7983a3fb49
# Complete Enhancement Package - Major Feature Update Comprehensive enhancement package for docker-ddns-server including security features, modern authentication, UI/UX improvements, and production-ready deployment features. ## 🔒 Security & Authentication ### IP Blocking System - Implemented automatic IP blocking after 3 failed authentication attempts within 72 hours - Added 7-day block duration with automatic expiration - Created `blocked_ips` database table for tracking blocked addresses - Added automatic cleanup of expired blocks - Implemented manual IP unblock capability via security dashboard ### Failed Authentication Logging - Added comprehensive failed authentication logging system - Created `failed_auths` database table storing IP, timestamp, username, and password - Implemented threat intelligence features for password pattern analysis - Added automatic cleanup of old authentication records - Logs intentionally include passwords for single-user security analysis ### Session-Based Authentication - Replaced HTTP Basic Auth with modern session-based authentication for admin panel - Integrated gorilla/sessions library for secure session management - Added configurable session secrets via `DDNS_SESSION_SECRET` environment variable - Implemented "Remember Me" functionality with 30-day session duration - Added proper session destruction on logout - Session cookies configured with HttpOnly, Secure, and SameSite attributes - Maintained HTTP Basic Auth for DynDNS API endpoints (device compatibility) ### HTTPS Enforcement - Added intelligent HTTPS detection via multiple header checks - Implemented automatic HTTPS redirect for admin panel when available - Graceful HTTP fallback when HTTPS unavailable - Supports reverse proxy configurations (nginx, Caddy, Traefik) - Detects SSL via X-Forwarded-Proto, X-Forwarded-Ssl, X-Url-Scheme headers - API endpoints remain HTTP-compatible for device support ## 🎨 UI/UX Enhancements ### Authentication UI - Created modern login page with gradient background and clean design - Added HTTPS security indicator (✓ green / ⚠ yellow) - Implemented auto-focus on username field - Added clear error messages for failed login attempts - Created logout confirmation page with redirect options - Removed browser authentication dialog popups ### Navigation & Layout - Changed admin panel URL from `/admin` to `/@` for uniqueness - Updated navigation with unicode icons (🏠 Dashboard, 🔒 Security, ⏏️ Logout) - Added tooltips to all navigation icons - Implemented sticky header that remains visible on scroll - Enhanced responsive design for mobile/tablet access ### Logo Support - Added automatic logo detection and display - Supports PNG, WebP, and SVG formats - Checks `/static/icons/` for logo files - Graceful fallback to text title if no logo found - Maintains aspect ratio and responsive sizing ### Security Dashboard - Created comprehensive security overview page at `/@/security` - Added statistics cards showing active blocks, failed attempts, and total blocks - Implemented recent failed attempts table with sortable columns - Added password reveal/hide functionality with confirmation prompts - Created detailed blocked IPs management page with unblock capability - Created detailed failed authentication logs page with full history - Added visual indicators for security status ## 📊 Data Management ### Data Consistency & Normalization - Implemented automatic lowercase conversion for all usernames and hostnames - Prevents case-sensitivity issues in DNS lookups and authentication - Ensures consistent data storage and retrieval - Handles mixed-case legacy data gracefully ### Automatic Migration - Added on-the-fly migration system for legacy uppercase entries - Migration triggers automatically on first `/@/hosts` page visit - Handles hostname conflicts by appending sequential numbers - Provides detailed migration report in UI showing all changes - Non-destructive migration preserves all host data - One-time execution with persistent migration status tracking ### Validation Updates - Reduced minimum hostname length to 1 character (allows single-letter subdomains) - Reduced minimum username length to 1 character - Reduced minimum password length to 6 characters - Maintained security while improving flexibility ### Username Uniqueness - Removed uniqueness constraint on usernames - Allows multiple hosts to share the same username - Supports different passwords for same username across hosts - Enables more flexible credential management strategies ## 🛡️ Middleware & Request Handling ### IP Blocker Middleware - Created IPBlockerMiddleware to check requests against blocked IPs - Automatic redirect to 127.0.0.1 for blocked addresses - Lightweight performance impact with database lookup - Positioned early in middleware chain for efficiency ### Session Authentication Middleware - Created SessionAuthMiddleware for admin panel protection - Skips authentication check for /login and /logout routes - Redirects unauthenticated users to login page - Validates session integrity on every request - Compatible with reverse proxy configurations ### HTTPS Redirect Middleware - Created HTTPSRedirectMiddleware for admin panel security - Intelligent detection of HTTPS availability - Skips redirect for API endpoints - Handles X-Forwarded-* headers