iTraceur
diff --git a/‎.gitignore
+14 b/‎.gitignore
+14
diff --git a/‎conf/app.example.conf
+33 b/‎conf/app.example.conf
+33
diff --git a/‎conf/nginx.conf
+80 b/‎conf/nginx.conf
+80
diff --git a/‎control
+124 b/‎control
+124
diff --git a/‎controllers/auth_proxy.go
+19 b/‎controllers/auth_proxy.go
+19
diff --git a/‎controllers/control.go
+72 b/‎controllers/control.go
+72
diff --git a/‎controllers/default.go
+19 b/‎controllers/default.go
+19
diff --git a/‎controllers/error.go
+19 b/‎controllers/error.go
+19
@@ -0,0 +1,14 @@
+nginx-http-auth
+conf/app.conf
+gitversion
+nohup.out
+
+*.exe
+*.swp
+*.log
+*.pid
+*.tmp
+
+.idea
+.vscode
+.DS_Store
@@ -0,0 +1,33 @@
+appname = nginx-http-auth
+httpport = 8080
+runmode = dev
+
+# Session
+sessionon = true
+sessionname = SessionID
+sessiongcmaxlifetime = 86400
+sessioncookielifetime = 86400
+sessionprovider = redis
+sessionproviderconfig = "127.0.0.1:6379"
+
+
+# XSRF
+enablexsrf = true
+xsrfkey = 4b6774f328ee1a2f24fcb62842fc0cfc
+xsrfexpire = 86400
+
+
+authAPI = http://127.0.0.1:5000/api/login
+controlUsers = admin;iTraceur;zhaowencheng
+
+[ipControl]
+deny =
+direct = 127.0.0.1;192.168.1.5
+
+[timeControl]
+deny =
+direct =
+
+[userControl]
+deny = test;
+allow =
@@ -0,0 +1,80 @@
+error_log logs/error.log debug;
+
+events { }
+
+http {
+    proxy_cache_path cache/  keys_zone=auth_cache:10m;
+    proxy_headers_hash_max_size 512;
+    proxy_headers_hash_bucket_size 128;
+
+    upstream auth-backend {
+        server 127.0.0.1:8080;
+    }
+
+    server {
+        listen 80;
+
+        location / {
+            auth_request /auth-proxy;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host            $http_host;
+
+            # 认证后端使用了XSRF过滤，使用Nginx内部重定向会导致XSRF验证失效，
+            # 因为，登录页面Get请求是由Nginx完成的，但Post请求是客户端完成的，这两个HTTP请求会分别分配给两个不同beego.Controller实例来处理，
+            # 又因为XSRF Token保存在beego.Controller实例中随机生成的，所以Get和Post请求对应的XSRF Token不一样导致校验失败，
+            # 因此，这里需要使用named location，在named location返回一个302响应，全部由客户端进行重定向和处理XSRF
+	        error_page 401 =200 @error401;
+        }
+
+        location @error401 {
+            # 302跳转后，无法获取到之前的uri来设置X-Target头，因此，在302跳转的url加上target参数以达到相同效果
+            return 302  /passport/login?target=$request_uri;
+        }
+
+        location = /auth-proxy {
+            internal;
+
+            proxy_pass http://auth-backend/auth-proxy;
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+            proxy_set_header X-CookieName "SessionID";
+            proxy_set_header Cookie SessionID=$cookie_SessionID;
+
+            proxy_cache auth_cache;
+            proxy_cache_valid 200 10m;
+            proxy_cache_key "$http_authorization$cookie_SessionID";
+        }
+
+        location /passport/login {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host            $http_host;
+            # proxy_set_header X-Target $request_uri;  # target通过url地址参数target来设置
+            proxy_pass http://auth-backend/passport/login;
+        }
+
+        location /passport/logout {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host            $http_host;
+            proxy_pass http://auth-backend/passport/logout;
+        }
+
+        location /captcha {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host            $http_host;
+            proxy_pass http://auth-backend/captcha;
+        }
+
+        location /favicon.ico {
+            alias /var/www/site/assets/img/favicon.ico;
+            proxy_set_header   Host             $host;
+            proxy_set_header   X-Real-IP        $remote_addr;
+            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+        }
+
+        location /static {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host            $http_host;
+            proxy_pass http://auth-backend/static;
+        }
+    }
+}
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+WORKSPACE=$(cd $(dirname $0)/; pwd)
+cd $WORKSPACE
+
+app=$WORKSPACE"/nginx-http-auth"
+pidfile=$WORKSPACE"/nginx-http-auth.pid"
+logfile=$WORKSPACE"/nginx-http-auth.log"
+conf=$WORKSPACE"/conf/app.conf"
+
+function check_pid() {
+    if [ -f $pidfile ];then
+        pid=`cat $pidfile`
+        if [ -n $pid ]; then
+            running=`ps -p $pid|grep -v "PID TTY" |wc -l`
+            return $running
+        fi
+    fi
+    return 0
+}
+
+function start() {
+    check_pid
+    running=$?
+    if [ $running -gt 0 ];then
+        echo -n "$app now is running already, pid="
+        cat $pidfile
+        return 1
+    fi
+
+    if ! [ -f $conf ];then
+        echo "Config file $conf doesn't exist, creating one."
+        cp $WORKSPACE"/conf/app.example.conf" $conf
+    fi
+    nohup $app &> $logfile &
+    echo $! > $pidfile
+    echo "$app started..., pid=$!"
+}
+
+function stop() {
+    pid=`cat $pidfile`
+    kill $pid
+    echo "$app stoped..."
+}
+
+function restart() {
+    stop
+    sleep 1
+    start
+}
+
+function status() {
+    check_pid
+    running=$?
