jbergner
042bbc1c27
All checks were successful
release-tag / release-image (push) Successful in 1m38s
467 lines
13 KiB
Go
467 lines
13 KiB
Go
package main
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/netip"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
|
"github.com/redis/go-redis/v9"
|
|
)
|
|
|
|
// Redis + Context
|
|
var ctx = context.Background()
|
|
var rdb = redis.NewClient(&redis.Options{
|
|
Addr: "redis:6379",
|
|
})
|
|
|
|
// URLs der Blocklisten
|
|
var blocklistURLs = map[string]string{
|
|
"bitwire": "https://raw.githubusercontent.com/bitwire-it/ipblocklist/refs/heads/main/ip-list.txt",
|
|
"ipv64_ru": "https://ipv64.net/blocklists/countries/ipv64_blocklist_RU.txt",
|
|
"ipv64_cn": "https://ipv64.net/blocklists/countries/ipv64_blocklist_CN.txt",
|
|
"blocklist_de_ssh": "https://lists.blocklist.de/lists/ssh.txt",
|
|
"blocklist_de_mail": "https://lists.blocklist.de/lists/mail.txt",
|
|
"blocklist_de_apache": "https://lists.blocklist.de/lists/apache.txt",
|
|
"blocklist_de_imap": "https://lists.blocklist.de/lists/imap.txt",
|
|
"blocklist_de_ftp": "https://lists.blocklist.de/lists/ftp.txt",
|
|
"blocklist_de_sip": "https://lists.blocklist.de/lists/sip.txt",
|
|
"blocklist_de_bots": "https://lists.blocklist.de/lists/bots.txt",
|
|
"blocklist_de_strongips": "https://lists.blocklist.de/lists/strongips.txt",
|
|
"blocklist_de_bruteforcelogin": "https://lists.blocklist.de/lists/bruteforcelogin.txt",
|
|
"firehol_org_level1": "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset",
|
|
"firehol_org_botscout_30d": "https://iplists.firehol.org/files/botscout_30d.ipset",
|
|
"firehol_org_cleantalk_30d": "https://iplists.firehol.org/files/cleantalk_30d.ipset",
|
|
"firehol_org_cleantalk_new_30d": "https://iplists.firehol.org/files/cleantalk_new_30d.ipset",
|
|
"firehol_org_abuse_30d": "https://iplists.firehol.org/files/firehol_abusers_30d.netset",
|
|
"firehol_org_gpf_comics": "https://iplists.firehol.org/files/gpf_comics.ipset",
|
|
"firehol_org_stopforumspam_365d": "https://iplists.firehol.org/files/stopforumspam_365d.ipset",
|
|
"firehol_org_tor_exit_30d": "https://iplists.firehol.org/files/tor_exits_30d.ipset",
|
|
"firehol_org_shield_30d": "https://iplists.firehol.org/files/dshield_30d.netset",
|
|
"firehol_org_firehol_webserver": "https://iplists.firehol.org/files/firehol_webserver.netset",
|
|
"firehol_org_php_dictionary_30d": "https://iplists.firehol.org/files/php_dictionary_30d.ipset",
|
|
"firehol_org_php_harvesters_30d": "https://iplists.firehol.org/files/php_harvesters_30d.ipset",
|
|
"firehol_org_php_spammers_30d": "https://iplists.firehol.org/files/php_spammers_30d.ipset",
|
|
}
|
|
|
|
// Präfix-Cache
|
|
type prefixCacheEntry struct {
|
|
prefixes []netip.Prefix
|
|
expireAt time.Time
|
|
}
|
|
|
|
var (
|
|
prefixCache = map[string]prefixCacheEntry{}
|
|
prefixCacheMu sync.Mutex
|
|
)
|
|
|
|
// Prometheus Metriken
|
|
var (
|
|
checkRequests = prometheus.NewCounter(prometheus.CounterOpts{
|
|
Name: "ipcheck_requests_total",
|
|
Help: "Total IP check requests",
|
|
})
|
|
checkBlocked = prometheus.NewCounter(prometheus.CounterOpts{
|
|
Name: "ipcheck_blocked_total",
|
|
Help: "Total blocked IPs",
|
|
})
|
|
checkWhitelist = prometheus.NewCounter(prometheus.CounterOpts{
|
|
Name: "ipcheck_whitelisted_total",
|
|
Help: "Total whitelisted IPs",
|
|
})
|
|
)
|
|
|
|
func init() {
|
|
prometheus.MustRegister(checkRequests, checkBlocked, checkWhitelist)
|
|
}
|
|
|
|
// Main
