Commit1c32e92

committed

refactor: enhance IP blacklist handling and add panic recovery in middleware

1 parentf45e833 commit1c32e92Copy full SHA for 1c32e92

File tree

+53

-9

lines changed

+53

-9

lines changed

Lines changed: 19 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -65,12 +65,25 @@ func (bl *BlacklistLoader) LoadDNSBlacklistFromFile(path string, dnsBlacklist ma`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`func (m*Middleware)isIPBlacklisted(ipstring)bool {`
`68`		`-ifm.ipBlacklist.Contains(netip.MustParseAddr(ip)) {`
`69`		`-m.muIPBlacklistMetrics.Lock()// Acquire lock before accessing shared counter`
`70`		`-m.IPBlacklistBlockCount++// Increment the counter`
`71`		`-m.muIPBlacklistMetrics.Unlock()// Release lock after accessing counter`
`72`		`-m.logger.Debug("IP blacklist hit",zap.String("ip",ip))// Keep existing debug log`
`73`		`-returntrue// Indicate that the IP is blacklisted`
	`68`	`+// Extract IP address without port`
	`69`	`+cleanIP:=extractIP(ip,m.logger)`
	`70`	`+`
	`71`	`+addr,err:=netip.ParseAddr(cleanIP)`
	`72`	`+iferr!=nil {`
	`73`	`+m.logger.Warn("Failed to parse IP address for blacklist check",`
	`74`	`+zap.String("ip",ip),`
	`75`	`+zap.String("clean_ip",cleanIP),`
	`76`	`+zap.Error(err),`
	`77`	`+)`
	`78`	`+returnfalse`
	`79`	`+}`
	`80`	`+`
	`81`	`+ifm.ipBlacklist.Contains(addr) {`
	`82`	`+m.muIPBlacklistMetrics.Lock()// Acquire lock before accessing shared counter`
	`83`	`+m.IPBlacklistBlockCount++// Increment the counter`
	`84`	`+m.muIPBlacklistMetrics.Unlock()// Release lock after accessing counter`
	`85`	`+m.logger.Debug("IP blacklist hit",zap.String("ip",cleanIP))// Keep existing debug log`
	`86`	`+returntrue// Indicate that the IP is blacklisted`
`74`	`87`	`}`
`75`	`88`	`returnfalse// Indicate that the IP is NOT blacklisted`
`76`	`89`	`}`

Lines changed: 12 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,8 @@ func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error)`
`82`	`82`
`83`	`83`	`func (m*Middleware)Provision(ctx caddy.Context)error {`
`84`	`84`	`m.logger=ctx.Logger(m)`
`85`		`-m.ruleCache=NewRuleCache()// Initialize RuleCache`
	`85`	`+m.ruleCache=NewRuleCache()// Initialize RuleCache`
	`86`	`+m.Rules=make(map[int][]Rule)// Initialize Rules map to prevent nil pointer panic`
`86`	`87`
`87`	`88`	`// Set default log severity if not provided`
`88`	`89`	`ifm.LogSeverity=="" {`
`@@ -466,7 +467,16 @@ func (m *Middleware) loadIPBlacklist(path string, blacklistMap iptrie.Trie) erro`
`466`	`467`
`467`	`468`	`// Convert the map to CIDRTrie`
`468`	`469`	`forip:=rangeblacklist {`
`469`		`-blacklistMap.Insert(netip.MustParsePrefix(ip),nil)`
	`470`	`+// Add /32 suffix if the IP doesn't have CIDR notation`
	`471`	`+if!strings.Contains(ip,"/") {`
	`472`	`+ip=ip+"/32"`
	`473`	`+}`
	`474`	`+prefix,err:=netip.ParsePrefix(ip)`
	`475`	`+iferr!=nil {`
	`476`	`+m.logger.Warn("Skipping invalid IP in blacklist",zap.String("ip",ip),zap.Error(err))`
	`477`	`+continue`
	`478`	`+}`
	`479`	`+blacklistMap.Insert(prefix,nil)`
`470`	`480`	`}`
`471`	`481`	`returnnil`
`472`	`482`	`}`

Lines changed: 22 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,20 @@ type (`
`22`	`22`	`func (mMiddleware)ServeHTTP(w http.ResponseWriter,rhttp.Request,next caddyhttp.Handler)error {`
`23`	`23`	`logID:=uuid.New().String()`
`24`	`24`
	`25`	`+// Add panic recovery to catch and log panics`
	`26`	`+deferfunc() {`
	`27`	`+ifrec:=recover();rec!=nil {`
	`28`	`+m.logger.Error("PANIC in ServeHTTP",`
	`29`	`+zap.String("log_id",logID),`
	`30`	`+zap.Any("panic",rec),`
	`31`	`+zap.Stack("stack"),`
	`32`	`+)`
	`33`	`+// Return 500 error to client`
	`34`	`+w.WriteHeader(http.StatusInternalServerError)`
	`35`	`+w.Write([]byte("Internal Server Error"))`
	`36`	`+}`
	`37`	`+}()`
	`38`	`+`
`25`	`39`	`m.logRequestStart(r,logID)`
`26`	`40`
`27`	`41`	`// Propagate log ID within the request context for logging`
`@@ -152,7 +166,14 @@ func (m Middleware) handleResponseBodyPhase(recorder responseRecorder, r *http`
`152`	`166`	`}`
`153`	`167`	`m.logger.Debug("Response body captured for Phase 4 analysis",zap.String("log_id",logID))`
`154`	`168`
`155`		`-for_,rule:=rangem.Rules[4] {`
	`169`	`+// Check if rules exist for Phase 4 before iterating`
	`170`	`+rules,ok:=m.Rules[4]`
	`171`	`+if!ok\|\|len(rules)==0 {`
	`172`	`+m.logger.Debug("No rules found for Phase 4")`
	`173`	`+return`
	`174`	`+}`
	`175`	`+`
	`176`	`+for_,rule:=rangerules {`
`156`	`177`	`ifrule.regex.MatchString(body) {`
`157`	`178`	`ifm.processRuleMatch(recorder,r,&rule,body,state) {`
`158`	`179`	`return`

Comments

(0)