Hi John,

On Mon, Mar 28, 2022 at 11:26 PM John <johns...@gmail.com> wrote:
> I'm looking to satisfy this:
>
> - If you are in an ACL, you can make a TLS connection
> - If you are not in an ACL, you can only make a TCP connection, but not a TLS connection*
>
> * It would be better if it didn't honor TCP either, unless it is a health probe
>
> Basically I want to move my denials into the listener and not in the http.Server handlers.
>
> I thought I was clever recently, trying to do this with:
>
>     func (a *aclListener) Accept() (net.Conn, error) {
>         conn, err := a.ln.Accept()
>         if err != nil {
>             return nil, err
>         }
>         host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
>         if err != nil {
>             conn.Close() // do not leak the socket of a rejected connection
>             return nil, fmt.Errorf("connection's remote address(%s) could not be split: %s", conn.RemoteAddr().String(), err)
>         }
>         // The probe connected, so close the connection and exit.
>         if a.acls.isProbe(host) {
>             log.Printf("TCP probe(%s) connection", host)
>             conn.Close()
>             return nil, ErrIsProbe
>         }
>         // Block anything that isn't in our ACL.
>         if err := a.acls.ipAuth(host); err != nil {
>             conn.Close() // do not leak the socket of a rejected connection
>             return nil, err
>         }
>         log.Println("accepting connection from: ", conn.RemoteAddr().String())
>         return conn, nil
>     }

How about (in your (*aclListener).Accept method) looping on net.Listener.Accept until the connection should pass your ACL. Here is some oversimple pseudo-code version:

    func (a *aclListener) Accept() (net.Conn, error) {
        for {
            conn, err := a.ln.Accept()
            if err != nil {
                return nil, err // a real listener error still surfaces to the caller
            }
            if isGood(conn) { // your ACL / probe checks go here
                return conn, nil
            }
            conn.Close() // rejected: close it and wait for the next one
        }
    }

The way I like to see it is that the "Accept" method means: "return the next connection tentative which is good enough to be accepted". Thus the meaning of "Accept" for the net.Listener and your (*aclListener) are not the same: net.Listener considers as acceptable any connection, (*aclListener) accepts only connections under certain constraints.

Would this work for you?

-- 
Diego Joss

-- 
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGjxhKkBD0qUsNv4K5Wjt-wWAtK6jbng6XEs%2BvzZ1-%2BGNnAFgA%40mail.gmail.com.
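The following is an added, runnable example written for this page; it is not code from John's post or from Diego's reply. It carries the "loop inside Accept" idea through to a complete wrapper: rejected and probe connections are closed inside Accept (so nothing leaks and http.Server never sees a per-connection error, which would make Serve give up on the listener), while genuine listener errors still propagate. The type and function names (`acl`, `decide`, `sampleACL`, `demoLoopback`) and the prefixes in the allow-list and probe list are constructed for the example and are not from the thread.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/netip"
)

// Verdicts the ACL can return for one incoming connection.
const (
	verdictAccept    = "accept"    // on the allow-list: hand the conn to the server
	verdictProbe     = "probe"     // health probe: the TCP handshake is enough, close it
	verdictDeny      = "deny"      // not listed: close before any TLS/HTTP bytes flow
	verdictMalformed = "malformed" // remote address unparseable: treated like deny
)

// acl is a constructed allow-list keyed on source prefixes (a hypothetical
// stand-in for the a.acls value in the thread).
type acl struct {
	allow  []netip.Prefix
	probes []netip.Prefix
}

// sampleACL returns constructed sample prefixes; 192.0.2.0/24 is a documentation
// range used here to stand in for the health-probe source.
func sampleACL() *acl {
	return &acl{
		allow: []netip.Prefix{
			netip.MustParsePrefix("127.0.0.0/8"),
			netip.MustParsePrefix("::1/128"),
			netip.MustParsePrefix("10.0.0.0/24"),
		},
		probes: []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")},
	}
}

func inPrefixes(set []netip.Prefix, addr netip.Addr) bool {
	for _, p := range set {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// decide classifies a remote "host:port" string. Probes are checked before the
// allow-list so a probe source that is not otherwise allowed still gets its
// TCP handshake; v4-mapped v6 addresses are unmapped so they match v4 prefixes.
func (a *acl) decide(remote string) string {
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		return verdictMalformed
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return verdictMalformed
	}
	addr = addr.Unmap()
	switch {
	case inPrefixes(a.probes, addr):
		return verdictProbe
	case inPrefixes(a.allow, addr):
		return verdictAccept
	default:
		return verdictDeny
	}
}

// aclListener wraps a net.Listener and only returns connections the ACL accepts.
type aclListener struct {
	net.Listener
	acls *acl
}

// Accept loops until the inner listener yields an acceptable connection.
// Everything else is logged and closed right here, so Serve only ever sees
// accepted connections or real listener errors.
func (l *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		remote := conn.RemoteAddr().String()
		v := l.acls.decide(remote)
		if v == verdictAccept {
			return conn, nil
		}
		log.Printf("%s connection from %s: closing", v, remote)
		conn.Close()
	}
}

// demoLoopback listens on an ephemeral loopback port, dials it once and reports
// whether the wrapped Accept handed the connection through (loopback is allowed).
func demoLoopback() (bool, error) {
	inner, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, fmt.Errorf("listen: %w", err)
	}
	defer inner.Close()
	ln := &aclListener{Listener: inner, acls: sampleACL()}
	got := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			c.Close()
		}
		got <- err
	}()
	client, err := net.Dial("tcp", inner.Addr().String())
	if err != nil {
		return false, fmt.Errorf("dial: %w", err)
	}
	defer client.Close()
	return <-got == nil, nil
}

func main() {
	ok, err := demoLoopback()
	fmt.Println("loopback accepted:", ok, "err:", err)
	for _, r := range []string{"10.0.0.5:4000", "192.0.2.9:4000", "203.0.113.7:4000", "[::ffff:10.0.0.5]:4000", "bogus"} {
		fmt.Printf("%-24s -> %s\n", r, sampleACL().decide(r))
	}
}
```

Note that the probe check only satisfies a probe that wants a completed TCP handshake; a probe that expects an HTTP response would need to be let through to a handler instead. Denied peers still complete the TCP handshake before being closed, which matches the "only a TCP connection, not a TLS connection" wording in the question; refusing the handshake itself would have to happen at the firewall, not in Accept.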