RC-0.3.0 (2)

2025-06-17 17:40:07 +02:00
parent 01b0b8228e
commit e074327e49
3 changed files with 81 additions and 60 deletions
--- a/main.go
+++ b/main.go
@@ -19,8 +19,61 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/redis/go-redis/v9"
+	"github.com/yl2chen/cidranger"
 )

+// ──────────────────────────────────────────────
+// Ranger-Cache (statt prefixCache)
+// ──────────────────────────────────────────────
+type rangerCacheEntry struct {
+	ranger   cidranger.Ranger
+	expireAt time.Time
+}
+
+var (
+	rangerCache   = map[string]rangerCacheEntry{}
+	rangerCacheMu sync.RWMutex
+)
+
+// buildCategoryRanger holt alle CIDRs aus Redis, baut einen PCTrie
+// und legt ihn 10 Minuten im Cache ab.
+func buildCategoryRanger(cat string) (cidranger.Ranger, error) {
+	rangerCacheMu.Lock()
+	// Cache-Hit?
+	if e, ok := rangerCache[cat]; ok && time.Now().Before(e.expireAt) {
+		rangerCacheMu.Unlock()
+		return e.ranger, nil
+	}
+	rangerCacheMu.Unlock()
+
+	// Redis auslesen
+	keys, err := rdb.HKeys(ctx, "bl:"+cat).Result()
+	if err != nil {
+		return nil, err
+	}
+
+	r := cidranger.NewPCTrieRanger()
+	for _, k := range keys {
+		k = strings.TrimSpace(k)
+		_, ipNet, err := net.ParseCIDR(k)
+		if err != nil {
+			fmt.Printf("⚠️ Ungültiger Redis-Prefix %s: %s\n", cat, k)
+			continue
+		}
+		_ = r.Insert(cidranger.NewBasicRangerEntry(*ipNet))
+	}
+
+	// Cache aktualisieren
+	rangerCacheMu.Lock()
+	rangerCache[cat] = rangerCacheEntry{
+		ranger:   r,
+		expireAt: time.Now().Add(10 * time.Minute),
+	}
+	rangerCacheMu.Unlock()
+
+	return r, nil
+}
+
 // Redis + Context
 var ctx = context.Background()
 var rdb = redis.NewClient(&redis.Options{
@@ -61,17 +114,6 @@ var blocklistURLs = map[string]string{
 	"bitwire": "https://raw.githubusercontent.com/bitwire-it/ipblocklist/refs/heads/main/ip-list.txt",
 }

-// Präfix-Cache
-type prefixCacheEntry struct {
-	prefixes []netip.Prefix
-	expireAt time.Time
-}
-
-var (
-	prefixCache   = map[string]prefixCacheEntry{}
-	prefixCacheMu sync.RWMutex
-)
-
 // Prometheus Metriken
 var (
 	checkRequests = prometheus.NewCounter(prometheus.CounterOpts{
@@ -311,10 +353,6 @@ func handleWhitelist(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "redis error", http.StatusInternalServerError)
 		return
 	}
-
-	// Optional: Cache leeren für die IP
-	prefixCacheMu.Lock()
-	defer prefixCacheMu.Unlock()
 	// Kein spezifischer IP-Cache in deinem Design, aber hier könnte man Cache invalidieren falls nötig

 	writeJSON(w, map[string]string{
@@ -334,7 +372,7 @@ func handleCheck(w http.ResponseWriter, r *http.Request) {
 	}

 	var cats []string
-	for a, _ := range blocklistURLs {
+	for a := range blocklistURLs {
 		cats = append(cats, a)
 	}

@@ -366,6 +404,12 @@ func handleTraefik(w http.ResponseWriter, r *http.Request) {
 	if ipStr == "" {
 		ipStr = r.RemoteAddr
 	}
+	ipStr = strings.TrimSpace(strings.Split(ipStr, ",")[0]) // evtl. mehrere IPs
+
+	// Port abschneiden – funktioniert für IPv4 und IPv6:
+	if host, _, err := net.SplitHostPort(ipStr); err == nil {
+		ipStr = host
+	}
 	ip, err := netip.ParseAddr(ipStr)
 	if err != nil {
 		http.Error(w, "invalid IP", http.StatusBadRequest)
@@ -373,7 +417,7 @@ func handleTraefik(w http.ResponseWriter, r *http.Request) {
 	}

 	var cats []string
-	for a, _ := range blocklistURLs {
+	for a := range blocklistURLs {
 		cats = append(cats, a)
 	}

@@ -400,59 +444,28 @@ func handleTraefik(w http.ResponseWriter, r *http.Request) {

 // Check-Logik
 func checkIP(ip netip.Addr, cats []string) ([]string, error) {
-	wl, err := rdb.Exists(ctx, "wl:"+ip.String()).Result()
-	if err != nil {
-		return nil, err
+	// Whitelist zuerst prüfen
+	if wl, err := rdb.Exists(ctx, "wl:"+ip.String()).Result(); err == nil && wl > 0 {
+		return nil, nil
 	}
-	if wl > 0 {
-		return []string{}, nil
-	}
-	matches := []string{}
+
+	var matches []string
+	needle := net.IP(ip.AsSlice())
+
 	for _, cat := range cats {
-		prefixes, err := loadCategoryPrefixes(cat)
+		r, err := buildCategoryRanger(cat)
 		if err != nil {
 			return nil, err
 		}
-		for _, pfx := range prefixes {
-			if pfx.Contains(ip) {
-				fmt.Printf("💡 MATCH: %s in %s (%s)\n", ip, cat, pfx)
-				matches = append(matches, cat)
-				break
-			}
+		ok, _ := r.Contains(needle)
+		if ok {
+			fmt.Printf("💡 MATCH: %s in %s\n", ip, cat)
+			matches = append(matches, cat)
 		}
 	}
 	return matches, nil
 }

-func loadCategoryPrefixes(cat string) ([]netip.Prefix, error) {
-	prefixCacheMu.Lock()
-	defer prefixCacheMu.Unlock()
-	entry, ok := prefixCache[cat]
-	if ok && time.Now().Before(entry.expireAt) {
-		return entry.prefixes, nil
-	}
-	keys, err := rdb.HKeys(ctx, "bl:"+cat).Result()
-	if err != nil {
-		return nil, err
-	}
-	var prefixes []netip.Prefix
-	for _, k := range keys {
-		k = strings.TrimSpace(k)
-		pfx, err := netip.ParsePrefix(k)
-		if err == nil {
-			prefixes = append(prefixes, pfx)
-		} else {
-			fmt.Printf("⚠️ Ungültiger Redis-Prefix %s: %s\n", cat, k)
-		}
-	}
-	prefixCache[cat] = prefixCacheEntry{
-		prefixes: prefixes,
-		expireAt: time.Now().Add(10 * time.Minute),
-		//Hier geändert von 1 * time.Second
-	}
-	return prefixes, nil
-}
-
 // JSON-Helfer
 func writeJSON(w http.ResponseWriter, v any) {
 	w.Header().Set("Content-Type", "application/json")