nil {
+		return 0
+	}
+	switch kind {
+	case services.AbuseKindAdminLogin:
+		return settings.AdminLoginFailureThreshold
+	case services.AbuseKindUserLogin:
+		return settings.UserLoginFailureThreshold
+	default:
+		return settings.MaliciousPathThreshold
+	}
+}
--- a/backend/libs/middleware/bans_test.go
+++ b/backend/libs/middleware/bans_test.go
@@ -0,0 +1,99 @@
+package middleware
+
+import (
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"warpbox.dev/backend/libs/services"
+)
+
+func TestBansMiddlewareBlocksActiveBan(t *testing.T) {
+	bans := newMiddlewareBanService(t)
+	if _, err := bans.CreateManualBan("203.0.113.20", "test", "admin", time.Now().UTC().Add(time.Hour)); err != nil {
+		t.Fatalf("CreateManualBan returned error: %v", err)
+	}
+	handler := Chain(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}), Bans(slog.New(slog.NewTextHandler(io.Discard, nil)), bans, nil))
+
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+	request.RemoteAddr = "127.0.0.1:6070"
+	request.Header.Set("X-Forwarded-For", "203.0.113.20")
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+
+	if response.Code != http.StatusForbidden || response.Body.String() != "forbidden\n" {
+		t.Fatalf("blocked response = %d %q", response.Code, response.Body.String())
+	}
+}
+
+func TestBansMiddlewareAllowsNonBannedIP(t *testing.T) {
+	bans := newMiddlewareBanService(t)
+	called := false
+	handler := Chain(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		_, _ = io.WriteString(w, "ok")
+	}), Bans(slog.New(slog.NewTextHandler(io.Discard, nil)), bans, nil))
+
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+	request.RemoteAddr = "203.0.113.21:6070"
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+
+	if !called || response.Code != http.StatusOK {
+		t.Fatalf("allowed response = called %v code %d", called, response.Code)
+	}
+}
+
+func TestBansMiddlewareAutoBansMaliciousPaths(t *testing.T) {
+	bans := newMiddlewareBanService(t)
+	settings, err := bans.Settings()
+	if err != nil {
+		t.Fatalf("Settings returned error: %v", err)
+	}
+	settings.AutoBanEnabled = true
+	settings.MaliciousPathThreshold = 3
+	if err := bans.UpdateSettings(settings); err != nil {
+		t.Fatalf("UpdateSettings returned error: %v", err)
+	}
+	handler := Chain(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.NotFound(w, r)
+	}), Bans(slog.New(slog.NewTextHandler(io.Discard, nil)), bans, nil))
+
+	for i := 0; i < 3; i++ {
+		request := httptest.NewRequest(http.MethodGet, "/.env", nil)
+		request.RemoteAddr = "203.0.113.22:6070"
+		response := httptest.NewRecorder()
+		handler.ServeHTTP(response, request)
+		if i < 2 && response.Code == http.StatusForbidden {
+			t.Fatalf("request %d blocked before threshold", i+1)
+		}
+		if i == 2 && response.Code != http.StatusForbidden {
+			t.Fatalf("request 3 status = %d, want forbidden", response.Code)
+		}
+	}
+}
+
+func newMiddlewareBanService(t *testing.T) *services.BanService {
+	t.Helper()
+	root := t.TempDir()
+	upload, err := services.NewUploadService(1024*1024, filepath.Join(root, "data"), "http://example.test", slog.Default())
+	if err != nil {
+		t.Fatalf("NewUploadService returned error: %v", err)
+	}
+	t.Cleanup(func() {
+		if err := upload.Close(); err != nil {
+			t.Fatalf("Close returned error: %v", err)
+		}
+	})
+	bans, err := services.NewBanService(upload.DB())
+	if err != nil {
+		t.Fatalf("NewBanService returned error: %v", err)
+	}
+	return bans
+}