From 3683f95933653b04d9f4f900cccfb5adc59eb9ac Mon Sep 17 00:00:00 2001 From: Jason Cameron Date: Sat, 29 Mar 2025 21:15:50 -0400 Subject: [PATCH] Add middleware to set Cache-Control header for challenge HTML (#132) * Add middleware to set Cache-Control header for challenge HTML * Add `NoStoreCache` middleware function in `internal/headers.go` to set Cache-Control: no-store header * Apply `NoStoreCache` middleware in `cmd/anubis/main.go` to set Cache-Control header for challenge HTML * docs: Add no-cache header information for challenge page * docs: Update changelog to reflect no-store Cache-Control header addition for challenge page * refactor: rename variable for clarity and update caching middleware in RenderIndex * chore: move changes to the unreleased section Signed-off-by: Jason Cameron --------- Signed-off-by: Jason Cameron Signed-off-by: Jason Cameron --- docs/docs/CHANGELOG.md | 1 + internal/headers.go | 9 +++++++++ lib/anubis.go | 13 ++++++++----- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 639d097..db6999a 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +- Added a no-store Cache-Control header to the challenge page - Hide the directory listings for Anubis' internal static content - Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead. diff --git a/internal/headers.go b/internal/headers.go index a48ce54..5c6a218 100644 --- a/internal/headers.go +++ b/internal/headers.go @@ -64,6 +64,15 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler { }) } +// NoStoreCache sets the Cache-Control header to no-store for the response. +func NoStoreCache(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Cache-Control", "no-store") + next.ServeHTTP(w, r) + }) +} + + // Do not allow browsing directory listings in paths that end with / func NoBrowsing(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { diff --git a/lib/anubis.go b/lib/anubis.go index 8d5dac1..114356c 100644 --- a/lib/anubis.go +++ b/lib/anubis.go @@ -162,7 +162,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (s *Server) challengeFor(r *http.Request, difficulty int) string { fp := sha256.Sum256(s.priv.Seed()) - data := fmt.Sprintf( + challengeData := fmt.Sprintf( "Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d", r.Header.Get("Accept-Language"), r.Header.Get("X-Real-Ip"), @@ -171,7 +171,7 @@ func (s *Server) challengeFor(r *http.Request, difficulty int) string { fp, difficulty, ) - return internal.SHA256sum(data) + return internal.SHA256sum(challengeData) } func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) { @@ -326,9 +326,12 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) { } func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request) { - templ.Handler( - web.Base("Making sure you're not a bot!", web.Index()), - ).ServeHTTP(w, r) + handler := internal.NoStoreCache( + templ.Handler( + web.Base("Making sure you\\'re not a bot!", web.Index()), + ), + ) + handler.ServeHTTP(w, r) } func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {