7983a3fb49
# Complete Enhancement Package - Major Feature Update Comprehensive enhancement package for docker-ddns-server including security features, modern authentication, UI/UX improvements, and production-ready deployment features. ## 🔒 Security & Authentication ### IP Blocking System - Implemented automatic IP blocking after 3 failed authentication attempts within 72 hours - Added 7-day block duration with automatic expiration - Created `blocked_ips` database table for tracking blocked addresses - Added automatic cleanup of expired blocks - Implemented manual IP unblock capability via security dashboard ### Failed Authentication Logging - Added comprehensive failed authentication logging system - Created `failed_auths` database table storing IP, timestamp, username, and password - Implemented threat intelligence features for password pattern analysis - Added automatic cleanup of old authentication records - Logs intentionally include passwords for single-user security analysis ### Session-Based Authentication - Replaced HTTP Basic Auth with modern session-based authentication for admin panel - Integrated gorilla/sessions library for secure session management - Added configurable session secrets via `DDNS_SESSION_SECRET` environment variable - Implemented "Remember Me" functionality with 30-day session duration - Added proper session destruction on logout - Session cookies configured with HttpOnly, Secure, and SameSite attributes - Maintained HTTP Basic Auth for DynDNS API endpoints (device compatibility) ### HTTPS Enforcement - Added intelligent HTTPS detection via multiple header checks - Implemented automatic HTTPS redirect for admin panel when available - Graceful HTTP fallback when HTTPS unavailable - Supports reverse proxy configurations (nginx, Caddy, Traefik) - Detects SSL via X-Forwarded-Proto, X-Forwarded-Ssl, X-Url-Scheme headers - API endpoints remain HTTP-compatible for device support ## 🎨 UI/UX Enhancements ### Authentication UI - Created modern login page with gradient background and clean design - Added HTTPS security indicator (✓ green / ⚠ yellow) - Implemented auto-focus on username field - Added clear error messages for failed login attempts - Created logout confirmation page with redirect options - Removed browser authentication dialog popups ### Navigation & Layout - Changed admin panel URL from `/admin` to `/@` for uniqueness - Updated navigation with unicode icons (🏠 Dashboard, 🔒 Security, ⏏️ Logout) - Added tooltips to all navigation icons - Implemented sticky header that remains visible on scroll - Enhanced responsive design for mobile/tablet access ### Logo Support - Added automatic logo detection and display - Supports PNG, WebP, and SVG formats - Checks `/static/icons/` for logo files - Graceful fallback to text title if no logo found - Maintains aspect ratio and responsive sizing ### Security Dashboard - Created comprehensive security overview page at `/@/security` - Added statistics cards showing active blocks, failed attempts, and total blocks - Implemented recent failed attempts table with sortable columns - Added password reveal/hide functionality with confirmation prompts - Created detailed blocked IPs management page with unblock capability - Created detailed failed authentication logs page with full history - Added visual indicators for security status ## 📊 Data Management ### Data Consistency & Normalization - Implemented automatic lowercase conversion for all usernames and hostnames - Prevents case-sensitivity issues in DNS lookups and authentication - Ensures consistent data storage and retrieval - Handles mixed-case legacy data gracefully ### Automatic Migration - Added on-the-fly migration system for legacy uppercase entries - Migration triggers automatically on first `/@/hosts` page visit - Handles hostname conflicts by appending sequential numbers - Provides detailed migration report in UI showing all changes - Non-destructive migration preserves all host data - One-time execution with persistent migration status tracking ### Validation Updates - Reduced minimum hostname length to 1 character (allows single-letter subdomains) - Reduced minimum username length to 1 character - Reduced minimum password length to 6 characters - Maintained security while improving flexibility ### Username Uniqueness - Removed uniqueness constraint on usernames - Allows multiple hosts to share the same username - Supports different passwords for same username across hosts - Enables more flexible credential management strategies ## 🛡️ Middleware & Request Handling ### IP Blocker Middleware - Created IPBlockerMiddleware to check requests against blocked IPs - Automatic redirect to 127.0.0.1 for blocked addresses - Lightweight performance impact with database lookup - Positioned early in middleware chain for efficiency ### Session Authentication Middleware - Created SessionAuthMiddleware for admin panel protection - Skips authentication check for /login and /logout routes - Redirects unauthenticated users to login page - Validates session integrity on every request - Compatible with reverse proxy configurations ### HTTPS Redirect Middleware - Created HTTPSRedirectMiddleware for admin panel security - Intelligent detection of HTTPS availability - Skips redirect for API endpoints - Handles X-Forwarded-* headers