Hey Sean and Robert,

Thanks for the suggestions.

I can see how the temporary error would work, but as Sean is saying, this
is going to add delays that are going to go against what I'm wanting to do.

Sean, I'm not sure I understand the part about looping my code.  Here is a
sample on the playground, is it possible you can show me what I'm missing:
https://go.dev/play/p/_B4jkTzWcS0

Cheers.

On Mon, Mar 28, 2022 at 4:47 PM 'Sean Liao' via golang-nuts <
golang-nuts@googlegroups.com> wrote:

> abusing temporary delays like that could result in unpredictable
> performance with up to a second between accepts, not something you want if
> you are flooded with things you want to deny (which is what an ACL is for).
>
> On Mon, Mar 28, 2022, 23:46 robert engels <reng...@ix.netcom.com> wrote:
>
>> You just need to return a temporary error. It should not be exiting
>> anyway - unless the “done” channel is valid.
>>
>> ctx := context.WithValue(baseCtx, ServerContextKey, srv)
>> for {
>>    rw, err := l.Accept()
>>    if err != nil {
>>       select {
>>       case <-srv.getDoneChan():
>>          return ErrServerClosed
>>       default:
>>       }
>>       if ne, ok := err.(net.Error); ok && ne.Temporary() {
>>          if tempDelay == 0 {
>>             tempDelay = 5 * time.Millisecond
>>          } else {
>>             tempDelay *= 2
>>          }
>>          if max := 1 * time.Second; tempDelay > max {
>>             tempDelay = max
>>          }
>>          srv.logf("http: Accept error: %v; retrying in %v", err, tempDelay)
>>          time.Sleep(tempDelay)
>>          continue
>>       }
>>       return err
>>    }
>>
>>
>>
>> On Mar 28, 2022, at 5:35 PM, 'Sean Liao' via golang-nuts <
>> golang-nuts@googlegroups.com> wrote:
>>
>> I would just add a for loop around your code and only return when you
>> have a connection you want to allow, otherwise just log / pass the error
>> elsewhere.
>>
>>
>> On Mon, Mar 28, 2022 at 11:26 PM John <johnsiil...@gmail.com> wrote:
>>
>>> I'm looking to satisfy this:
>>>
>>>    - If you are in an ACL, you can make a TLS connection
>>>    - If you are not in an ACL, you can only make a TCP connection, but not a
>>>    TLS connection*
>>>
>>> * It would be better if it didn't honor TCP either, unless it is a
>>> health probe
>>>
>>> Basically I want to move my denials into the listener and not in the
>>> http.Server handlers.
>>>
>>> I thought I was clever recently, trying to do this with:
>>>
>>> func (a *aclListener) Accept() (net.Conn, error) {
>>>     conn, err := a.ln.Accept()
>>>     if err != nil {
>>>         return nil, err
>>>     }
>>>
>>>     host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
>>>     if err != nil {
>>>         conn.Close() // don't leak the connection we are refusing
>>>         return nil, fmt.Errorf("connection's remote address(%s) could not be split: %s", conn.RemoteAddr().String(), err)
>>>     }
>>>
>>>     // The probe connected, so close the connection and exit.
>>>     if a.acls.isProbe(host) {
>>>         log.Printf("TCP probe(%s) connection", host)
>>>         conn.Close()
>>>         return nil, ErrIsProbe
>>>     }
>>>
>>>     // Block anything that isn't in our ACL.
>>>     if err := a.acls.ipAuth(host); err != nil {
>>>         conn.Close() // don't leak the denied connection
>>>         return nil, err
>>>     }
>>>     log.Println("accepting connection from: ", conn.RemoteAddr().String())
>>>     return conn, nil
>>> }
>>>
>>> aclListener implements a net.Listener and I was going to allow the TCP
>>> probe from this
>>> health service, but nothing more (like seeing the TLS header).
>>> However, it turns out erroring on an Accept() will cause the http.Server
>>> to stop.
>>>
>>> Of course, if this code did work, the difference between the prober and
>>> non-ACL connections is the same, they both can get the TCP socket
>>> before being denied.
>>>
>>> Does anyone know if I can achieve this in my code without getting super
>>> hacky? I can see
>>> some ways to that, but figured someone here might have done this in a
>>> simple way.
>>>
>>> Cheers and thanks.
>>>
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "golang-nuts" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to golang-nuts+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/golang-nuts/4ab235c1-ab52-42de-a22a-a31bde21eb0cn%40googlegroups.com
>>> <https://groups.google.com/d/msgid/golang-nuts/4ab235c1-ab52-42de-a22a-a31bde21eb0cn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>


-- 
John Doak
www.obscuredworld.com
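Added example, not code from anyone in this thread: an Accept that does what Sean describes, looping over the wrapped listener, closing probe and non-ACL connections inside the loop and returning only permitted ones, so the http.Server serve loop stops only on the listener's own error. The aclListener layout, the netip-keyed ACL sets and the empty main are my assumptions.

```go
package main

import (
	"log"
	"net"
	"net/netip"
)

// aclListener applies the ACL at accept time: probes and denied peers are
// closed inside Accept's loop, so http.Server only ever receives permitted
// connections and never sees an error for a denial (assumed layout, not the
// original poster's type).
type aclListener struct {
	net.Listener
	allowed map[netip.Addr]bool // peers allowed to proceed to the TLS handshake
	probes  map[netip.Addr]bool // health probers: TCP connect succeeds, then we close
}

// Accept loops until a connection passes the ACL. Only errors from the
// underlying listener (for example after Close) are propagated.
func (a *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := a.Listener.Accept()
		if err != nil {
			return nil, err
		}
		ap, perr := netip.ParseAddrPort(conn.RemoteAddr().String())
		host := ap.Addr().Unmap() // compare ::ffff:a.b.c.d as a.b.c.d
		switch {
		case perr != nil:
			log.Printf("deny %v: unparsable remote address: %v", conn.RemoteAddr(), perr)
		case a.probes[host]:
			log.Printf("TCP probe(%s) connection, closing", host)
		case !a.allowed[host]:
			log.Printf("deny %s: not in ACL", host)
		default:
			return conn, nil
		}
		conn.Close() // every non-default branch drops the peer and keeps accepting
	}
}

func main() {
	// Usage: srv.Serve(&aclListener{Listener: ln, allowed: acl, probes: probers})
}
```

A denied peer still completes the TCP handshake before being closed, which is the point John raises about probes versus non-ACL clients; this wrapper only moves the denial out of the HTTP handlers and keeps the server alive.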
