From 1d9e816216099ebaf6da7b280b9f3791b70755a8 Mon Sep 17 00:00:00 2001
From: Grzegorz
Date: Sat, 13 Jan 2024 11:11:08 +0100
Subject: [PATCH 1/3] Added ipfilter argument for filtering by incoming requests source IP

---
 main.go | 3 ++-
 reverseproxy/reverseproxy.go | 41 +++++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/main.go b/main.go
index 447a777..630da57 100644
--- a/main.go
+++ b/main.go
@@ -22,6 +22,7 @@ var (
 	keyFile = flag.String("key", "", "path to a private key file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
 	domain = flag.String("domain", "", "domain to mint letsencrypt certificates for. Usage of this parameter implies acceptance of the LetsEncrypt terms of service.")
 	redirectHTTP = flag.Bool("redirectHTTP", false, "if true, redirects http requests from port 80 to https at your fromURL")
+	ipFilter = flag.String("ipfilter", "", "source IP address to filter incoming requests on. If not provided allow all IP")
 )
 
 const (
@@ -81,7 +82,7 @@ func main() {
 	}
 
 	// Setup reverse proxy ServeMux
-	p := reverseproxy.Build(toURL)
+	p := reverseproxy.Build(toURL, *ipFilter)
 	mux := http.NewServeMux()
 	mux.Handle("/", p)
 
diff --git a/reverseproxy/reverseproxy.go b/reverseproxy/reverseproxy.go
index fcd0fc8..e87de90 100644
--- a/reverseproxy/reverseproxy.go
+++ b/reverseproxy/reverseproxy.go
@@ -1,6 +1,7 @@
 package reverseproxy
 
 import (
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
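Review bot: The help text on the new `ipfilter` flag does not say what the value is compared against: the reverseproxy change in this series matches it byte-for-byte against the host part of `req.RemoteAddr`, i.e. the TCP peer that connected to ssl-proxy, so with a load balancer or another proxy in front the only address that can ever match is that hop's, and a CIDR or a comma-separated list will never match anything. I would state that in the description, e.g. `"allow requests only from this exact source IP address (the TCP peer as seen by ssl-proxy, not X-Forwarded-For); empty allows all"`. The enclosing `var (` block starts before this hunk.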
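Review bot: `*ipFilter` is handed to `reverseproxy.Build` unvalidated, and because the filter is a plain string comparison against the peer address, a mistyped or differently written value (`10.0.0.0/8`, `[::1]`, a hostname) matches nothing, so the proxy silently rejects every request instead of refusing to start. I would fail fast once flags are parsed, before this hunk: `if *ipFilter != "" && net.ParseIP(*ipFilter) == nil {` / `log.Fatalf("invalid -ipfilter address %q", *ipFilter)` / `}`. Whether main.go already imports `net` and `log` is not visible in this patch. The body of `main` continues outside the hunk on both sides.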
@@ -8,37 +9,43 @@ import (
 )
 
 // Build initializes and returns a new ReverseProxy instance suitable for SSL proxying
-func Build(toURL *url.URL) *httputil.ReverseProxy {
+func Build(toURL *url.URL, ipFilter string) *httputil.ReverseProxy {
 	localProxy := &httputil.ReverseProxy{}
 	addProxyHeaders := func(req *http.Request) {
 		req.Header.Set(http.CanonicalHeaderKey("X-Forwarded-Proto"), "https")
 		req.Header.Set(http.CanonicalHeaderKey("X-Forwarded-Port"), "443") // TODO: inherit another port if needed
 	}
-	localProxy.Director = newDirector(toURL, addProxyHeaders)
+	localProxy.Director = newDirector(toURL, ipFilter, addProxyHeaders)
 	return localProxy
 }
 
 // newDirector creates a base director that should be exactly what http.NewSingleHostReverseProxy() creates, but allows
 // for the caller to supply and extraDirector function to decorate to request to the downstream server
-func newDirector(target *url.URL, extraDirector func(*http.Request)) func(*http.Request) {
+func newDirector(target *url.URL, ipFilter string, extraDirector func(*http.Request)) func(*http.Request) {
 	targetQuery := target.RawQuery
 	return func(req *http.Request) {
-		req.URL.Scheme = target.Scheme
-		req.URL.Host = target.Host
-		req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
-		if targetQuery == "" || req.URL.RawQuery == "" {
-			req.URL.RawQuery = targetQuery + req.URL.RawQuery
-		} else {
-			req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
-		}
-		if _, ok := req.Header["User-Agent"]; !ok {
-			// explicitly disable User-Agent so it's not set to default value
-			req.Header.Set("User-Agent", "")
-		}
+		remoteIp, _, _ := net.SplitHostPort(req.RemoteAddr)
+		if ipFilter == "" || remoteIp == ipFilter {
+			req.URL.Scheme = target.Scheme
+			req.URL.Host = target.Host
+			req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
+			if targetQuery == "" || req.URL.RawQuery == "" {
+				req.URL.RawQuery = targetQuery + req.URL.RawQuery
+			} else {
+				req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
+			}
+			if _, ok := req.Header["User-Agent"]; !ok {
+				// explicitly disable User-Agent so it's not set to default value
+				req.Header.Set("User-Agent", "")
+			}
 
-		if extraDirector != nil {
-			extraDirector(req)
+			if extraDirector != nil {
+				extraDirector(req)
+			}
+		} else {
+			// IPv6 black hole address
+			req.URL.Host = "[100::/64]"
 		}
 	}
 }

From a8979af26cc94b39bccf63a38c283aeabfd55d69 Mon Sep 17 00:00:00 2001
From: Grzegorz
Date: Sat, 13 Jan 2024 11:24:00 +0100
Subject: [PATCH 2/3] Added ipfilter argument for filtering by incoming requests source IP

---
 reverseproxy/reverseproxy.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/reverseproxy/reverseproxy.go b/reverseproxy/reverseproxy.go
index e87de90..e0682d1 100644
--- a/reverseproxy/reverseproxy.go
+++ b/reverseproxy/reverseproxy.go
@@ -46,6 +46,7 @@ func newDirector(target *url.URL, ipFilter string, extraDirector func(*http.Requ
 		} else {
 			// IPv6 black hole address
 			req.URL.Host = "[100::/64]"
+			req.URL.Scheme = "http"
 		}
 	}
 }

From 5f38e23d0f79d5382d596f991fb6bb5a3f805327 Mon Sep 17 00:00:00 2001
From: Grzegorz
Date: Sat, 13 Jan 2024 11:29:09 +0100
Subject: [PATCH 3/3] Added ipfilter argument for filtering by incoming requests source IP

---
 reverseproxy/reverseproxy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/reverseproxy/reverseproxy.go b/reverseproxy/reverseproxy.go
index e0682d1..5a42cbb 100644
--- a/reverseproxy/reverseproxy.go
+++ b/reverseproxy/reverseproxy.go
@@ -44,8 +44,8 @@ func newDirector(target *url.URL, ipFilter string, extraDirector func(*http.Requ
 				extraDirector(req)
 			}
 		} else {
-			// IPv6 black hole address
-			req.URL.Host = "[100::/64]"
+			// send to black hole
+			req.URL.Host = "127.0.0.1:0"
 			req.URL.Scheme = "http"
 		}
 	}
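Review bot: The allow check `remoteIp == ipFilter` compares raw strings, so an IPv6 peer whose address Go renders as `::1` never matches a filter written as `0:0:0:0:0:0:0:1` or `[::1]`, and the error from `net.SplitHostPort` is discarded, leaving `remoteIp` empty on a malformed `RemoteAddr`. Parse the filter once outside the per-request closure and compare structurally: `allowed := net.ParseIP(ipFilter)` in `newDirector`, then in the closure `host, _, err := net.SplitHostPort(req.RemoteAddr)` and `if ipFilter == "" || (err == nil && allowed != nil && allowed.Equal(net.ParseIP(host))) {`. Go's initialism convention also wants `remoteIP` rather than `remoteIp`. The `newDirector` doc comment should describe the new parameter, e.g. `// ipFilter, when non-empty, is the only peer IP whose requests are forwarded to target; all others are diverted.`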
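Review bot: Pointing rejected requests at `127.0.0.1:0` is still a dial, not a denial: the proxy's transport attempts an outbound connection for every filtered request, and as far as I can tell from the stdlib `httputil.ReverseProxy` default error handler, the failed dial is answered with 502 rather than 403 and logged as an `http: proxy error:` line each time, so an unwanted client can fill the log at will and operators cannot tell a filtered peer from a dead backend. A Director has no `http.ResponseWriter`, so the check belongs in a handler that runs before the proxy; the sketch below keeps `Build`'s signature, lets the Director return to its pre-series body, and would be wired in main.go as `mux.Handle("/", reverseproxy.Filtered(p, *ipFilter))`. Both ends of this hunk are inside `newDirector`, whose signature and closing brace lie outside it.

```go
// Filtered wraps next so that only requests whose TCP peer address equals
// allowedIP reach it; every other peer is answered with 403 and never dialled.
// An empty allowedIP disables filtering; an unparsable one rejects everything.
func Filtered(next http.Handler, allowedIP string) http.Handler {
	if allowedIP == "" {
		return next
	}
	allowed := net.ParseIP(allowedIP)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || allowed == nil || !allowed.Equal(net.ParseIP(host)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```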