mirror of https://github.com/tildeclub/site.git
267 lines
8.1 KiB
PHP
267 lines
8.1 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* CSF deny list JSON API
|
|
* - Outputs only JSON
|
|
* - Locked down by IP allowlist (and optional token)
|
|
* - Parses:
|
|
* - Single IP or CIDR (v4/v6), with optional trailing comment
|
|
* - Advanced rules: proto(s)|in/out|s/d=port(s)|s/d=ip
|
|
*/
|
|
|
|
////////////////////////////
|
|
// Bootstrap & headers
|
|
////////////////////////////
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
header('X-Content-Type-Options: nosniff');
|
|
header('Referrer-Policy: no-referrer');
|
|
header('Cache-Control: no-store');
|
|
|
|
$env = loadEnv(__DIR__.'/.env');
|
|
$env += [
|
|
'APP_ENV' => 'prod',
|
|
'DENY_FILE' => '/etc/csf/csf.deny', // or full path to ".csfdeny"
|
|
'ALLOW_IPS' => '', // comma-separated allowlist
|
|
'TRUST_PROXY' => '0', // "1" to respect X-Forwarded-For from trusted proxies
|
|
'TRUSTED_PROXIES'=> '', // comma-separated IPs/CIDRs of proxies
|
|
'API_TOKEN' => '', // optional shared token
|
|
];
|
|
|
|
if (($env['APP_ENV'] ?? 'prod') !== 'dev') {
|
|
ini_set('display_errors', '0');
|
|
ini_set('log_errors', '1');
|
|
}
|
|
////////////////////////////
|
|
// Access control
|
|
////////////////////////////
|
|
$clientIp = resolveClientIp((bool)intval($env['TRUST_PROXY']), $env['TRUSTED_PROXIES']);
|
|
if (!ipAllowed($clientIp, $env['ALLOW_IPS'])) {
|
|
http_response_code(403);
|
|
echo json_encode(['error' => 'forbidden', 'reason' => 'ip_not_allowed', 'client_ip' => $clientIp], JSON_UNESCAPED_SLASHES);
|
|
exit;
|
|
}
|
|
if (($env['API_TOKEN'] ?? '') !== '' && !hash_equals($env['API_TOKEN'], $_SERVER['HTTP_X_API_TOKEN'] ?? '')) {
|
|
http_response_code(403);
|
|
echo json_encode(['error' => 'forbidden', 'reason' => 'bad_token'], JSON_UNESCAPED_SLASHES);
|
|
exit;
|
|
}
|
|
|
|
////////////////////////////
|
|
// Read & parse deny file
|
|
////////////////////////////
|
|
$file = $env['DENY_FILE'];
|
|
if (!is_readable($file)) {
|
|
http_response_code(500);
|
|
echo json_encode(['error' => 'unreadable_file', 'path' => $file], JSON_UNESCAPED_SLASHES);
|
|
exit;
|
|
}
|
|
|
|
$lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
|
|
$entries = [];
|
|
foreach ($lines as $rawLine) {
|
|
$line = trim($rawLine);
|
|
if ($line === '' || str_starts_with($line, '#')) {
|
|
continue;
|
|
}
|
|
// Split off trailing comment after a space + '#'
|
|
$comment = null;
|
|
$hashPos = strpos($line, ' #');
|
|
if ($hashPos !== false) {
|
|
$comment = trim(substr($line, $hashPos + 2));
|
|
$line = trim(substr($line, 0, $hashPos));
|
|
}
|
|
|
|
$parsed = parseCsfLine($line);
|
|
if ($parsed !== null) {
|
|
$parsed['raw'] = $rawLine;
|
|
if ($comment !== null) {
|
|
$parsed['comment'] = $comment;
|
|
}
|
|
$entries[] = $parsed;
|
|
}
|
|
}
|
|
|
|
////////////////////////////
|
|
// Output
|
|
////////////////////////////
|
|
echo json_encode([
|
|
'generated_at' => gmdate('c'),
|
|
'source' => realpath($file) ?: $file,
|
|
'count' => count($entries),
|
|
'entries' => $entries,
|
|
], JSON_UNESCAPED_SLASHES);
|
|
|
|
/* -------------------- helpers -------------------- */
|
|
|
|
function loadEnv(string $path): array
|
|
{
|
|
$out = [];
|
|
if (!is_file($path) || !is_readable($path)) {
|
|
return $out;
|
|
}
|
|
foreach (file($path, FILE_IGNORE_NEW_LINES) ?: [] as $l) {
|
|
$l = trim($l);
|
|
if ($l === '' || str_starts_with($l, '#')) { continue; }
|
|
if (!str_contains($l, '=')) { continue; }
|
|
[$k, $v] = array_map('trim', explode('=', $l, 2));
|
|
$v = trim($v, " \t\n\r\0\x0B\"'");
|
|
$out[$k] = $v;
|
|
}
|
|
return $out;
|
|
}
|
|
|
|
function resolveClientIp(bool $trustProxy, string $trustedProxiesCsv): string
|
|
{
|
|
$remote = $_SERVER['REMOTE_ADDR'] ?? '';
|
|
if (!$trustProxy) {
|
|
return $remote;
|
|
}
|
|
$proxyList = array_filter(array_map('trim', explode(',', $trustedProxiesCsv ?: '')));
|
|
// If the REMOTE_ADDR is not a trusted proxy, ignore forwarded headers
|
|
