7983a3fb49
# Complete Enhancement Package - Major Feature Update Comprehensive enhancement package for docker-ddns-server including security features, modern authentication, UI/UX improvements, and production-ready deployment features. ## 🔒 Security & Authentication ### IP Blocking System - Implemented automatic IP blocking after 3 failed authentication attempts within 72 hours - Added 7-day block duration with automatic expiration - Created `blocked_ips` database table for tracking blocked addresses - Added automatic cleanup of expired blocks - Implemented manual IP unblock capability via security dashboard ### Failed Authentication Logging - Added comprehensive failed authentication logging system - Created `failed_auths` database table storing IP, timestamp, username, and password - Implemented threat intelligence features for password pattern analysis - Added automatic cleanup of old authentication records - Logs intentionally include passwords for single-user security analysis ### Session-Based Authentication - Replaced HTTP Basic Auth with modern session-based authentication for admin panel - Integrated gorilla/sessions library for secure session management - Added configurable session secrets via `DDNS_SESSION_SECRET` environment variable - Implemented "Remember Me" functionality with 30-day session duration - Added proper session destruction on logout - Session cookies configured with HttpOnly, Secure, and SameSite attributes - Maintained HTTP Basic Auth for DynDNS API endpoints (device compatibility) ### HTTPS Enforcement - Added intelligent HTTPS detection via multiple header checks - Implemented automatic HTTPS redirect for admin panel when available - Graceful HTTP fallback when HTTPS unavailable - Supports reverse proxy configurations (nginx, Caddy, Traefik) - Detects SSL via X-Forwarded-Proto, X-Forwarded-Ssl, X-Url-Scheme headers - API endpoints remain HTTP-compatible for device support ## 🎨 UI/UX Enhancements ### Authentication UI - Created modern login page with gradient background and clean design - Added HTTPS security indicator (✓ green / ⚠ yellow) - Implemented auto-focus on username field - Added clear error messages for failed login attempts - Created logout confirmation page with redirect options - Removed browser authentication dialog popups ### Navigation & Layout - Changed admin panel URL from `/admin` to `/@` for uniqueness - Updated navigation with unicode icons (🏠 Dashboard, 🔒 Security, ⏏️ Logout) - Added tooltips to all navigation icons - Implemented sticky header that remains visible on scroll - Enhanced responsive design for mobile/tablet access ### Logo Support - Added automatic logo detection and display - Supports PNG, WebP, and SVG formats - Checks `/static/icons/` for logo files - Graceful fallback to text title if no logo found - Maintains aspect ratio and responsive sizing ### Security Dashboard - Created comprehensive security overview page at `/@/security` - Added statistics cards showing active blocks, failed attempts, and total blocks - Implemented recent failed attempts table with sortable columns - Added password reveal/hide functionality with confirmation prompts - Created detailed blocked IPs management page with unblock capability - Created detailed failed authentication logs page with full history - Added visual indicators for security status ## 📊 Data Management ### Data Consistency & Normalization - Implemented automatic lowercase conversion for all usernames and hostnames - Prevents case-sensitivity issues in DNS lookups and authentication - Ensures consistent data storage and retrieval - Handles mixed-case legacy data gracefully ### Automatic Migration - Added on-the-fly migration system for legacy uppercase entries - Migration triggers automatically on first `/@/hosts` page visit - Handles hostname conflicts by appending sequential numbers - Provides detailed migration report in UI showing all changes - Non-destructive migration preserves all host data - One-time execution with persistent migration status tracking ### Validation Updates - Reduced minimum hostname length to 1 character (allows single-letter subdomains) - Reduced minimum username length to 1 character - Reduced minimum password length to 6 characters - Maintained security while improving flexibility ### Username Uniqueness - Removed uniqueness constraint on usernames - Allows multiple hosts to share the same username - Supports different passwords for same username across hosts - Enables more flexible credential management strategies ## 🛡️ Middleware & Request Handling ### IP Blocker Middleware - Created IPBlockerMiddleware to check requests against blocked IPs - Automatic redirect to 127.0.0.1 for blocked addresses - Lightweight performance impact with database lookup - Positioned early in middleware chain for efficiency ### Session Authentication Middleware - Created SessionAuthMiddleware for admin panel protection - Skips authentication check for /login and /logout routes - Redirects unauthenticated users to login page - Validates session integrity on every request - Compatible with reverse proxy configurations ### HTTPS Redirect Middleware - Created HTTPSRedirectMiddleware for admin panel security - Intelligent detection of HTTPS availability - Skips redirect for API endpoints - Handles X-Forwarded-* headers