diff --git a/.gitignore b/.gitignore
index 0fbb72c..af735e0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,5 +39,7 @@ data
 # DB Folder
 db
-# My Configs
-*.toml
\ No newline at end of file
+# ignore all TOML files…
+*.toml
+# ...but don’t ignore the example files
+!*.toml.example
\ No newline at end of file
diff --git a/checkpoint.js b/checkpoint.js
index fb9cde9..238ea60 100644
--- a/checkpoint.js
+++ b/checkpoint.js
@@ -651,11 +651,23 @@ function CheckpointMiddleware() {
 // 2) Bypass via header keys
 for (const { Name, Value, Domains } of checkpointConfig.BypassHeaderKeys) {
- const headerVal = request.headers.get(Name);
+ // Get header value case-insensitively by checking all headers
+ let headerVal = null;
+ const headersMap = Object.fromEntries([...request.headers.entries()].map(([k, v]) => [k.toLowerCase(), v]));
+ headerVal = headersMap[Name.toLowerCase()] || request.headers.get(Name);
+
+ console.log(`DEBUG - Checking header ${Name}: received="${headerVal}", expected="${Value}", domains=${JSON.stringify(Domains)}`);
+
 if (headerVal === Value) {
+ console.log(`DEBUG - Header value matched for ${Name}`);
 if (!Array.isArray(Domains) || Domains.length === 0 || Domains.includes(host)) {
+ console.log(`DEBUG - Domain check passed for ${host}`);
 return next();
+ } else {
+ console.log(`DEBUG - Domain check failed: ${host} not in ${JSON.stringify(Domains)}`);
 }
+ } else {
+ console.log(`DEBUG - Header value mismatch for ${Name}`);
 }
 }
diff --git a/config/checkpoint.toml b/config/checkpoint.toml
deleted file mode 100644
index 02f5c8e..0000000
--- a/config/checkpoint.toml
+++ /dev/null
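Review bot: The `DEBUG - Checking header` line prints both the received header value and the configured bypass secret `Value` in clear text on every request, so the bypass credential lands in stdout and whatever collects it; log the header name and the outcome only, e.g. `console.log(\`DEBUG - Checking header ${Name}: matched=${headerVal === Value}\`);`, and keep the `matched`/`mismatch`/domain lines behind a debug flag or remove them before merge. The `headersMap` rebuild looks redundant: if `request.headers` is a Fetch-API `Headers` object, `get()` already matches names case-insensitively, so the removed `const headerVal = request.headers.get(Name);` covers what the new comment describes, and the map is otherwise rebuilt from every header once per configured key on every request. Because `Value` is a shared secret, comparing it with `===` is not constant-time; after a length check, `crypto.timingSafeEqual` over `Buffer.from(headerVal)` and `Buffer.from(Value)` is the usual choice. The enclosing `CheckpointMiddleware` body begins and ends outside the hunk.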
@@ -1,114 +0,0 @@
-# =============================================================================
-# CHECKPOINT SECURITY CONFIGURATION
-# =============================================================================
-# This configuration controls the checkpoint security middleware that protects
-# your services with proof-of-work challenges and token-based authentication.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# CORE SETTINGS
-# -----------------------------------------------------------------------------
-[Core]
-# Enable or disable the checkpoint system entirely
-Enabled = true
-
-# Cookie name for storing checkpoint tokens
-CookieName = "checkpoint_token"
-
-# Cookie domain (empty = host-only cookie for localhost)
-# Set to ".yourdomain.com" for all subdomains
-CookieDomain = ""
-
-# Enable URL path sanitization to prevent path traversal attacks
-SanitizeURLs = true
-
-# -----------------------------------------------------------------------------
-# PROOF OF WORK SETTINGS
-# -----------------------------------------------------------------------------
-[ProofOfWork]
-# Number of leading zeros required in the SHA-256 hash
-Difficulty = 4
-
-# Random salt length in bytes
-SaltLength = 16
-
-# Time allowed to solve a challenge before it expires
-ChallengeExpiration = "3m"
-
-# Maximum attempts per IP address per hour
-MaxAttemptsPerHour = 10
-
-# -----------------------------------------------------------------------------
-# PROOF OF SPACE-TIME SETTINGS (Optional additional verification)
-# -----------------------------------------------------------------------------
-[ProofOfSpaceTime]
-# Enable consistency checks for PoS-Time verification
-Enabled = true
-
-# Maximum allowed ratio between slowest and fastest PoS runs
-ConsistencyRatio = 1.35
-
-# -----------------------------------------------------------------------------
-# TOKEN SETTINGS
-# -----------------------------------------------------------------------------
-[Token]
-# How long tokens remain valid
-Expiration = "24h"
-
-# Maximum age for used nonces before cleanup
-MaxNonceAge = "24h"
-
-# -----------------------------------------------------------------------------
-# STORAGE PATHS
-# -----------------------------------------------------------------------------
-[Storage]
-# HMAC secret storage location
-SecretPath = "./data/checkpoint_secret.json"
-
-# Token database directory
-TokenDBPath = "./db/tokenstore"
-
-# Interstitial page templates (in order of preference)
-InterstitialTemplates = [
- "/pages/interstitial/page.html",
- "/pages/ipfilter/default.html"
-]
-
-# -----------------------------------------------------------------------------
-# EXCLUSION RULES
-# -----------------------------------------------------------------------------
-# Define which requests should bypass the checkpoint system.
-# Each rule can specify:
-# - Path (required): URL path or prefix to match
-# - Hosts (optional): Specific hostnames this rule applies to
-# - UserAgents (optional): User-Agent patterns to match
-# -----------------------------------------------------------------------------
-
-[[Exclusion]]
-# Skip checkpoint for all API endpoints (required for Immich and similar apps)
-Path = "/api"
-Hosts = ["gallery.caileb.com"] # Optional: only for specific hosts
-
-[[Exclusion]]
-# Allows Git pushes w/ ForgeJo
-Path = "/info/refs"
-Hosts = ["git.caileb.com"]
-
-# -----------------------------------------------------------------------------
-# BYPASS KEYS
-# -----------------------------------------------------------------------------
-# Special keys that can bypass the checkpoint when provided
-
-[[BypassKeys]]
-# Query parameter bypass
-Type = "query"
-Key = "bypass_key"
-Value = "your-secret-key-here"
-Hosts = ["music.caileb.com"] # Optional: restrict to specific hosts
-
-[[BypassKeys]]
-# Header bypass
-Type = "header"
-Key = "X-Bypass-Token"
-Value = "another-secret-key"
-# Hosts = [] # If empty or omitted, applies to all hosts
\ No newline at end of file
diff --git a/config/ipfilter.toml b/config/ipfilter.toml
deleted file mode 100644
index 4c7f86f..0000000
--- a/config/ipfilter.toml
+++ /dev/null
@@ -1,92 +0,0 @@
-# =============================================================================
-# IP FILTER CONFIGURATION
-# =============================================================================
-# This configuration controls the IP filtering middleware that blocks requests
-# based on geographic location (country/continent) and network (ASN) information.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# CORE SETTINGS
-# -----------------------------------------------------------------------------
-[Core]
-# Enable or disable the IP filter entirely
-Enabled = true
-
-# MaxMind account ID for downloading GeoIP databases
-# Can also be set via MAXMIND_ACCOUNT_ID environment variable or .env file
-AccountID = ""
-
-# MaxMind license key for downloading GeoIP databases
-# Can also be set via MAXMIND_LICENSE_KEY environment variable or .env file
-LicenseKey = ""
-
-# How often to check for database updates (in hours)
-DBUpdateIntervalHours = 12
-
-# -----------------------------------------------------------------------------
-# CACHING SETTINGS
-# -----------------------------------------------------------------------------
-[Cache]
-# TTL for cached IP block decisions (in seconds)
-# 0 = cache indefinitely until server restart
-IPBlockCacheTTLSec = 300
-
-# Maximum number of cached IP decisions
-# 0 = unlimited
-IPBlockCacheMaxEntries = 10000
-
-# -----------------------------------------------------------------------------
-# BLOCKING RULES
-# -----------------------------------------------------------------------------
-[Blocking]
-# ISO country codes to block (2-letter codes)
-CountryCodes = [
- "IN", "BH", "AE", "OM", "QA", "KW", "SA", "YE", "IR", "IQ",
- "LB", "PS", "CY", "TR", "AZ", "AM", "TM", "UZ", "KZ", "KG",
- "TJ", "KE", "ET", "SO", "SD", "SS", "KP", "UA", "IL"
-]
-
-# Continent codes to block
-ContinentCodes = ["AF", "SA", "AS", "AN"]
-
-# Default block page when no specific page is configured
-DefaultBlockPage = "/pages/ipfilter/default.html"
-
-# -----------------------------------------------------------------------------
-# ASN BLOCKING
-# -----------------------------------------------------------------------------
-# Block by Autonomous System Number (ASN)
-# Group ASNs by category for different block pages
-
-# [ASN.Example]
-# Numbers = [12345, 67890]
-# BlockPage = "pages/ipfilter/example.html"
-
-# -----------------------------------------------------------------------------
-# ASN NAME BLOCKING
-# -----------------------------------------------------------------------------
-# Block by ASN organization name patterns
-
-[ASNNames.DataCenter]
-# Block data center and cloud providers
-Patterns = [
- "Cloudflare", "GOOGLE-CLOUD-PLATFORM", "Microsoft", "Amazon", "AWS",
- "Digitalocean", "OVH", "HUAWEI CLOUDS", "HWCLOUDS", "M247",
- "Datacamp", "Datapacket", "Amanah", "Hern Labs"
-]
-BlockPage = "/pages/ipfilter/datacenter.html"
-
-# -----------------------------------------------------------------------------
-# COUNTRY-SPECIFIC BLOCK PAGES
-# -----------------------------------------------------------------------------
-[CountryBlockPages]
-# Custom block pages for specific countries
-IN = "/pages/ipfilter/india.html"
-
-# -----------------------------------------------------------------------------
-# CONTINENT-SPECIFIC BLOCK PAGES
-# -----------------------------------------------------------------------------
-[ContinentBlockPages]
-# Custom block pages for specific continents
-# AS = "pages/ipfilter/asia.html"
-# AF = "pages/ipfilter/africa.html"
\ No newline at end of file
diff --git a/config/proxy.toml b/config/proxy.toml
deleted file mode 100644
index e35793b..0000000
--- a/config/proxy.toml
+++ /dev/null
@@ -1,55 +0,0 @@
-# =============================================================================
-# PROXY CONFIGURATION
-# =============================================================================
-# This configuration controls the reverse proxy middleware that forwards
-# requests to backend services based on hostname mappings.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# CORE SETTINGS
-# -----------------------------------------------------------------------------
-[Core]
-# Enable or disable the proxy middleware
-Enabled = true
-
-# -----------------------------------------------------------------------------
-# TIMEOUT SETTINGS
-# -----------------------------------------------------------------------------
-[Timeouts]
-# WebSocket connection timeout in milliseconds
-WebSocketTimeoutMs = 60000
-
-# Upstream HTTP request timeout in milliseconds
-UpstreamTimeoutMs = 30000
-
-# -----------------------------------------------------------------------------
-# PROXY MAPPINGS
-# -----------------------------------------------------------------------------
-# Map hostnames to backend service URLs
-# Format: "hostname" = "backend_url"
-# -----------------------------------------------------------------------------
-
-[[Mapping]]
-# Immich
-Host = "gallery.caileb.com"
-Target = "http://192.168.0.2:2283"
-
-[[Mapping]]
-# Navidrome
-Host = "music.caileb.com"
-Target = "http://192.168.0.2:4533"
-
-[[Mapping]]
-# ForgeJo
-Host = "git.caileb.com"
-Target = "http://192.168.0.2:3053"
-
-# [[Mapping]]
-# Example: API service
-# Host = "api.example.com"
-# Target = "http://localhost:3001"
-
-# [[Mapping]]
-# Example: Admin panel
-# Host = "admin.example.com"
-# Target = "http://localhost:3002"
\ No newline at end of file
diff --git a/config/stats.toml b/config/stats.toml
deleted file mode 100644
index 3819696..0000000
--- a/config/stats.toml
+++ /dev/null
@@ -1,31 +0,0 @@
-# =============================================================================
-# STATS CONFIGURATION
-# =============================================================================
-# This configuration controls the statistics collection and visualization
-# middleware that tracks events and provides a web UI for viewing metrics.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# CORE SETTINGS
-# -----------------------------------------------------------------------------
-[Core]
-# Enable or disable the stats plugin
-Enabled = true
-
-# -----------------------------------------------------------------------------
-# STORAGE SETTINGS
-# -----------------------------------------------------------------------------
-[Storage]
-# TTL for stats entries
-# Format: "30d", "24h", "1h", etc.
-StatsTTL = "30d"
-
-# -----------------------------------------------------------------------------
-# WEB UI SETTINGS
-# -----------------------------------------------------------------------------
-[WebUI]
-# Path for stats UI
-StatsUIPath = "/stats"
-
-# Path for stats API
-StatsAPIPath = "/stats/api"
\ No newline at end of file