|
|
func main() {
|
|
// Import Blocklisten
|
|
if err := importBlocklists(); err != nil {
|
|
fmt.Println("Blocklisten-Import FEHLGESCHLAGEN:", err)
|
|
return
|
|
}
|
|
|
|
// Server
|
|
http.HandleFunc("/", handleGUI)
|
|
http.HandleFunc("/whitelist", handleWhitelist)
|
|
http.HandleFunc("/check/", handleCheck)
|
|
http.HandleFunc("/traefik", handleTraefik)
|
|
http.Handle("/metrics", promhttp.Handler())
|
|
|
|
fmt.Println("Server läuft auf :8080")
|
|
http.ListenAndServe(":8080", nil)
|
|
}
|
|
|
|
// Import-Logik
|
|
func importBlocklists() error {
|
|
var wg sync.WaitGroup
|
|
errCh := make(chan error, len(blocklistURLs))
|
|
|
|
for cat, url := range blocklistURLs {
|
|
wg.Add(1)
|
|
go func(c, u string) {
|
|
defer wg.Done()
|
|
if err := importCategory(c, u); err != nil {
|
|
errCh <- fmt.Errorf("%s: %v", c, err)
|
|
}
|
|
}(cat, url)
|
|
}
|
|
|
|
wg.Wait()
|
|
close(errCh)
|
|
|
|
for err := range errCh {
|
|
fmt.Println("❌", err)
|
|
}
|
|
|
|
if len(errCh) > 0 {
|
|
return fmt.Errorf("Blocklisten-Import teilweise fehlgeschlagen")
|
|
}
|
|
fmt.Println("✅ Blocklisten-Import abgeschlossen")
|
|
blocklistURLs["flodpod"] = "null"
|
|
return nil
|
|
}
|
|
|
|
func importCategory(cat, url string) error {
|
|
fmt.Printf("⬇️ Lade %s (%s)\n", cat, url)
|
|
resp, err := http.Get(url)
|
|
if err != nil {
|
|
return fmt.Errorf("HTTP-Fehler: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != 200 {
|
|
return fmt.Errorf("HTTP %d", resp.StatusCode)
|
|
}
|
|
|
|
scanner := bufio.NewScanner(resp.Body)
|
|
pipe := rdb.Pipeline()
|
|
count, batchCount := 0, 0
|
|
const batchSize = 500
|
|
|
|
for scanner.Scan() {
|
|
line := strings.TrimSpace(scanner.Text())
|
|
if line == "" || strings.HasPrefix(line, "#") {
|
|
continue
|
|
}
|
|
prefix, valid := normalizePrefix(line)
|
|
if !valid {
|
|
fmt.Printf("⚠️ Ungültig %s: %s\n", cat, line)
|
|
continue
|
|
}
|
|
pipe.HSet(ctx, "bl:"+cat, prefix, 1)
|
|
count++
|
|
batchCount++
|
|
if batchCount >= batchSize {
|
|
if _, err := pipe.Exec(ctx); err != nil {
|
|
return fmt.Errorf("Redis-Fehler: %v", err)
|
|
}
|
|
batchCount = 0
|
|
}
|
|
if count%1000 == 0 {
|
|
fmt.Printf("📈 [%s] %d Einträge\n", cat, count)
|
|
}
|
|
}
|
|
if err := scanner.Err(); err != nil {
|
|
return fmt.Errorf("lesefehler: %v", err)
|
|
}
|
|
if batchCount > 0 {
|
|
if _, err := pipe.Exec(ctx); err != nil {
|
|
return fmt.Errorf("Redis-Fehler final: %v", err)
|
|
}
|
|
}
|
|
fmt.Printf("✅ [%s] %d Einträge importiert\n", cat, count)
|
|
return nil
|
|
}
|
|
|
|
func normalizePrefix(s string) (string, bool) {
|
|
if !strings.Contains(s, "/") {
|
|
ip := net.ParseIP(s)
|
|
if ip == nil {
|
|
return "", false
|
|
}
|
|
if ip.To4() != nil {
|
|
s += "/32"
|
|
} else {
|
|
s += "/128"
|
|
}
|
|
}
|
|
s = strings.TrimSpace(s)
|
|
_, err := netip.ParsePrefix(s)
|
|
return s, err == nil
|
|
}
|
|
|
|
func handleWhitelist(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
var body struct {
|
|
IP string `json:"ip"`
|
|
}
|
|
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
|
http.Error(w, "bad request", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
addr, err := netip.ParseAddr(body.IP)
|
|
if err != nil {
|
|
http.Error(w, "invalid IP", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
key := "wl:" + addr.String()
|
|
if err := rdb.Set(ctx, key, "1", 0).Err(); err != nil {
|
|
http.Error(w, "redis error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Optional: Cache leeren für die IP
