Hi John,

On Mon, Mar 28, 2022 at 11:26 PM John <johns...@gmail.com> wrote:

> I'm looking to satisfy this:
>
>    - If you are in an ACL, you can make a TLS connection
>
>    - If you are not in an ACL, you can only make a TCP connection, but not a
>    TLS connection*
>
> * It would be better if it didn't honor TCP either, unless it is a health
> probe
>
> Basically I want to move my denials into the listener and not in the
> http.Server handlers.
>
> I thought I was clever recently, trying to do this with:
>
> func (a *aclListener) Accept() (net.Conn, error) {
> 	conn, err := a.ln.Accept()
> 	if err != nil {
> 		return nil, err
> 	}
>
> 	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
> 	if err != nil {
> 		conn.Close() // don't leak a connection we are not going to use
> 		return nil, fmt.Errorf("connection's remote address(%s) could not be split: %s", conn.RemoteAddr().String(), err)
> 	}
>
> 	// The probe connected, so close the connection and exit.
> 	if a.acls.isProbe(host) {
> 		log.Printf("TCP probe(%s) connection", host)
> 		conn.Close()
> 		return nil, ErrIsProbe
> 	}
>
> 	// Block anything that isn't in our ACL.
> 	if err := a.acls.ipAuth(host); err != nil {
> 		conn.Close() // close the rejected connection so it doesn't leak
> 		return nil, err
> 	}
> 	log.Println("accepting connection from: ", conn.RemoteAddr().String())
> 	return conn, nil
> }


How about (in your (*aclListener).Accept method) looping on
net.Listener.Accept until the connection should pass your ACL. Here is an
oversimplified pseudo-code version:

func (a *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := a.ln.Accept()
		if err != nil {
			return nil, err // propagate real listener errors (e.g. listener closed)
		}
		if isGood(conn) {
			return conn, nil
		}
		conn.Close() // rejected: close it here instead of returning an error
	}
}

The way I like to see it is that the "Accept" method means: "return the
next connection attempt which is good enough to be accepted". Thus the
meaning of "Accept" for the net.Listener and for your (*aclListener) are not
the same: net.Listener considers any connection acceptable, while
(*aclListener) accepts only connections under certain constraints.

Would this work for you?

-- Diego Joss
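A complete, runnable version of the looping Accept described in the reply, added here as an example and not code from either message in the thread. It assumes the ACL is a list of CIDR allow prefixes and that health probers come from a separate, known prefix (the 169.254.0.0/16 range and the names aclListener, classify, mustPrefixes and tryConnect are assumptions for the demo). Rejected and probe connections are closed inside Accept and never returned, so a tls.NewListener wrapped around this listener never starts a handshake with them; only errors from the inner listener are propagated. tryConnect spins up a loopback listener and dials it once so the three outcomes can be observed offline.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"net/netip"
	"time"
)

// verdict is what the listener decides about a freshly accepted TCP connection.
type verdict int

const (
	verdictDeny  verdict = iota // not in the ACL: close at the TCP layer
	verdictProbe                // health prober: the TCP handshake is enough, close
	verdictAllow                // in the ACL: hand the conn to the caller (tls/http)
)

// classify maps a "host:port" remote address to a verdict. IPv4-mapped IPv6
// addresses are unmapped first so that a v4 prefix matches on a dual-stack socket.
func classify(remote string, allow, probes []netip.Prefix) (verdict, error) {
	ap, err := netip.ParseAddrPort(remote)
	if err != nil {
		return verdictDeny, fmt.Errorf("remote address %q is not host:port: %w", remote, err)
	}
	ip := ap.Addr().Unmap()
	for _, p := range probes {
		if p.Contains(ip) {
			return verdictProbe, nil
		}
	}
	for _, p := range allow {
		if p.Contains(ip) {
			return verdictAllow, nil
		}
	}
	return verdictDeny, nil
}

// aclListener embeds the inner net.Listener so Close and Addr pass through;
// only Accept is overridden.
type aclListener struct {
	net.Listener
	allow  []netip.Prefix
	probes []netip.Prefix
}

// Accept loops until the inner listener yields a connection that passes the ACL.
// Anything else is closed here; a denied peer is not an error for the caller.
func (a *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := a.Listener.Accept()
		if err != nil {
			return nil, err // e.g. listener closed: let http.Server.Serve see it
		}
		v, cerr := classify(conn.RemoteAddr().String(), a.allow, a.probes)
		if v == verdictAllow {
			return conn, nil
		}
		log.Printf("closing %s at TCP layer: verdict=%d err=%v", conn.RemoteAddr(), v, cerr)
		conn.Close()
	}
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// tryConnect listens on loopback behind aclListener, dials it once from
// 127.0.0.1 and reports whether Accept handed the connection to the caller
// (the server writes "A") or closed it at the TCP layer (the client sees EOF).
func tryConnect(allow, probes []netip.Prefix) (accepted bool, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	al := &aclListener{Listener: ln, allow: allow, probes: probes}
	defer al.Close() // also unblocks the Accept goroutine in the denied case

	go func() {
		if c, e := al.Accept(); e == nil {
			c.Write([]byte("A"))
			c.Close()
		}
	}()

	client, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer client.Close()
	client.SetReadDeadline(time.Now().Add(2 * time.Second))

	buf := make([]byte, 1)
	n, rerr := client.Read(buf)
	if rerr == io.EOF {
		return false, nil // closed by the listener before any application data
	}
	if rerr != nil {
		return false, rerr
	}
	return n == 1 && buf[0] == 'A', nil
}

func main() {
	probes := mustPrefixes("169.254.0.0/16") // assumed prober range, constructed for the demo
	for _, tc := range []struct {
		name  string
		allow []netip.Prefix
	}{
		{"loopback in ACL", mustPrefixes("127.0.0.0/8", "10.0.0.0/8")},
		{"loopback not in ACL", mustPrefixes("10.0.0.0/8")},
	} {
		ok, err := tryConnect(tc.allow, probes)
		fmt.Printf("%-20s accepted=%v err=%v\n", tc.name, ok, err)
	}
}
```

To put it in front of a TLS server, wrap it as tls.NewListener(&aclListener{...}, tlsConfig) and pass that to http.Server.Serve. Closing denied connections inside Accept rather than returning an error matters because http.Server.Serve retries only on accept errors that are temporary net.Error values and returns on any other error, which would stop the whole server on the first denied peer. The usual caveat applies: a source-IP ACL is only as trustworthy as the network path, so behind a load balancer or reverse proxy RemoteAddr is the proxy's address and the check must be done on whatever the proxy forwards (for example PROXY protocol) rather than on the TCP peer.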

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CAGjxhKkBD0qUsNv4K5Wjt-wWAtK6jbng6XEs%2BvzZ1-%2BGNnAFgA%40mail.gmail.com.