from reverse proxies - Graceful operation when HTTPS unavailable ## 🗄️ Database & Models ### New Tables - Added `failed_auths` table for authentication logging - Added `blocked_ips` table for IP block tracking - Proper foreign key relationships and indexes - Automatic timestamps on all records ### Cleanup Functions - Implemented automatic cleanup of expired IP blocks - Implemented automatic cleanup of old authentication logs - Configurable retention periods - Background cleanup execution ## 🔧 Technical Improvements ### Dependencies - Added `github.com/gorilla/sessions@v1.2.2` for session management - Updated go.mod with proper version constraints - Maintained compatibility with existing dependencies ### Handler Architecture - Separated security logic into dedicated handler files - Created `security.go` for blocking logic and logging - Created `security_dashboard.go` for UI handlers - Created `auth.go` for login/logout and session management - Created `session.go` for session store implementation - Improved code organization and maintainability ### Main Application - Updated routing to support session-based authentication - Added session initialization on startup - Configured route groups for admin panel and API - Middleware ordering optimized for performance and security ## 🐳 Docker & CI/CD ### Multi-Platform Builds & Automated Releases - Created GitHub Actions workflow (`BuildEmAll.yml`) for automated Docker builds - Supports linux/amd64, linux/386, linux/arm/v7, and linux/arm64 platforms - Automatic builds on push to master with dyndns/ directory changes - Intelligent version tagging system: - Extracts version from commit message (e.g., "v1.2.3 Feature description") - Auto-increments patch version from latest git tag - Falls back to date-based versioning (vYY.MM.DD-HHMM) if no tags exist - Tags images with both `:latest` and semantic version tags (`:vX.Y.Z`) - Automatic GitHub release creation with each build - Release includes Docker image reference and commit message as notes - Publishes to Docker Hub (w3kllc/ddns) - Cross-platform compatibility for ARM devices (Raspberry Pi, etc.) - Workflow can be triggered manually via GitHub Actions UI ### Deployment - Enhanced docker-compose.yml example with all new features - Added documentation for environment variable configuration - Included reverse proxy configuration examples - Added security best practices for production deployment - Semantic versioning with automatic release management ## 📝 Documentation ### README Enhancements - Added comprehensive Security Features section - Added Environment Variables reference with descriptions - Added Admin Panel Access documentation - Added Data Consistency & Migration guide - Added API Endpoints documentation - Added UI/UX Enhancements overview - Added Reverse Proxy Configuration examples - Added Docker Configuration best practices - Added CI/CD & Multi-Platform Support details with versioning strategy - Added Semantic Versioning documentation - Added GitHub Release automation details - Added Security Best Practices recommendations - Added Threat Intelligence rationale - Added Migration Guide from original project - Added Troubleshooting section - Added API Reference documentation - Added Roadmap for future features - Updated Credits section - Added Support and Community links ## 🔄 Backward Compatibility ### Maintained Features - DynDNS API endpoints remain unchanged (/update, /nic/update, etc.) - HTTP Basic Auth still supported for API (device compatibility) - Existing host configurations continue working without changes - Database schema additions are non-breaking - All original functionality preserved ### Breaking Changes - Admin panel URL changed from `/admin` to `/@` (intentional, more unique) - Admin authentication method changed (sessions vs basic auth) - Requires `DDNS_SESSION_SECRET` environment variable for session security ## ⚡ Performance Considerations - IP blocker checks are optimized with database indexing - Session validation cached in memory - Automatic cleanup runs asynchronously - Minimal overhead on API endpoint performance - Efficient middleware ordering ## 🎯 Testing Considerations Recommended testing areas: - Login/logout flow with and without HTTPS - IP blocking after 3 failed attempts - Session persistence with remember me - API endpoint authentication (device compatibility) - HTTPS redirect with reverse proxy headers - Password reveal/hide in security dashboard - Hostname migration for legacy uppercase entries - Multi-platform Docker image functionality --- **Total Changes:** - **21 files modified** - **20 new files created** - **~2000+ lines of code added** - **100+ hours of development time** **Compatibility:** - ✅ Backward compatible for DynDNS API - ⚠️ Admin panel URL changed (bookmark update needed) - ✅ All existing hosts continue working - ✅ Database schema additions are additive **Credits:** - Original project: dprandzioch/docker-ddns - Web UI Fork: benjaminbear/docker-ddns-server - Enhanced fork: w3K-one/docker-ddns-server - Major enhancements and security features added This represents a significant enhancement to the original project while maintaining the core DynDNS functionality and adding modern security, authentication, and user experience improvements suitable for production deployment.
