I would just add a for loop around your code and only return when you have
a connection you want to allow, otherwise just log / pass the error
elsewhere.


On Mon, Mar 28, 2022 at 11:26 PM John <johnsiil...@gmail.com> wrote:

> I'm looking to satisfy this:
>
>    - If you are in an ACL, you can make a TLS connection
>    - If you are not in an ACL, you can only make a TCP connection, but not a
>    TLS connection*
>
> * It would be better if it didn't honor TCP either, unless it is a health
> probe
>
> Basically I want to move my denials into the listener and not in the
> http.Server handlers.
>
> I thought I was clever recently, trying to do this with:
>
> func (a *aclListener) Accept() (net.Conn, error) {
>     conn, err := a.ln.Accept()
>     if err != nil {
>         return nil, err
>     }
>
>     host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
>     if err != nil {
>         conn.Close() // don't leak the accepted socket on the error path
>         return nil, fmt.Errorf("connection's remote address(%s) could not be split: %s", conn.RemoteAddr().String(), err)
>     }
>
>     // The probe connected, so close the connection and exit.
>     if a.acls.isProbe(host) {
>         log.Printf("TCP probe(%s) connection", host)
>         conn.Close()
>         return nil, ErrIsProbe
>     }
>
>     // Block anything that isn't in our ACL.
>     if err := a.acls.ipAuth(host); err != nil {
>         conn.Close() // the denied peer's socket must be closed as well
>         return nil, err
>     }
>     log.Println("accepting connection from: ", conn.RemoteAddr().String())
>     return conn, nil
> }
>
> aclListener implements a net.Listener and I was going to allow the TCP probe
> from this health service, but nothing more (like seeing the TLS header).
> However, it turns out erroring on an Accept() will cause the http.Server
> to stop.
>
> Of course, if this code did work, the difference between the prober and
> non-ACL connections is the same, they both can get the TCP socket before
> being denied.
>
> Does anyone know if I can achieve this in my code without getting super
> hacky? I can see some ways to do that, but figured someone here might have
> done this in a simple way.
>
> Cheers and thanks.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/4ab235c1-ab52-42de-a22a-a31bde21eb0cn%40googlegroups.com
> <https://groups.google.com/d/msgid/golang-nuts/4ab235c1-ab52-42de-a22a-a31bde21eb0cn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

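One way to implement the suggestion in the reply above (loop inside Accept, close probe and denied connections there, and only return a connection the policy allows), as an added example that is not code from either message in the thread. The `aclListener`, `verdict`, the `allowed`/`probes` prefix lists and the `dropped` callback are hypothetical names chosen for this example; `fakeConn` and `fakeListener` are constructed test doubles so the policy can be exercised without real sockets.

```go
package main

import (
	"errors"
	"log"
	"net"
	"net/netip"
)

// verdict is what the listener decides for one accepted connection.
type verdict int

const (
	allow verdict = iota // in the ACL: hand the conn to http.Server, which does the TLS handshake
	probe                // health prober: TCP handshake only, closed before any TLS bytes are read
	deny                 // everything else: closed and reported, never surfaced to http.Server
)

// aclListener (hypothetical) wraps a net.Listener and only returns connections whose
// source IP is in allowed. Probe and denied peers are closed inside Accept, so the
// server never sees them and never receives an error it would treat as fatal.
type aclListener struct {
	net.Listener
	allowed []netip.Prefix
	probes  []netip.Prefix
	dropped func(ip netip.Addr, v verdict) // optional sink for "pass the error elsewhere"
}

func inAny(ip netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// classify is the policy. Probes are checked first, so a prober whose address also
// falls inside an allowed range still gets nothing more than a TCP handshake.
func (a *aclListener) classify(ip netip.Addr) verdict {
	switch {
	case inAny(ip, a.probes):
		return probe
	case inAny(ip, a.allowed):
		return allow
	default:
		return deny
	}
}

// Accept loops until the underlying listener yields a connection the policy allows.
// Only errors from the underlying listener itself (e.g. it was closed) are returned,
// because http.Server.Serve stops on a non-temporary Accept error.
func (a *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := a.Listener.Accept()
		if err != nil {
			return nil, err
		}
		v := deny
		ap, perr := netip.ParseAddrPort(conn.RemoteAddr().String())
		if perr == nil {
			v = a.classify(ap.Addr().Unmap()) // Unmap so 10.0.0.0/8 also matches ::ffff:10.x.x.x
		}
		if v == allow {
			return conn, nil
		}
		conn.Close() // probe or denied peer: the kernel already completed the TCP handshake; close now
		log.Printf("closed %s in Accept (verdict %d)", conn.RemoteAddr(), v)
		if a.dropped != nil && perr == nil {
			a.dropped(ap.Addr().Unmap(), v)
		}
	}
}

// fakeConn and fakeListener are constructed test doubles (not real sockets); only the
// methods the policy touches are implemented.
type fakeConn struct {
	net.Conn
	addr   *net.TCPAddr
	closed bool
}

func (c *fakeConn) RemoteAddr() net.Addr { return c.addr }
func (c *fakeConn) Close() error         { c.closed = true; return nil }

type fakeListener struct {
	net.Listener
	queue []*fakeConn
}

// Accept hands out queued conns and reports net.ErrClosed once the queue is empty.
func (l *fakeListener) Accept() (net.Conn, error) {
	if len(l.queue) == 0 {
		return nil, net.ErrClosed
	}
	c := l.queue[0]
	l.queue = l.queue[1:]
	return c, nil
}

func newFakeConn(ip string, port int) *fakeConn {
	return &fakeConn{addr: &net.TCPAddr{IP: net.ParseIP(ip), Port: port}}
}

// runPolicy drains the queued conns through the ACL listener and reports which remote
// addresses were returned to the caller and which were closed inside Accept.
func runPolicy(allowed, probes []string, conns []*fakeConn) (returned []string, dropped map[string]verdict, err error) {
	dropped = map[string]verdict{}
	a := &aclListener{Listener: &fakeListener{queue: conns}}
	for _, s := range allowed {
		a.allowed = append(a.allowed, netip.MustParsePrefix(s))
	}
	for _, s := range probes {
		a.probes = append(a.probes, netip.MustParsePrefix(s))
	}
	a.dropped = func(ip netip.Addr, v verdict) { dropped[ip.String()] = v }
	for {
		c, err := a.Accept()
		if err != nil {
			return returned, dropped, err
		}
		returned = append(returned, c.RemoteAddr().String())
	}
}

func main() {
	conns := []*fakeConn{newFakeConn("10.0.0.5", 40001), newFakeConn("10.9.9.9", 40002), newFakeConn("203.0.113.7", 40003)}
	returned, dropped, err := runPolicy([]string{"10.0.0.0/24"}, []string{"10.9.9.9/32"}, conns)
	if !errors.Is(err, net.ErrClosed) {
		log.Fatal(err)
	}
	log.Printf("handed to server: %v; closed in Accept: %v", returned, dropped)
}
```

Two caveats worth keeping in mind with this approach. First, the kernel completes the TCP three-way handshake before Accept ever returns, so a prober and a non-ACL peer both see a successfully connected socket before the listener closes it; refusing the TCP connection itself has to happen in a packet filter in front of the process, not in a net.Listener. Second, the loop only propagates errors from the wrapped listener, which is exactly what http.Server expects: a closed or failing listener ends Serve, while policy decisions never do.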