+    if [ $running -gt 0 ];then
+        echo started
+    else
+        echo stoped
+    fi
+}
+
+function tailf() {
+    tail -f $logfile
+}
+
+function build() {
+    cd $WORKSPACE
+    echo $1
+
+    if [ "$1" == "linux" ] ;then
+        CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
+    elif [ "$1" == "windows" ] ;then
+        CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build
+    else
+        go build
+    fi
+
+    if [ $? -ne 0 ]; then
+        exit $?
+    fi
+}
+
+function pack() {
+    build $1
+    git log -1 --pretty=%h > gitversion
+    version=`$app -v`
+    file_list="nginx-http-auth static views control conf/app.example.conf conf/nginx.conf"
+    echo "...tar $app-$version.tar.gz <= $file_list"
+    tar zcf $app-$version.tar.gz gitversion $file_list
+}
+
+function packbin() {
+    build $1
+    git log -1 --pretty=%h > gitversion
+    version=`$app -v`
+    tar zcvf $app-bin-$version.tar.gz nginx-http-auth gitversion
+}
+
+function help() {
+    echo "$0 build|pack|start|stop|restart|status|tail"
+}
+
+if [ "$1" == "" ]; then
+    help
+elif [ "$1" == "stop" ];then
+    stop
+elif [ "$1" == "start" ];then
+    start
+elif [ "$1" == "restart" ];then
+    restart
+elif [ "$1" == "status" ];then
+    status
+elif [ "$1" == "tail" ];then
+    tailf
+elif [ "$1" == "build" ];then
+    build $2
+elif [ "$1" == "pack" ];then
+    pack $2
+elif [ "$1" == "packbin" ];then
+    packbin $2
+else
+    help
+fi
+
@@ -0,0 +1,19 @@
+package controllers
+
+import (
+	beego "github.com/beego/beego/v2/server/web"
+)
+
+type AuthProxyController struct {
+	beego.Controller
+}
+
+func (this *AuthProxyController) Get() {
+	this.Ctx.Output.Header("Cache-Control", "no-cache")
+	uname := this.GetSession("uname")
+	if uname == nil {
+		this.Ctx.Abort(401, "401")
+		return
+	}
+	this.Ctx.Output.Body([]byte("ok"))
+}
@@ -0,0 +1,72 @@
+package controllers
+
+import (
+	"fmt"
+	"path/filepath"
+	"reflect"
+	"time"
+
+	"github.com/beego/beego/v2/core/logs"
+	beego "github.com/beego/beego/v2/server/web"
+	"github.com/toolkits/file"
+
+	"nginx-http-auth/g"
+	"nginx-http-auth/utils"
+)
+
+type ControlController struct {
+	beego.Controller
+}
+
+func (this *ControlController) Get() {
+	clientIP := this.Ctx.Input.IP()
+	logtime := time.Now().Format("02/Jan/2006 03:04:05")
+
+	uname := this.GetSession("uname")
+	if uname == nil {
+		this.Ctx.Redirect(302, "/passport/login")
+		return
+	}
+
+	controlUsers, err := beego.AppConfig.Strings("controlUsers")
+	if err != nil {
+		logs.Error(err.Error())
+		this.Ctx.Output.SetStatus(500)
+		this.Ctx.WriteString("Internal Server Error")
+		return
+	}
+	if !utils.InSlice(uname.(string), controlUsers) {
+		logs.Debug(uname.(string), controlUsers, controlUsers[0], reflect.TypeOf(controlUsers[0]))
+		this.Ctx.Output.SetStatus(401)
+		this.Ctx.Output.Body([]byte("Not Allowed"))
+		return
+	}
+
+	control := this.Ctx.Input.Param(":control")
+	switch control {
+	case "version":
+		this.Ctx.Output.Body([]byte(g.VERSION))
+	case "health":
+		this.Ctx.Output.Body([]byte("ok"))
+	case "config":
+		var json map[string]interface{}
+		err = beego.AppConfig.Unmarshaler("", &json)
+		if err != nil {
+			logs.Error(err.Error())
+			this.Ctx.Output.SetStatus(500)
+			this.Ctx.WriteString("Internal Server Error")
+			return
+		}
+		this.Data["json"] = json
+		this.ServeJSON()
+	case "reload":
+		err := beego.LoadAppConfig("ini", filepath.Join(file.SelfDir(), "conf/app.conf"))
+		if err != nil {
+			logs.Error(fmt.Sprintf("%s - - [%s] Config reload failed: %s", clientIP, logtime, err.Error()))
+			this.Ctx.Output.Body([]byte("config reload failed"))
+		} else {
+			logs.Notice(fmt.Sprintf("%s - - [%s] Config Reloaded", clientIP, logtime))
+			this.Ctx.Output.Body([]byte("config reloaded"))
+		}
+	}
+}
@@ -0,0 +1,19 @@
+package controllers
+
+import (
+	beego "github.com/beego/beego/v2/server/web"
+	"nginx-http-auth/g"
+)
+
+type MainController struct {
+	beego.Controller
+}
+
+func (this *MainController) Get() {
+	uname := this.GetSession("uname")
+	if uname == nil {
+		this.Ctx.Redirect(302, "/passport/login")
+		return
+	}
+	this.Ctx.Output.Body([]byte("nginx-http-auth, version " + g.VERSION))
+}
@@ -0,0 +1,19 @@
+package controllers
+
+import (
+	beego "github.com/beego/beego/v2/server/web"
+)
+
+type ErrorController struct {
+	beego.Controller
+}
+
+func (this *ErrorController) Error401() {
+	this.Data["content"] = "限制访问，请求被拒绝"
+	this.TplName = "deny.tpl"
+}
+
+func (this *ErrorController) Error403() {
+	this.Data["content"] = "当前时间段不允许访问"
+	this.TplName = "deny.tpl"
+}