TildeClub/site
TildeClub
/
site
mirror of https://github.com/tildeclub/site.git
1
1
Fork 1
Code Issues Packages Projects Releases Wiki Activity
site/blocks/index.php

267 lines
8.1 KiB
PHP
Raw Normal View History

forgot a few files in last push.
2025-09-29 20:11:26 +00:00
<?php
declare(strict_types=1);
/**
* CSF deny list JSON API
* - Outputs only JSON
* - Locked down by IP allowlist (and optional token)
* - Parses:
* - Single IP or CIDR (v4/v6), with optional trailing comment
* - Advanced rules: proto(s)|in/out|s/d=port(s)|s/d=ip
*/
////////////////////////////
// Bootstrap & headers
////////////////////////////
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: no-referrer');
header('Cache-Control: no-store');
$env = loadEnv(__DIR__.'/.env');
$env += [
'APP_ENV' => 'prod',
'DENY_FILE' => '/etc/csf/csf.deny', // or full path to ".csfdeny"
'ALLOW_IPS' => '', // comma-separated allowlist
'TRUST_PROXY' => '0', // "1" to respect X-Forwarded-For from trusted proxies
'TRUSTED_PROXIES'=> '', // comma-separated IPs/CIDRs of proxies
'API_TOKEN' => '', // optional shared token
];
if (($env['APP_ENV'] ?? 'prod') !== 'dev') {
ini_set('display_errors', '0');
ini_set('log_errors', '1');
}
////////////////////////////
// Access control
////////////////////////////
$clientIp = resolveClientIp((bool)intval($env['TRUST_PROXY']), $env['TRUSTED_PROXIES']);
if (!ipAllowed($clientIp, $env['ALLOW_IPS'])) {
http_response_code(403);
echo json_encode(['error' => 'forbidden', 'reason' => 'ip_not_allowed', 'client_ip' => $clientIp], JSON_UNESCAPED_SLASHES);
exit;
}
if (($env['API_TOKEN'] ?? '') !== '' && !hash_equals($env['API_TOKEN'], $_SERVER['HTTP_X_API_TOKEN'] ?? '')) {
http_response_code(403);
echo json_encode(['error' => 'forbidden', 'reason' => 'bad_token'], JSON_UNESCAPED_SLASHES);
exit;
}
////////////////////////////
// Read & parse deny file
////////////////////////////
$file = $env['DENY_FILE'];
if (!is_readable($file)) {
http_response_code(500);
echo json_encode(['error' => 'unreadable_file', 'path' => $file], JSON_UNESCAPED_SLASHES);
exit;
}
$lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
$entries = [];
foreach ($lines as $rawLine) {
$line = trim($rawLine);
if ($line === '' || str_starts_with($line, '#')) {
continue;
}
// Split off trailing comment after a space + '#'
$comment = null;
$hashPos = strpos($line, ' #');
if ($hashPos !== false) {
$comment = trim(substr($line, $hashPos + 2));
$line = trim(substr($line, 0, $hashPos));
}
$parsed = parseCsfLine($line);
if ($parsed !== null) {
$parsed['raw'] = $rawLine;
if ($comment !== null) {
$parsed['comment'] = $comment;
}
$entries[] = $parsed;
}
}
////////////////////////////
// Output
////////////////////////////
echo json_encode([
'generated_at' => gmdate('c'),
'source' => realpath($file) ?: $file,
'count' => count($entries),
'entries' => $entries,
], JSON_UNESCAPED_SLASHES);
/* -------------------- helpers -------------------- */
function loadEnv(string $path): array
{
$out = [];
if (!is_file($path) || !is_readable($path)) {
return $out;
}
foreach (file($path, FILE_IGNORE_NEW_LINES) ?: [] as $l) {
$l = trim($l);
if ($l === '' || str_starts_with($l, '#')) { continue; }
if (!str_contains($l, '=')) { continue; }
[$k, $v] = array_map('trim', explode('=', $l, 2));
$v = trim($v, " \t\n\r\0\x0B\"'");
$out[$k] = $v;
}
return $out;
}
function resolveClientIp(bool $trustProxy, string $trustedProxiesCsv): string
{
$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (!$trustProxy) {
return $remote;
}
$proxyList = array_filter(array_map('trim', explode(',', $trustedProxiesCsv ?: '')));