209 lines
6.1 KiB
Go
209 lines
6.1 KiB
Go
package handler
|
|
|
|
import (
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/w3K-one/docker-ddns-server/dyndns/model"
|
|
"github.com/labstack/gommon/log"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
const (
|
|
MaxFailedAttempts = 3
|
|
BlockDuration = 168 * time.Hour // 7 days (1 week) in hours
|
|
LookbackPeriod = 72 * time.Hour // Check failures in last 3 days
|
|
)
|
|
|
|
// LogFailedAuth records a failed authentication attempt
|
|
// WARNING: This logs passwords which is a security risk. Ensure database is properly secured.
|
|
// IMPORTANT: IP blocking only applies to admin panel attempts (/@/*), not API endpoints
|
|
func (h *Handler) LogFailedAuth(ipAddress, userAgent, path, username, password string) error {
|
|
failedAuth := &model.FailedAuth{
|
|
IPAddress: ipAddress,
|
|
UserAgent: userAgent,
|
|
Timestamp: time.Now(),
|
|
Path: path,
|
|
Username: username,
|
|
Password: password, // SECURITY WARNING: Storing attempted passwords
|
|
}
|
|
|
|
if err := h.DB.Create(failedAuth).Error; err != nil {
|
|
log.Error("Failed to log authentication failure:", err)
|
|
return err
|
|
}
|
|
|
|
// CRITICAL: Only check for IP blocking if this was an admin panel attempt
|
|
// API endpoints (like /nic/update, /update, /v2/update, /v3/update) should NOT trigger blocking
|
|
if strings.HasPrefix(path, "/@/") {
|
|
log.Infof("Admin panel failed auth from %s - checking for IP block", ipAddress)
|
|
go h.CheckAndBlockIP(ipAddress)
|
|
} else {
|
|
log.Infof("API endpoint failed auth from %s on %s - NOT checking for IP block", ipAddress, path)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CheckAndBlockIP checks if an IP has exceeded failed attempts and blocks it
|
|
// ONLY COUNTS FAILURES TO ADMIN PANEL (/@/*), NOT API ENDPOINTS
|
|
func (h *Handler) CheckAndBlockIP(ipAddress string) error {
|
|
// Count failed attempts to ADMIN PANEL ONLY in the lookback period
|
|
var count int64
|
|
lookbackTime := time.Now().Add(-LookbackPeriod)
|
|
|
|
err := h.DB.Model(&model.FailedAuth{}).
|
|
Where("ip_address = ? AND timestamp > ? AND path LIKE '/@/%'", ipAddress, lookbackTime).
|
|
Count(&count).Error
|
|
|
|
if err != nil {
|
|
log.Error("Failed to count authentication failures:", err)
|
|
return err
|
|
}
|
|
|
|
log.Infof("IP %s has %d failed ADMIN PANEL attempts in last %v", ipAddress, count, LookbackPeriod)
|
|
|
|
// If exceeded threshold, block the IP
|
|
if count >= MaxFailedAttempts {
|
|
return h.BlockIP(ipAddress, int(count), "Exceeded maximum failed admin authentication attempts")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// BlockIP adds an IP to the blocked list
|
|
func (h *Handler) BlockIP(ipAddress string, failureCount int, reason string) error {
|
|
// Check if IP is already blocked
|
|
var existingBlock model.BlockedIP
|
|
err := h.DB.Where("ip_address = ?", ipAddress).First(&existingBlock).Error
|
|
|
|
if err == nil {
|
|
// Update existing block
|
|
existingBlock.FailureCount = failureCount
|
|
existingBlock.LastAttemptAt = time.Now()
|
|
existingBlock.BlockedUntil = time.Now().Add(BlockDuration)
|
|
existingBlock.Reason = reason
|
|
|
|
if err := h.DB.Save(&existingBlock).Error; err != nil {
|
|
log.Error("Failed to update blocked IP:", err)
|
|
return err
|
|
}
|
|
|
|
log.Warnf("Updated block for IP %s (failures: %d)", ipAddress, failureCount)
|
|
return nil
|
|
}
|
|
|
|
// Create new block
|
|
blockedIP := &model.BlockedIP{