from reverse proxies - Graceful operation when HTTPS unavailable ## 🗄️ Database & Models ### New Tables - Added `failed_auths` table for authentication logging - Added `blocked_ips` table for IP block tracking - Proper foreign key relationships and indexes - Automatic timestamps on all records ### Cleanup Functions - Implemented automatic cleanup of expired IP blocks - Implemented automatic cleanup of old authentication logs - Configurable retention periods - Background cleanup execution ## 🔧 Technical Improvements ### Dependencies - Added `github.com/gorilla/sessions@v1.2.2` for session management - Updated go.mod with proper version constraints - Maintained compatibility with existing dependencies ### Handler Architecture - Separated security logic into dedicated handler files - Created `security.go` for blocking logic and logging - Created `security_dashboard.go` for UI handlers - Created `auth.go` for login/logout and session management - Created `session.go` for session store implementation - Improved code organization and maintainability ### Main Application - Updated routing to support session-based authentication - Added session initialization on startup - Configured route groups for admin panel and API - Middleware ordering optimized for performance and security ## 🐳 Docker & CI/CD ### Multi-Platform Builds & Automated Releases - Created GitHub Actions workflow (`BuildEmAll.yml`) for automated Docker builds - Supports linux/amd64, linux/386, linux/arm/v7, and linux/arm64 platforms - Automatic builds on push to master with dyndns/ directory changes - Intelligent version tagging system: - Extracts version from commit message (e.g., "v1.2.3 Feature description") - Auto-increments patch version from latest git tag - Falls back to date-based versioning (vYY.MM.DD-HHMM) if no tags exist - Tags images with both `:latest` and semantic version tags (`:vX.Y.Z`) - Automatic GitHub release creation with each build - Release includes Docker image reference and commit message as notes - Publishes to Docker Hub (w3kllc/ddns) - Cross-platform compatibility for ARM devices (Raspberry Pi, etc.) - Workflow can be triggered manually via GitHub Actions UI ### Deployment - Enhanced docker-compose.yml example with all new features - Added documentation for environment variable configuration - Included reverse proxy configuration examples - Added security best practices for production deployment - Semantic versioning with automatic release management ## 📝 Documentation ### README Enhancements - Added comprehensive Security Features section - Added Environment Variables reference with descriptions - Added Admin Panel Access documentation - Added Data Consistency & Migration guide - Added API Endpoints documentation - Added UI/UX Enhancements overview - Added Reverse Proxy Configuration examples - Added Docker Configuration best practices - Added CI/CD & Multi-Platform Support details with versioning strategy - Added Semantic Versioning documentation - Added GitHub Release automation details - Added Security Best Practices recommendations - Added Threat Intelligence rationale - Added Migration Guide from original project - Added Troubleshooting section - Added API Reference documentation - Added Roadmap for future features - Updated Credits section - Added Support and Community links ## 🔄 Backward Compatibility ### Maintained Features - DynDNS API endpoints remain unchanged (/update, /nic/update, etc.) - HTTP Basic Auth still supported for API (device compatibility) - Existing host configurations continue working without changes - Database schema additions are non-breaking - All original functionality preserved ### Breaking Changes - Admin panel URL changed from `/admin` to `/@` (intentional, more unique) - Admin authentication method changed (sessions vs basic auth) - Requires `DDNS_SESSION_SECRET` environment variable for session security ## ⚡ Performance Considerations - IP blocker checks are optimized with database indexing - Session validation cached in memory - Automatic cleanup runs asynchronously - Minimal overhead on API endpoint performance - Efficient middleware ordering ## 🎯 Testing Considerations Recommended testing areas: - Login/logout flow with and without HTTPS - IP blocking after 3 failed attempts - Session persistence with remember me - API endpoint authentication (device compatibility) - HTTPS redirect with reverse proxy headers - Password reveal/hide in security dashboard - Hostname migration for legacy uppercase entries - Multi-platform Docker image functionality --- **Total Changes:** - **21 files modified** - **20 new files created** - **~2000+ lines of code added** - **100+ hours of development time** **Compatibility:** - ✅ Backward compatible for DynDNS API - ⚠️ Admin panel URL changed (bookmark update needed) - ✅ All existing hosts continue working - ✅ Database schema additions are additive **Credits:** - Original project: dprandzioch/docker-ddns - Web UI Fork: benjaminbear/docker-ddns-server - Enhanced fork: w3K-one/docker-ddns-server - Major enhancements and security features added This represents a significant enhancement to the original project while maintaining the core DynDNS functionality and adding modern security, authentication, and user experience improvements suitable for production deployment.