if (!ipAllowed($remote, implode(',', $proxyList))) {
|
|
return $remote;
|
|
}
|
|
$xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
|
|
if ($xff === '') {
|
|
return $remote;
|
|
}
|
|
// pick the first IP in XFF chain
|
|
$first = trim(explode(',', $xff)[0]);
|
|
return filter_var($first, FILTER_VALIDATE_IP) ? $first : $remote;
|
|
}
|
|
|
|
function ipAllowed(string $ip, string $allowCsv): bool
|
|
{
|
|
if ($allowCsv === '') {
|
|
return false;
|
|
}
|
|
$allow = array_filter(array_map('trim', explode(',', $allowCsv)));
|
|
foreach ($allow as $cidrOrIp) {
|
|
if ($cidrOrIp === '') { continue; }
|
|
if (str_contains($cidrOrIp, '/')) {
|
|
if (ipInCidr($ip, $cidrOrIp)) { return true; }
|
|
} else {
|
|
if (hash_equals($cidrOrIp, $ip)) { return true; }
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
function parseCsfLine(string $line): ?array
|
|
{
|
|
// If it contains pipes, treat as advanced rule
|
|
if (str_contains($line, '|')) {
|
|
$parts = array_map('trim', explode('|', $line));
|
|
if (count($parts) < 2) {
|
|
return null;
|
|
}
|
|
// proto(s)
|
|
$protoRaw = strtolower($parts[0]);
|
|
$protocols = array_filter(array_map('trim', explode('/', $protoRaw)));
|
|
// direction
|
|
$direction = strtolower($parts[1] ?? '');
|
|
$srcIp = $dstIp = null;
|
|
$srcPorts = $dstPorts = [];
|
|
|
|
for ($i = 2; $i < count($parts); $i++) {
|
|
$kv = explode('=', $parts[$i], 2);
|
|
if (count($kv) !== 2) { continue; }
|
|
[$key, $val] = [strtolower(trim($kv[0])), trim($kv[1])];
|
|
if ($key === 's' || $key === 'src') {
|
|
// src may be IP/CIDR or port list
|
|
if (looksLikeIpOrCidr($val)) {
|
|
$srcIp = $val;
|
|
} else {
|
|
$srcPorts = parsePortList($val);
|
|
}
|
|
} elseif ($key === 'd' || $key === 'dst') {
|
|
if (looksLikeIpOrCidr($val)) {
|
|
$dstIp = $val;
|
|
} else {
|
|
$dstPorts = parsePortList($val);
|
|
}
|
|
}
|
|
}
|
|
return [
|
|
'type' => 'rule',
|
|
'protocols' => $protocols ?: ['tcp'],
|
|
'direction' => in_array($direction, ['in','out'], true) ? $direction : 'in',
|
|
'ports' => ['source' => $srcPorts, 'dest' => $dstPorts],
|
|
'source_ip' => $srcIp,
|
|
'dest_ip' => $dstIp,
|
|
];
|
|
}
|
|
|
|
// Plain IP or CIDR
|
|
if (looksLikeIpOrCidr($line)) {
|
|
// split ip/cidr
|
|
$ip = $line;
|
|
$cidr = null;
|
|
if (str_contains($line, '/')) {
|
|
[$ip, $mask] = explode('/', $line, 2);
|
|
$ip = trim($ip);
|
|
$cidr = (string)intval($mask);
|
|
}
|
|
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
|
|
return null;
|
|
}
|
|
return [
|
|
'type' => ($cidr !== null ? 'cidr' : 'ip'),
|
|
'ip' => $ip,
|
|
'cidr' => $cidr,
|
|
];
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
function looksLikeIpOrCidr(string $val): bool
|
|
{
|
|
if (str_contains($val, '/')) {
|
|
[$ip, $mask] = explode('/', $val, 2);
|
|
return (bool)filter_var($ip, FILTER_VALIDATE_IP) && ctype_digit($mask);
|
|
}
|
|
return (bool)filter_var($val, FILTER_VALIDATE_IP);
|
|
}
|
|
|
|
function parsePortList(string $val): array
|
|
{
|
|
$out = [];
|
|
foreach (explode(',', $val) as $p) {
|
|
$p = trim($p);
|
|
if ($p === '') { continue; }
|
|
// keep ranges as raw strings (e.g., "1000:2000"), normalize digits
|
|
if (preg_match('/^\d+(:\d+)?$/', $p)) {
|
|
$out[] = $p;
|
|
}
|
|
}
|
|
return $out;
|
|
}
|
|
|
|
function ipInCidr(string $ip, string $cidr): bool
|
|
{
|
|
[$subnet, $maskBits] = explode('/', $cidr, 2);
|
|
$maskBits = (int)$maskBits;
|
|
$ipBin = @inet_pton($ip);
|
|
$subnetBin = @inet_pton($subnet);
|
|
if ($ipBin === false || $subnetBin === false) {
|
|
return false;
|
|
}
|
|
$len = strlen($ipBin);
|
|
if ($len !== strlen($subnetBin)) {
|
|
return false; // v4 vs v6 mismatch
|
|
}
|
|
$bytes = intdiv($maskBits, 8);
|
|
$remainder = $maskBits % 8;
|
|
|
|
if ($bytes > 0 && substr($ipBin, 0, $bytes) !== substr($subnetBin, 0, $bytes)) {
|
|
return false;
|
|
}
|
|
if ($remainder === 0) {
|
|
return true;
|
|
}
|
|
$mask = chr(0xFF << (8 - $remainder) & 0xFF);
|
|
return (ord($ipBin[$bytes]) & ord($mask)) === (ord($subnetBin[$bytes]) & ord($mask));
|
|
}
|