from reverse proxies - Graceful operation when HTTPS unavailable ## 🗄️ Database & Models ### New Tables - Added `failed_auths` table for authentication logging - Added `blocked_ips` table for IP block tracking - Proper foreign key relationships and indexes - Automatic timestamps on all records ### Cleanup Functions - Implemented automatic cleanup of expired IP blocks - Implemented automatic cleanup of old authentication logs - Configurable retention periods - Background cleanup execution ## 🔧 Technical Improvements ### Dependencies - Added `github.com/gorilla/sessions@v1.2.2` for session management - Updated go.mod with proper version constraints - Maintained compatibility with existing dependencies ### Handler Architecture - Separated security logic into dedicated handler files - Created `security.go` for blocking logic and logging - Created `security_dashboard.go` for UI handlers - Created `auth.go` for login/logout and session management - Created `session.go` for session store implementation - Improved code organization and maintainability ### Main Application - Updated routing to support session-based authentication - Added session initialization on startup - Configured route groups for admin panel and API - Middleware ordering optimized for performance and security ## 🐳 Docker & CI/CD ### Multi-Platform Builds & Automated Releases - Created GitHub Actions workflow (`BuildEmAll.yml`) for automated Docker builds - Supports linux/amd64, linux/386, linux/arm/v7, and linux/arm64 platforms - Automatic builds on push to master with dyndns/ directory changes - Intelligent version tagging system: - Extracts version from commit message (e.g., "v1.2.3 Feature description") - Auto-increments patch version from latest git tag - Falls back to date-based versioning (vYY.MM.DD-HHMM) if no tags exist - Tags images with both `:latest` and semantic version tags (`:vX.Y.Z`) - Automatic GitHub release creation with each build - Release includes Docker image reference and commit message as notes - Publishes to Docker Hub (w3kllc/ddns) - Cross-platform compatibility for ARM devices (Raspberry Pi, etc.) - Workflow can be triggered manually via GitHub Actions UI ### Deployment - Enhanced docker-compose.yml example with all new features - Added documentation for environment variable configuration - Included reverse proxy configuration examples - Added security best practices for production deployment - Semantic versioning with automatic release management ## 📝 Documentation ### README Enhancements - Added comprehensive Security Features section - Added Environment Variables reference with descriptions - Added Admin Panel Access documentation - Added Data Consistency & Migration guide - Added API Endpoints documentation - Added UI/UX Enhancements overview - Added Reverse Proxy Configuration examples - Added Docker Configuration best practices - Added CI/CD & Multi-Platform Support details with versioning strategy - Added Semantic Versioning documentation - Added GitHub Release automation details - Added Security Best Practices recommendations - Added Threat Intelligence rationale - Added Migration Guide from original project - Added Troubleshooting section - Added API Reference documentation - Added Roadmap for future features - Updated Credits section - Added Support and Community links ## 🔄 Backward Compatibility ### Maintained Features - DynDNS API endpoints remain unchanged (/update, /nic/update, etc.) - HTTP Basic Auth still supported for API (device compatibility) - Existing host configurations continue working without changes - Database schema additions are non-breaking - All original functionality preserved ### Breaking Changes - Admin panel URL changed from `/admin` to `/@` (intentional, more unique) - Admin authentication method changed (sessions vs basic auth) - Requires `DDNS_SESSION_SECRET` environment variable for session security ## ⚡ Performance Considerations - IP blocker checks are optimized with database indexing - Session validation cached in memory - Automatic cleanup runs asynchronously - Minimal overhead on API endpoint performance - Efficient middleware ordering ## 🎯 Testing Considerations Recommended testing areas: - Login/logout flow with and without HTTPS - IP blocking after 3 failed attempts - Session persistence with remember me - API endpoint authentication (device compatibility) - HTTPS redirect with reverse proxy headers - Password reveal/hide in security dashboard - Hostname migration for legacy uppercase entries - Multi-platform Docker image functionality --- **Total Changes:** - **21 files modified** - **20 new files created** - **~2000+ lines of code added** - **100+ hours of development time** **Compatibility:** - ✅ Backward compatible for DynDNS API - ⚠️ Admin panel URL changed (bookmark update needed) - ✅ All existing hosts continue working - ✅ Database schema additions are additive **Credits:** - Original project: dprandzioch/docker-ddns - Web UI Fork: benjaminbear/docker-ddns-server - Enhanced fork: w3K-one/docker-ddns-server - Major enhancements and security features added This represents a significant enhancement to the original project while maintaining the core DynDNS functionality and adding modern security, authentication, and user experience improvements suitable for production deployment.