226 lines
5.8 KiB
Go
226 lines
5.8 KiB
Go
package handler
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
"github.com/labstack/gommon/log"
|
|
)
|
|
|
|
// Session key constants
|
|
const (
|
|
SessionName = "ddns_session"
|
|
SessionUserKey = "user"
|
|
SessionAuthKey = "authenticated"
|
|
SessionCreatedAt = "created_at"
|
|
SessionExpiresAt = "expires_at"
|
|
)
|
|
|
|
// ShowLoginPage renders the login page
|
|
func (h *Handler) ShowLoginPage(c echo.Context) error {
|
|
// Check if already authenticated
|
|
if h.IsAuthenticated(c) {
|
|
return c.Redirect(http.StatusFound, "/@/hosts")
|
|
}
|
|
|
|
// Check if there's an error message from failed login
|
|
errorMsg := c.QueryParam("error")
|
|
|
|
return c.Render(http.StatusOK, "login", echo.Map{
|
|
"title": h.Title,
|
|
"logoPath": h.LogoPath,
|
|
"poweredBy": h.PoweredBy,
|
|
"poweredByUrl": h.PoweredByUrl,
|
|
"error": errorMsg,
|
|
})
|
|
}
|
|
|
|
// HandleLogin processes login form submission
|
|
func (h *Handler) HandleLogin(c echo.Context) error {
|
|
username := c.FormValue("username")
|
|
password := c.FormValue("password")
|
|
rememberMe := c.FormValue("remember_me") == "on"
|
|
|
|
// Get client IP for logging
|
|
clientIP := ExtractIPFromRequest(
|
|
c.Request().RemoteAddr,
|
|
c.Request().Header.Get("X-Forwarded-For"),
|
|
c.Request().Header.Get("X-Real-IP"),
|
|
)
|
|
|
|
// Validate credentials
|
|
authenticated, err := h.authByEnv(username, password)
|
|
if err != nil {
|
|
log.Error("Authentication error:", err)
|
|
h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password)
|
|
return c.Redirect(http.StatusFound, "/@/login?error=authentication_error")
|
|
}
|
|
|
|
if !authenticated {
|
|
log.Warnf("Failed login attempt from IP %s, username: %s", clientIP, username)
|
|
h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password)
|
|
return c.Redirect(http.StatusFound, "/@/login?error=invalid_credentials")
|
|
}
|
|
|
|
// Authentication successful - create session
|
|
sess, err := h.GetSession(c)
|
|
if err != nil {
|
|
log.Error("Session creation error:", err)
|
|
return c.Redirect(http.StatusFound, "/@/login?error=session_error")
|
|
}
|
|
|
|
// Set session values
|
|
sess.Values[SessionUserKey] = username
|
|
sess.Values[SessionAuthKey] = true
|
|
sess.Values[SessionCreatedAt] = time.Now().Unix()
|
|
|
|
// Set expiration based on remember me
|
|
if rememberMe {
|
|
sess.Options.MaxAge = 30 * 24 * 60 * 60 // 30 days
|
|
sess.Values[SessionExpiresAt] = time.Now().Add(30 * 24 * time.Hour).Unix()
|
|
} else {
|
|
sess.Options.MaxAge = 24 * 60 * 60 // 24 hours
|
|
sess.Values[SessionExpiresAt] = time.Now().Add(24 * time.Hour).Unix()
|
|
}
|
|
|
|
// Set secure flag if using HTTPS
|
|
if h.IsHTTPS(c) {
|
|
sess.Options.Secure = true
|
|
}
|
|
|
|
// Save session
|
|
if err := sess.Save(c.Request(), c.Response()); err != nil {
|
|
log.Error("Session save error:", err)
|
|
return c.Redirect(http.StatusFound, "/@/login?error=session_error")
|
|
}
|
|
|
|
log.Infof("Successful login from IP %s, username: %s", clientIP, username)
|
|
|
|
// Redirect to originally requested page or default to hosts
|
|
redirect := c.QueryParam("redirect")
|
|