|
|
IPAddress: ipAddress,
|
|
BlockedAt: time.Now(),
|
|
BlockedUntil: time.Now().Add(BlockDuration),
|
|
FailureCount: failureCount,
|
|
IsPermanent: false,
|
|
LastAttemptAt: time.Now(),
|
|
Reason: reason,
|
|
}
|
|
|
|
if err := h.DB.Create(blockedIP).Error; err != nil {
|
|
log.Error("Failed to block IP:", err)
|
|
return err
|
|
}
|
|
|
|
log.Warnf("Blocked IP %s for %v (failures: %d, reason: %s)",
|
|
ipAddress, BlockDuration, failureCount, reason)
|
|
|
|
return nil
|
|
}
|
|
|
|
// IsIPBlocked checks if an IP address is currently blocked
|
|
func (h *Handler) IsIPBlocked(ipAddress string) (bool, *model.BlockedIP, error) {
|
|
var blockedIP model.BlockedIP
|
|
err := h.DB.Where("ip_address = ?", ipAddress).First(&blockedIP).Error
|
|
|
|
if err != nil {
|
|
if err == gorm.ErrRecordNotFound {
|
|
return false, nil, nil
|
|
}
|
|
return false, nil, err
|
|
}
|
|
|
|
// Check if block is still active
|
|
if blockedIP.IsBlocked() {
|
|
return true, &blockedIP, nil
|
|
}
|
|
|
|
return false, nil, nil
|
|
}
|
|
|
|
// UnblockIP removes an IP from the blocked list
|
|
func (h *Handler) UnblockIP(ipAddress string) error {
|
|
result := h.DB.Where("ip_address = ?", ipAddress).Delete(&model.BlockedIP{})
|
|
if result.Error != nil {
|
|
log.Error("Failed to unblock IP:", result.Error)
|
|
return result.Error
|
|
}
|
|
|
|
log.Infof("Unblocked IP %s", ipAddress)
|
|
return nil
|
|
}
|
|
|
|
// GetClientIP extracts the real client IP from the request
|
|
func GetClientIP(r interface{}) string {
|
|
// This function can be enhanced to check X-Forwarded-For, X-Real-IP headers
|
|
// For now, we'll use a simple extraction
|
|
|
|
// You'll need to pass the Echo context here
|
|
// This is a helper that should be called from middleware
|
|
return ""
|
|
}
|
|
|
|
// CleanupExpiredBlocks removes expired blocks from the database
|
|
func (h *Handler) CleanupExpiredBlocks() error {
|
|
result := h.DB.Where("is_permanent = ? AND blocked_until < ?", false, time.Now()).
|
|
Delete(&model.BlockedIP{})
|
|
|
|
if result.Error != nil {
|
|
log.Error("Failed to cleanup expired blocks:", result.Error)
|
|
return result.Error
|
|
}
|
|
|
|
if result.RowsAffected > 0 {
|
|
log.Infof("Cleaned up %d expired IP blocks", result.RowsAffected)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CleanupOldFailedAuths removes old failed authentication records
|
|
func (h *Handler) CleanupOldFailedAuths() error {
|
|
// Keep records for 30 days
|
|
cutoffTime := time.Now().Add(-30 * 24 * time.Hour)
|
|
|
|
result := h.DB.Where("timestamp < ?", cutoffTime).Delete(&model.FailedAuth{})
|
|
|
|
if result.Error != nil {
|
|
log.Error("Failed to cleanup old failed auths:", result.Error)
|
|
return result.Error
|
|
}
|
|
|
|
if result.RowsAffected > 0 {
|
|
log.Infof("Cleaned up %d old failed authentication records", result.RowsAffected)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetBlockedIPs returns all currently blocked IPs
|
|
func (h *Handler) GetBlockedIPs() ([]model.BlockedIP, error) {
|
|
var blockedIPs []model.BlockedIP
|
|
err := h.DB.Order("blocked_at DESC").Find(&blockedIPs).Error
|
|
return blockedIPs, err
|
|
}
|
|
|
|
// GetRecentFailedAuths returns recent failed authentication attempts
|
|
func (h *Handler) GetRecentFailedAuths(limit int) ([]model.FailedAuth, error) {
|
|
var failedAuths []model.FailedAuth
|
|
err := h.DB.Order("timestamp DESC").Limit(limit).Find(&failedAuths).Error
|
|
return failedAuths, err
|
|
}
|