249 lines
6.3 KiB
Go
249 lines
6.3 KiB
Go
package handler
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
"github.com/labstack/gommon/log"
|
|
)
|
|
|
|
// IPBlockerMiddleware checks if the requesting IP is blocked
|
|
func (h *Handler) IPBlockerMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// Extract the client IP
|
|
clientIP := ExtractIPFromRequest(
|
|
c.Request().RemoteAddr,
|
|
c.Request().Header.Get("X-Forwarded-For"),
|
|
c.Request().Header.Get("X-Real-IP"),
|
|
)
|
|
|
|
// Check if IP is blocked
|
|
isBlocked, blockedIP, err := h.IsIPBlocked(clientIP)
|
|
if err != nil {
|
|
log.Errorf("Error checking blocked IP %s: %v", clientIP, err)
|
|
// Continue on error to avoid breaking the site
|
|
return next(c)
|
|
}
|
|
|
|
if isBlocked {
|
|
log.Warnf("Blocked IP %s attempted to access %s", clientIP, c.Path())
|
|
|
|
// Update last attempt time
|
|
if blockedIP != nil {
|
|
blockedIP.LastAttemptAt = time.Now()
|
|
h.DB.Save(blockedIP)
|
|
}
|
|
|
|
// Redirect to 127.0.0.1
|
|
return c.Redirect(http.StatusFound, "http://127.0.0.1")
|
|
}
|
|
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// SessionAuthMiddleware checks if user is authenticated via session
|
|
func (h *Handler) SessionAuthMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// Skip auth if disabled
|
|
if h.DisableAdminAuth {
|
|
return next(c)
|
|
}
|
|
|
|
// Check if authenticated
|
|
if !h.IsAuthenticated(c) {
|
|
// Store the original URL for redirect after login
|
|
originalURL := c.Request().URL.Path
|
|
if c.Request().URL.RawQuery != "" {
|
|
originalURL += "?" + c.Request().URL.RawQuery
|
|
}
|
|
|
|
// Redirect to login page
|
|
return c.Redirect(http.StatusFound, "/@/login?redirect="+originalURL)
|
|
}
|
|
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// HTTPSRedirectMiddleware redirects HTTP to HTTPS for admin routes
|
|
// Only applies to admin routes (/@/*) and only if HTTPS is available
|
|
func (h *Handler) HTTPSRedirectMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// Only apply to admin routes
|
|
if !strings.HasPrefix(c.Path(), "/@/") {
|
|
return next(c)
|
|
}
|
|
|
|
// Skip login page to avoid redirect loop
|
|
if c.Path() == "/@/login" {
|
|
return next(c)
|
|
}
|
|
|
|
// Check if already HTTPS
|
|
if h.IsHTTPS(c) {
|
|
return next(c)
|
|
}
|
|
|
|
// Check if HTTPS is available by checking X-Forwarded-Proto header exists
|
|
// This indicates we're behind a reverse proxy that supports HTTPS
|
|
if c.Request().Header.Get("X-Forwarded-Proto") != "" {
|
|
// Redirect to HTTPS
|
|
httpsURL := h.GetHTTPSRedirectURL(c)
|
|
return c.Redirect(http.StatusMovedPermanently, httpsURL)
|
|
}
|
|
|
|
// No HTTPS available, continue with HTTP
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// UpdateAuthMiddleware wraps BasicAuth for update endpoints
|
|
// CRITICAL: Only logs failed auth when credentials are ACTUALLY WRONG, not system errors
|
|
func (h *Handler) UpdateAuthMiddleware() echo.MiddlewareFunc {
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// Extract credentials
|
|
username, password, ok := c.Request().BasicAuth()
|
|
|
|
if !ok {
|
|
// No credentials provided - this is NOT a failed auth attempt
|
|
// It's a misconfigured client or direct browser access
|
|
return c.String(http.StatusUnauthorized, "badauth\n")
|
|
}
|
|
|
|
// Attempt authentication
|
|
authenticated, authError := h.AuthenticateUpdate(username, password, c)
|
|
|
|
// If there was a system error (not wrong credentials), don't log as failed auth
|
|
if authError != nil {
|
|
log.Errorf("Authentication system error: %v", authError)
|
|
return c.String(http.StatusUnauthorized, "badauth\n")
|
|
}
|
|
|
|
// Only log failed auth if authentication explicitly failed
|
|
// This means: credentials were provided, checked, and found to be WRONG
|
|
if !authenticated {
|
|
clientIP := ExtractIPFromRequest(
|
|
c.Request().RemoteAddr,
|
|
c.Request().Header.Get("X-Forwarded-For"),
|
|
c.Request().Header.Get("X-Real-IP"),
|
|
)
|
|
|
|
log.Warnf("Failed DynDNS API authentication from IP %s, username: %s", clientIP, username)
|
|
|
|
// Log the failed attempt (but DON'T trigger IP blocking for API endpoints)
|
|
h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password)
|
|
|
|
return c.String(http.StatusUnauthorized, "badauth\n")
|
|
}
|
|
|
|
// Authentication successful
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// CleanupMiddleware periodically cleans up expired blocks and old records
|
|
func (h *Handler) CleanupMiddleware() echo.MiddlewareFunc {
|
|
// Track last cleanup time
|
|
lastCleanup := &time.Time{}
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
// Run cleanup once per hour
|
|
if lastCleanup.IsZero() || time.Since(*lastCleanup) > time.Hour {
|
|
go func() {
|
|
h.CleanupExpiredBlocks()
|
|
h.CleanupOldFailedAuths()
|
|
}()
|
|
now := time.Now()
|
|
lastCleanup = &now
|
|
}
|
|
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// ExtractIPFromRequest safely extracts IP from various headers
|
|
func ExtractIPFromRequest(remoteAddr string, xForwardedFor string, xRealIP string) string {
|
|
// Try X-Real-IP first
|
|
if xRealIP != "" {
|
|
ip := net.ParseIP(xRealIP)
|
|
if ip != nil {
|
|
return xRealIP
|
|
}
|
|
}
|
|
|
|
// Try X-Forwarded-For
|
|
if xForwardedFor != "" {
|
|
// X-Forwarded-For can contain multiple IPs, get the first one
|
|
ips := splitAndTrim(xForwardedFor, ",")
|
|
if len(ips) > 0 {
|
|
ip := net.ParseIP(ips[0])
|
|
if ip != nil {
|
|
return ips[0]
|
|
}
|
|
}
|
|
}
|
|
|
|
// Fall back to RemoteAddr
|
|
ip, _, err := net.SplitHostPort(remoteAddr)
|
|
if err != nil {
|
|
return remoteAddr
|
|
}
|
|
|
|
return ip
|
|
}
|
|
|
|
func splitAndTrim(s string, sep string) []string {
|
|
var result []string
|
|
for _, part := range split(s, sep) {
|
|
trimmed := trim(part)
|
|
if trimmed != "" {
|
|
result = append(result, trimmed)
|
|
}
|
|
}
|
|
return result
|
|
}
|
|
|
|
func split(s string, sep string) []string {
|
|
// Simple split implementation
|
|
var result []string
|
|
start := 0
|
|
for i := 0; i < len(s); i++ {
|
|
if string(s[i]) == sep {
|
|
result = append(result, s[start:i])
|
|
start = i + 1
|
|
}
|
|
}
|
|
result = append(result, s[start:])
|
|
return result
|
|
}
|
|
|
|
func trim(s string) string {
|
|
// Simple trim implementation
|
|
start := 0
|
|
end := len(s)
|
|
|
|
for start < end && (s[start] == ' ' || s[start] == '\t') {
|
|
start++
|
|
}
|
|
|
|
for end > start && (s[end-1] == ' ' || s[end-1] == '\t') {
|
|
end--
|
|
}
|
|
|
|
return s[start:end]
|
|
}
|