// If the REMOTE_ADDR is not a trusted proxy, ignore forwarded headers
if (!ipAllowed($remote, implode(',', $proxyList))) {
return $remote;
}
$xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
if ($xff === '') {
return $remote;
}
// pick the first IP in XFF chain
$first = trim(explode(',', $xff)[0]);
return filter_var($first, FILTER_VALIDATE_IP) ? $first : $remote;
}
function ipAllowed(string $ip, string $allowCsv): bool
{
if ($allowCsv === '') {
return false;
}
$allow = array_filter(array_map('trim', explode(',', $allowCsv)));
foreach ($allow as $cidrOrIp) {
if ($cidrOrIp === '') { continue; }
if (str_contains($cidrOrIp, '/')) {
if (ipInCidr($ip, $cidrOrIp)) { return true; }
} else {
if (hash_equals($cidrOrIp, $ip)) { return true; }
}
}
return false;
}
function parseCsfLine(string $line): ?array
{
// If it contains pipes, treat as advanced rule
if (str_contains($line, '|')) {
$parts = array_map('trim', explode('|', $line));
if (count($parts) < 2) {
return null;
}
// proto(s)
$protoRaw = strtolower($parts[0]);
$protocols = array_filter(array_map('trim', explode('/', $protoRaw)));
// direction
$direction = strtolower($parts[1] ?? '');
$srcIp = $dstIp = null;
$srcPorts = $dstPorts = [];
for ($i = 2; $i < count($parts); $i++) {
$kv = explode('=', $parts[$i], 2);
if (count($kv) !== 2) { continue; }
[$key, $val] = [strtolower(trim($kv[0])), trim($kv[1])];
if ($key === 's' || $key === 'src') {
// src may be IP/CIDR or port list
if (looksLikeIpOrCidr($val)) {
$srcIp = $val;
} else {
$srcPorts = parsePortList($val);
}
} elseif ($key === 'd' || $key === 'dst') {
if (looksLikeIpOrCidr($val)) {
$dstIp = $val;
} else {
$dstPorts = parsePortList($val);
}
}
}
return [
'type' => 'rule',
'protocols' => $protocols ?: ['tcp'],
'direction' => in_array($direction, ['in','out'], true) ? $direction : 'in',
'ports' => ['source' => $srcPorts, 'dest' => $dstPorts],
'source_ip' => $srcIp,
'dest_ip' => $dstIp,
];
}
// Plain IP or CIDR
if (looksLikeIpOrCidr($line)) {
// split ip/cidr
$ip = $line;
$cidr = null;
if (str_contains($line, '/')) {
[$ip, $mask] = explode('/', $line, 2);
$ip = trim($ip);
$cidr = (string)intval($mask);
}
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
return null;
}
return [
'type' => ($cidr !== null ? 'cidr' : 'ip'),
'ip' => $ip,
'cidr' => $cidr,
];
}
return null;
}
function looksLikeIpOrCidr(string $val): bool
{
if (str_contains($val, '/')) {
[$ip, $mask] = explode('/', $val, 2);
return (bool)filter_var($ip, FILTER_VALIDATE_IP) && ctype_digit($mask);
}
return (bool)filter_var($val, FILTER_VALIDATE_IP);
}
function parsePortList(string $val): array
{
$out = [];
foreach (explode(',', $val) as $p) {
$p = trim($p);
if ($p === '') { continue; }
// keep ranges as raw strings (e.g., "1000:2000"), normalize digits
if (preg_match('/^\d+(:\d+)?$/', $p)) {
$out[] = $p;
}
}
return $out;
}
function ipInCidr(string $ip, string $cidr): bool
{
[$subnet, $maskBits] = explode('/', $cidr, 2);
$maskBits = (int)$maskBits;
$ipBin = @inet_pton($ip);
$subnetBin = @inet_pton($subnet);
if ($ipBin === false || $subnetBin === false) {
return false;
}
$len = strlen($ipBin);
if ($len !== strlen($subnetBin)) {
return false; // v4 vs v6 mismatch
}
$bytes = intdiv($maskBits, 8);
$remainder = $maskBits % 8;
if ($bytes > 0 && substr($ipBin, 0, $bytes) !== substr($subnetBin, 0, $bytes)) {
return false;
}
if ($remainder === 0) {
return true;
}
$mask = chr(0xFF << (8 - $remainder) & 0xFF);
return (ord($ipBin[$bytes]) & ord($mask)) === (ord($subnetBin[$bytes]) & ord($mask));
}