|
|
prefixCacheMu.Lock()
|
|
defer prefixCacheMu.Unlock()
|
|
// Kein spezifischer IP-Cache in deinem Design, aber hier könnte man Cache invalidieren falls nötig
|
|
|
|
writeJSON(w, map[string]string{
|
|
"status": "whitelisted",
|
|
"ip": addr.String(),
|
|
})
|
|
}
|
|
|
|
// Check-Handler
|
|
func handleCheck(w http.ResponseWriter, r *http.Request) {
|
|
checkRequests.Inc()
|
|
ipStr := strings.TrimPrefix(r.URL.Path, "/check/")
|
|
ip, err := netip.ParseAddr(ipStr)
|
|
if err != nil {
|
|
http.Error(w, "invalid IP", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
var cats []string
|
|
for a, _ := range blocklistURLs {
|
|
cats = append(cats, a)
|
|
}
|
|
|
|
//cats := []string{"firehol", "bitwire", "RU", "CN"}
|
|
matches, err := checkIP(ip, cats)
|
|
if err != nil {
|
|
http.Error(w, "server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if len(matches) > 0 {
|
|
checkBlocked.Inc()
|
|
} else {
|
|
wl, _ := rdb.Exists(ctx, "wl:"+ip.String()).Result()
|
|
if wl > 0 {
|
|
checkWhitelist.Inc()
|
|
}
|
|
}
|
|
writeJSON(w, map[string]any{
|
|
"ip": ip.String(),
|
|
"blocked": len(matches) > 0,
|
|
"categories": matches,
|
|
})
|
|
}
|
|
|
|
// Check-Handler
|
|
func handleTraefik(w http.ResponseWriter, r *http.Request) {
|
|
checkRequests.Inc()
|
|
ipStr := r.Header.Get("X-Forwarded-For")
|
|
if ipStr == "" {
|
|
ipStr = r.RemoteAddr
|
|
}
|
|
ip, err := netip.ParseAddr(ipStr)
|
|
if err != nil {
|
|
http.Error(w, "invalid IP", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
var cats []string
|
|
for a, _ := range blocklistURLs {
|
|
cats = append(cats, a)
|
|
}
|
|
|
|
//cats := []string{"firehol", "bitwire", "RU", "CN"}
|
|
matches, err := checkIP(ip, cats)
|
|
if err != nil {
|
|
http.Error(w, "server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if len(matches) > 0 {
|
|
checkBlocked.Inc()
|
|
} else {
|
|
wl, _ := rdb.Exists(ctx, "wl:"+ip.String()).Result()
|
|
if wl > 0 {
|
|
checkWhitelist.Inc()
|
|
}
|
|
}
|
|
if len(matches) > 0 {
|
|
http.Error(w, "blocked", http.StatusForbidden)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|
|
|
|
// Check-Logik
|
|
func checkIP(ip netip.Addr, cats []string) ([]string, error) {
|
|
wl, err := rdb.Exists(ctx, "wl:"+ip.String()).Result()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if wl > 0 {
|
|
return []string{}, nil
|
|
}
|
|
matches := []string{}
|
|
for _, cat := range cats {
|
|
prefixes, err := loadCategoryPrefixes(cat)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, pfx := range prefixes {
|
|
if pfx.Contains(ip) {
|
|
fmt.Printf("💡 MATCH: %s in %s (%s)\n", ip, cat, pfx)
|
|
matches = append(matches, cat)
|
|
break
|
|
}
|
|
}
|
|
}
|
|
return matches, nil
|
|
}
|
|
|
|
func loadCategoryPrefixes(cat string) ([]netip.Prefix, error) {
|
|
prefixCacheMu.Lock()
|
|
defer prefixCacheMu.Unlock()
|
|
entry, ok := prefixCache[cat]
|
|
if ok && time.Now().Before(entry.expireAt) {
|
|
return entry.prefixes, nil
|
|
}
|
|
keys, err := rdb.HKeys(ctx, "bl:"+cat).Result()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var prefixes []netip.Prefix
|
|
for _, k := range keys {
|
|
k = strings.TrimSpace(k)
|
|
pfx, err := netip.ParsePrefix(k)
|
|
if err == nil {
|
|
prefixes = append(prefixes, pfx)
|
|
} else {
|
|
fmt.Printf("⚠️ Ungültiger Redis-Prefix %s: %s\n", cat, k)
|
|
}
|
|
}
|
|
prefixCache[cat] = prefixCacheEntry{
|
|
prefixes: prefixes,
|
|
expireAt: time.Now().Add(1 * time.Second),
|
|
}
|
|
return prefixes, nil
|
|
}
|
|
|
|
// JSON-Helfer
|
|
func writeJSON(w http.ResponseWriter, v any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func handleGUI(w http.ResponseWriter, r *http.Request) {
|
|
html := `
|
|
<!DOCTYPE html>
|
|
<html lang="de">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<title>IP Checker GUI</title>
|
|
<style>
|
|
body { font-family: sans-serif; max-width: 600px; margin: auto; padding: 2em; background: #f9fafb; }
|
|
h1 { font-size: 1.5em; margin-bottom: 1em; }
|
|
input, button { padding: 0.7em; margin: 0.3em 0; width: 100%; border-radius: 0.4em; border: 1px solid #ccc; }
|
|
button { background: #2563eb; color: white; border: none; cursor: pointer; }
|
|
button:hover { background: #1d4ed8; }
|
|
#result, #metrics, #history { background: white; border: 1px solid #ddd; padding: 1em; border-radius: 0.4em; margin-top: 1em; white-space: pre-wrap; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<h1>IP Checker + Whitelist GUI</h1>
|
|
<input id="ipInput" type="text" placeholder="Enter IP-Address...">
|
|
<button onclick="checkIP()">Check IP</button>
|
|
<button onclick="whitelistIP()">Whitelist IP</button>
|
|
|
|
<h2>Ergebnis</h2>
|
|
<div id="result">No Request</div>
|
|
|
|
<h2>Prometheus Metrics</h2>
|
|
<div id="metrics">Loading...</div>
|
|
|
|
<h2>Check History</h2>
|
|
<div id="history">No history</div>
|
|
|
|
<script>
|
|
async function checkIP() {
|
|
const ip = document.getElementById('ipInput').value.trim();
|
|
if (!ip) { alert("Please enter IP!"); return; }
|
|
const res = await fetch('/check/' + ip);
|
|
const data = await res.json();
|
|
document.getElementById('result').innerText = JSON.stringify(data, null, 2);
|
|
addHistory(ip, data);
|
|
}
|
|
|
|
async function whitelistIP() {
|
|
const ip = document.getElementById('ipInput').value.trim();
|
|
if (!ip) { alert("Please enter IP!"); return; }
|
|
const res = await fetch('/whitelist', {
|
|
method: 'POST',
|
|
headers: {'Content-Type': 'application/json'},
|
|
body: JSON.stringify({ip})
|
|
});
|
|
const data = await res.json();
|
|
document.getElementById('result').innerText = JSON.stringify(data, null, 2);
|
|
addHistory(ip, data);
|
|
}
|
|
|
|
function addHistory(ip, data) {
|
|
let history = JSON.parse(localStorage.getItem('ipHistory') || '[]');
|
|
history.unshift({ip, data, ts: new Date().toLocaleString()});
|
|
if (history.length > 10) history = history.slice(0, 10);
|
|
localStorage.setItem('ipHistory', JSON.stringify(history));
|
|
renderHistory();
|
|
}
|
|
|
|
function renderHistory() {
|
|
let history = JSON.parse(localStorage.getItem('ipHistory') || '[]');
|
|
if (history.length === 0) {
|
|
document.getElementById('history').innerText = 'Nothing checked yet';
|
|
return;
|
|
}
|
|
document.getElementById('history').innerText = history.map(e =>
|
|
e.ts + ": " + e.ip + " → blocked=" + (e.data.blocked ? "yes" : "no") +
|
|
(e.data.categories ? " [" + e.data.categories.join(", ") + "]" : "")
|
|
).join("\n");
|
|
}
|
|
|
|
async function loadMetrics() {
|
|
const res = await fetch('/metrics');
|
|
const text = await res.text();
|
|
const lines = text.split('\n').filter(l => l.includes('ipcheck_'));
|
|
document.getElementById('metrics').innerText = lines.join('\n') || 'No Data';
|
|
}
|
|
|
|
renderHistory();
|
|
setInterval(loadMetrics, 3000);
|
|
loadMetrics();
|
|
</script>
|
|
</body>
|
|
</html>
|
|
`
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
_, _ = w.Write([]byte(html))
|
|
}
|