I'm looking to satisfy this:

- If you are in an ACL, you can make a TLS connection
- If you are not in an ACL, you can only make a TCP connection, but not a TLS connection*

* It would be better if it didn't honor TCP either, unless it is a health probe

Basically I want to move my denials into the listener and not in the http.Server handlers. I thought I was clever recently, trying to do this with:

func (a *aclListener) Accept() (net.Conn, error) {
	conn, err := a.ln.Accept()
	if err != nil {
		return nil, err
	}
	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
	if err != nil {
		conn.Close() // don't leak the accepted socket
		return nil, fmt.Errorf("connection's remote address(%s) could not be split: %s", conn.RemoteAddr().String(), err)
	}
	// The probe connected, so close the connection and exit.
	if a.acls.isProbe(host) {
		log.Printf("TCP probe(%s) connection", host)
		conn.Close()
		return nil, ErrIsProbe
	}
	// Block anything that isn't in our ACL.
	if err := a.acls.ipAuth(host); err != nil {
		conn.Close() // don't leak the accepted socket on denial
		return nil, err
	}
	log.Println("accepting connection from: ", conn.RemoteAddr().String())
	return conn, nil
}

aclListener implements a net.Listener and I was going to allow the TCP probe from this health service, but nothing more (like seeing the TLS header). However, it turns out erroring on an Accept() will cause the http.Server to stop.

Of course, if this code did work, the difference between the prober and non-ACL connections is the same, they both can get the TCP socket before being denied.

Does anyone know if I can achieve this in my code without getting super hacky? I can see some ways to do that, but figured someone here might have done this in a simple way.

Cheers and thanks.
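An added example (not the poster's code) of the loop-instead-of-error approach: because http.Server.Serve returns as soon as Accept yields a non-temporary error, the wrapper below closes rejected peers inside Accept and keeps accepting, so only ACL-listed peers are handed to the server and reach the TLS handshake. Verdict, ACL and aclListener are hypothetical names standing in for the post's acls.ipAuth / acls.isProbe helpers; as the post observes, probers and denied peers still complete the TCP handshake before being closed.

```go
package main

import "net"
// Verdict is the listener's decision for a freshly accepted peer.
type Verdict int
const (
	Allow Verdict = iota // hand the conn to http.Server; TLS handshake proceeds
	Probe                // health prober: close the TCP conn silently
	Deny                 // not in the ACL: close the TCP conn, keep serving
)
// ACL stands in for the poster's acls.ipAuth / acls.isProbe helpers.
type ACL struct {
	Allowed map[string]bool // client IPs allowed to reach the TLS handshake
	Probers map[string]bool // health-prober IPs
}

// Decide classifies a peer by the host part of its RemoteAddr.
func (a *ACL) Decide(remote string) Verdict {
	host, _, err := net.SplitHostPort(remote)
	switch {
	case err != nil:
		return Deny // unparseable address: fail closed
	case a.Probers[host]:
		return Probe
	case a.Allowed[host]:
		return Allow
	default:
		return Deny
	}
}

// aclListener never returns an Accept error for a rejected peer, because
// http.Server.Serve stops on a non-temporary Accept error; it closes and loops.
type aclListener struct {
	net.Listener
	acl *ACL
}

func (l *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := l.Listener.Accept()
		if err != nil {
			return nil, err // genuine listener error (e.g. closed): propagate
		}
		if l.acl.Decide(conn.RemoteAddr().String()) == Allow {
			return conn, nil
		}
		conn.Close() // probe or denied peer: TCP handshake only, no TLS bytes
	}
}
```

Plug it in with `srv.Serve(&aclListener{Listener: ln, acl: acl})` (or ServeTLS); a denied client sees its connection closed right after the TCP handshake while the server keeps running.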