From 513c07666b6d20ca8a360935b3cc7beb4e3e968d Mon Sep 17 00:00:00 2001
From: SashegDev
Date: Thu, 7 May 2026 17:14:47 +0000
Subject: [PATCH] Server: Simplify IP filtering - only blacklist

- Remove whitelist (not needed for public launcher)
- Only BLOCKED_IPS env var supported now
---
 server/main.py       |  8 ++------
 server/middleware.py | 45 +++++++++++++-------------------------------
 2 files changed, 15 insertions(+), 38 deletions(-)

diff --git a/server/main.py b/server/main.py
index e4a11cf..4dc9071 100644
--- a/server/main.py
+++ b/server/main.py
@@ -33,17 +33,13 @@ BUILDS_DIR = Path("builds")
 import os
 import middleware as mw
 
-# Configure allowed IPs (empty = allow all, set IPs = only these allowed)
-ALLOWED_IPS = set(os.environ.get("ALLOWED_IPS", "").split(",")) - {""}
-# Configure blocked IPs
+# Configure blocked IPs only
 BLOCKED_IPS = set(os.environ.get("BLOCKED_IPS", "").split(",")) - {""}
 
-if ALLOWED_IPS:
-    logger.info(f"IP whitelist enabled: {len(ALLOWED_IPS)} IPs allowed")
 if BLOCKED_IPS:
     logger.info(f"IP blacklist enabled: {len(BLOCKED_IPS)} IPs blocked")
 
-mw.set_ip_config(allowed=ALLOWED_IPS, blocked=BLOCKED_IPS)
+mw.set_ip_config(blocked=BLOCKED_IPS)
 
 
 @asynccontextmanager
diff --git a/server/middleware.py b/server/middleware.py
index a0bf852..f20786f 100644
--- a/server/middleware.py
+++ b/server/middleware.py
@@ -15,8 +15,7 @@ RATE_LIMIT_REQUESTS = 60 # Max requests per window
 RATE_LIMIT_WINDOW = 60 # Window in seconds
 _ip_request_counts: dict[str, list[float]] = defaultdict(list)
 
-# IP filtering config (set from main.py)
-ALLOWED_IPS: set[str] = set()
+# IP blocking config (set from main.py)
 BLOCKED_IPS: set[str] = set()
 
 # Suspicious paths that indicate bot scanning
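Review bot: The new `BLOCKED_IPS` parsing in main.py keeps surrounding whitespace, so a value such as `BLOCKED_IPS="1.2.3.4, 5.6.7.8"` yields the entry `" 5.6.7.8"`, which can never equal the host string `get_client_ip` returns and silently leaves that address unblocked; only the empty string is filtered out. Strip each entry before building the set: `BLOCKED_IPS = {ip.strip() for ip in os.environ.get("BLOCKED_IPS", "").split(",")} - {""}`. Because the startup log line reports only a count, an operator cannot see a malformed entry; logging the parsed entries, or rejecting any that `ipaddress.ip_address` fails to parse, would make a typo in the env var fail loudly instead of quietly disabling part of the block.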
@@ -39,13 +38,6 @@ SUSPICIOUS_PATHS = {
     ".git", ".svn", ".hg",
 }
 
-# Known client IPs (allow by default for legitimate users)
-KNOWN_CLIENT_IPS = {
-    "127.0.0.1", "localhost",
-    # Add known client IPs here or leave empty to allow all
-}
-
-
 def get_client_ip(request: Request) -> str:
     """Extract client IP from request"""
     client_ip = request.client.host if request.client else "unknown"
@@ -55,15 +47,9 @@ def get_client_ip(request: Request) -> str:
     return client_ip
 
 
-def is_ip_allowed(client_ip: str) -> tuple[bool, str]:
-    """Check if IP is allowed"""
-    if BLOCKED_IPS and client_ip in BLOCKED_IPS:
-        return False, "blocked"
-
-    if ALLOWED_IPS and client_ip not in ALLOWED_IPS:
-        return False, "not_whitelisted"
-
-    return True, "allowed"
+def is_ip_blocked(client_ip: str) -> bool:
+    """Check if IP is blocked"""
+    return client_ip in BLOCKED_IPS
 
 
 def check_rate_limit(client_ip: str) -> bool:
@@ -108,11 +94,9 @@ def is_suspicious_path(path: str) -> bool:
     return False
 
 
-def set_ip_config(allowed: Optional[set[str]] = None, blocked: Optional[set[str]] = None):
-    """Configure IP filtering (call from main.py)"""
-    global ALLOWED_IPS, BLOCKED_IPS
-    if allowed is not None:
-        ALLOWED_IPS = allowed
+def set_ip_config(blocked: Optional[set[str]] = None):
+    """Configure IP blocking (call from main.py)"""
+    global BLOCKED_IPS
     if blocked is not None:
         BLOCKED_IPS = blocked
 
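Review bot: `is_ip_blocked` compares the raw host string from `get_client_ip` against `BLOCKED_IPS` by exact equality, so textual variants of the same address slip past the list: on a dual-stack listener an IPv4 peer can surface as `::ffff:1.2.3.4` while the operator configured `1.2.3.4`, and an IPv6 address has several valid spellings. Canonicalising both sides through `ipaddress.ip_address` (unwrapping IPv4-mapped addresses) in `is_ip_blocked` and in `set_ip_config` closes that gap without changing either signature; strings that are not IP literals, such as the `"unknown"` sentinel, fall back to the as-given comparison, and `ipaddress` would need to be imported at the top of middleware.py. The body of `get_client_ip` between the first two hunks is not visible here; if it takes the address from a forwarded header, the block is only as trustworthy as that header, which an unauthenticated client controls unless a trusted proxy overwrites it. If the normalisation is not adopted, the docstring should at least state the contract: `"""Check if IP is blocked. Matching is exact-string; callers must pass a canonical address."""`.
```python
def _canonical_ip(value: str) -> str:
    """Return the canonical textual form of an IP literal; other strings unchanged"""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal (e.g. the "unknown" sentinel) - compare as given
        return value
    # IPv4-mapped IPv6 peers (::ffff:a.b.c.d) should match an IPv4 entry
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)


def is_ip_blocked(client_ip: str) -> bool:
    """Check if IP is blocked (both sides canonicalised via _canonical_ip)"""
    return _canonical_ip(client_ip) in BLOCKED_IPS

# … unchanged: check_rate_limit, is_suspicious_path …

def set_ip_config(blocked: Optional[set[str]] = None):
    """Configure IP blocking (call from main.py)"""
    global BLOCKED_IPS
    if blocked is not None:
        BLOCKED_IPS = {_canonical_ip(ip) for ip in blocked}
```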
@@ -122,17 +106,14 @@ class LoggingMiddleware(BaseHTTPMiddleware):
         request_id = str(uuid.uuid4())[:8]
         client_ip = get_client_ip(request)
 
-        # Check IP allow/block
-        allowed, reason = is_ip_allowed(client_ip)
-        if not allowed:
-            # Silent block - don't give attackers any info
+        # Check if IP is blocked
+        if is_ip_blocked(client_ip):
             return Response(status_code=404, content="")
 
-        # Check rate limit (skip for known clients)
-        if client_ip not in KNOWN_CLIENT_IPS:
-            if not check_rate_limit(client_ip):
-                logger.warning(f"Rate limited: {client_ip} ({request.url.path})")
-                return Response(status_code=429, content="Too many requests")
+        # Check rate limit
+        if not check_rate_limit(client_ip):
+            logger.warning(f"Rate limited: {client_ip} ({request.url.path})")
+            return Response(status_code=429, content="Too many requests")
 
         # Check suspicious path (silent 404 for bots)
         path = request.url.path
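Review bot: The blocked-IP branch now returns its empty 404 with neither a comment nor a log line, so dropping `# Silent block - don't give attackers any info` removes the only explanation of why a 404 rather than a 403 is sent, and operators get no record that the blocklist fired. Keep the rationale and log the event before the return, e.g. `# Silent block - a 404 reveals nothing about the filter to the caller` followed by `logger.info(f"Blocked IP: {client_ip} ({request.url.path})")`; the rate-limit branch a few lines down already logs in that form. Note that blocked requests return before `check_rate_limit` runs, so a persistent blocked client is not throttled and such a log line could become noisy; logging once per address or at debug level is an option if that matters. The enclosing method (presumably `dispatch`) starts before and continues after this hunk.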