akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
debd0d98fcb02f6369415e98579aa17ee54694bc
caddy-proxy-manager/proxy.ts
fuomag9 debd0d98fc security: fix 17 vulnerabilities from comprehensive pentest 
Fixes identified from full security audit covering auth, crypto,
injection, infrastructure, and configuration security.

Critical:
- C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging)
- C3: Validate API token expires_at (reject invalid dates that bypass expiry)

High:
- H1: Refresh JWT role from DB on each session (reflect demotions immediately)
- H2: Docker socket proxy for l4-port-manager (restrict API surface)
- H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine)
- H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host
- H8: Semantic validation of sync payload (block metadata SSRF, size limits)

Medium:
- M3: Rate limit password change current-password verification
- M5: Parameterized SQL in log/waf parsers (replace template literals)
- M6: Nonce-based CSP replacing unsafe-inline for script-src
- M9: Strip Caddy placeholders from rewrite path_prefix
- M10: Sanitize authentik outpostDomain (path traversal, placeholders)
- M14: Deny access on missing JWT role instead of defaulting to "user"

Low:
- L1: Require Origin header on mutating session-authenticated requests
- L4: Enforce password complexity on user password changes
- L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01)
- L6: Escape LIKE metacharacters in audit log search
- L7: Runtime-validate WAF excluded_rule_ids as positive integers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:14:44 +01:00

92 lines
2.8 KiB
TypeScript
Raw Blame History

import { auth } from "@/src/lib/auth";
import { NextResponse } from "next/server";
import crypto from "node:crypto";
/**
* Next.js Proxy for route protection.
* Provides defense-in-depth by checking authentication at the edge
* before requests reach page components.
*
* Note: Proxy always runs on Node.js runtime.
*/
const isDev = process.env.NODE_ENV === "development";
/**
* M6: Build a nonce-based Content-Security-Policy per request.
* Next.js reads the nonce from the CSP request header and applies it
* to all inline scripts it generates.
*/
function buildCsp(nonce: string): string {
const directives = [
"default-src 'self'",
isDev
? `script-src 'self' 'nonce-${nonce}' 'unsafe-eval'`
: `script-src 'self' 'nonce-${nonce}'`,
// style-src still needs 'unsafe-inline' for React JSX inline style props
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data: blob:",
"worker-src blob:",
"connect-src 'self'",
"frame-ancestors 'none'",
];
return directives.join("; ");
}
export default auth((req) => {
const isAuthenticated = !!req.auth;
const pathname = req.nextUrl.pathname;
// Allow public routes
if (
pathname === "/login" ||
pathname.startsWith("/api/auth") ||
pathname === "/api/health" ||
pathname === "/api/instances/sync" ||
pathname.startsWith("/api/v1/")
) {
return NextResponse.next();
}
// Redirect unauthenticated users to login
if (!isAuthenticated && !pathname.startsWith("/login")) {
const loginUrl = new URL("/login", req.url);
return NextResponse.redirect(loginUrl);
}
// Generate per-request nonce for CSP
const nonce = crypto.randomBytes(16).toString("base64");
const csp = buildCsp(nonce);
// Set CSP as a request header so Next.js can read the nonce
const requestHeaders = new Headers(req.headers);
requestHeaders.set("Content-Security-Policy", csp);
const response = NextResponse.next({
request: { headers: requestHeaders },
});
// Also set CSP as a response header for browser enforcement
response.headers.set("Content-Security-Policy", csp);
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("X-Frame-Options", "DENY");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()");
return response;
});
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* - public folder
*/
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
],
};
Reference in New Issue View Git Blame Copy Permalink