if redirect == "" || redirect == "/@/login" {
|
|
redirect = "/@/hosts"
|
|
}
|
|
return c.Redirect(http.StatusFound, redirect)
|
|
}
|
|
|
|
// HandleLogout destroys the session and logs out the user
|
|
func (h *Handler) HandleLogout(c echo.Context) error {
|
|
sess, err := h.GetSession(c)
|
|
if err == nil {
|
|
// Get username before destroying session
|
|
username := "unknown"
|
|
if user, ok := sess.Values[SessionUserKey].(string); ok {
|
|
username = user
|
|
}
|
|
|
|
// Destroy session
|
|
sess.Options.MaxAge = -1
|
|
sess.Values = make(map[interface{}]interface{})
|
|
sess.Save(c.Request(), c.Response())
|
|
|
|
if username != "" {
|
|
log.Infof("User %s logged out", username)
|
|
}
|
|
}
|
|
|
|
// Clear session cookie
|
|
c.SetCookie(&http.Cookie{
|
|
Name: SessionName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: h.IsHTTPS(c),
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
// ALWAYS render logout page (not redirect)
|
|
// Pass LogoutUrl so JavaScript can handle delayed redirect
|
|
return c.Render(http.StatusOK, "logout", echo.Map{
|
|
"title": h.Title,
|
|
"logoPath": h.LogoPath,
|
|
"logoutUrl": h.LogoutUrl, // Pass the logout URL to template
|
|
"poweredBy": h.PoweredBy,
|
|
"poweredByUrl": h.PoweredByUrl,
|
|
})
|
|
}
|
|
|
|
// IsAuthenticated checks if the current session is authenticated
|
|
func (h *Handler) IsAuthenticated(c echo.Context) bool {
|
|
if h.DisableAdminAuth {
|
|
return true
|
|
}
|
|
|
|
sess, err := h.GetSession(c)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
// Check if authenticated
|
|
authenticated, ok := sess.Values[SessionAuthKey].(bool)
|
|
if !ok || !authenticated {
|
|
return false
|
|
}
|
|
|
|
// Check if session has expired
|
|
if expiresAt, ok := sess.Values[SessionExpiresAt].(int64); ok {
|
|
if time.Now().Unix() > expiresAt {
|
|
log.Info("Session expired")
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// GetSession retrieves or creates a session for the request
|
|
func (h *Handler) GetSession(c echo.Context) (*Session, error) {
|
|
return h.SessionStore.Get(c.Request(), SessionName)
|
|
}
|
|
|
|
// GenerateCSRFToken generates a random CSRF token
|
|
func GenerateCSRFToken() (string, error) {
|
|
b := make([]byte, 32)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.URLEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
// IsHTTPS checks if the request came via HTTPS
|
|
// Checks both direct HTTPS and reverse proxy headers
|
|
func (h *Handler) IsHTTPS(c echo.Context) bool {
|
|
// Check if direct HTTPS
|
|
if c.Request().TLS != nil {
|
|
return true
|
|
}
|
|
|
|
// Check reverse proxy headers
|
|
proto := c.Request().Header.Get("X-Forwarded-Proto")
|
|
if proto == "https" {
|
|
return true
|
|
}
|
|
|
|
// Check other common headers
|
|
if c.Request().Header.Get("X-Forwarded-Ssl") == "on" {
|
|
return true
|
|
}
|
|
|
|
if c.Request().Header.Get("X-Url-Scheme") == "https" {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// GetHTTPSRedirectURL constructs the HTTPS version of the current URL
|
|
func (h *Handler) GetHTTPSRedirectURL(c echo.Context) string {
|
|
host := c.Request().Host
|
|
uri := c.Request().RequestURI
|
|
return "https://" + host + uri
|
|
}
|