chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>
fix(default-config): also block alibaba cloud
2026-04-26 18:12:45 +00:00 · 2025-08-20 22:55:02 +00:00 · 2025-08-20 22:53:30 +00:00
10 changed files with 15 additions and 234 deletions
@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]

 <!-- This changes the project to: -->
- Added a missing link to the Caddy installation environment in the installation documentation.
+
 - Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
 - The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
 - [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
@@ -40,13 +40,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump AI-robots.txt to version 1.39
 - Add a default block rule for Huawei Cloud.
 - Add a default block rule for Alibaba Cloud.
- Add X-Request-URI support so that Subrequest Authentication has path support.

 ### Security-relevant changes

 #### Fix potential double-spend for challenges

-Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.
+Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is tored in the database.

 The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens.

@@ -1,6 +1,6 @@
-# WordPress
+# Wordpress

-WordPress is the most popular blog engine on the planet.
+Wordpress is the most popular blog engine on the planet.

 ## Using a multi-site setup with Anubis

@@ -27,7 +27,7 @@ flowchart LR
    US --> |whatever you're doing| B
 ```

-WordPress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:
+Wordpress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:

 ```php
 if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
@@ -36,4 +36,4 @@ if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROT
 }
 ```

-This will make WordPress think that your connection is over HTTPS instead of plain HTTP.
+This will make Wordpress think that your connection is over HTTPS instead of plain HTTP.
@@ -178,7 +178,6 @@ Alternatively here is a key generated by your browser:
 To get Anubis filtering your traffic, you need to make sure it's added to your HTTP load balancer or platform configuration. See the [environments category](/docs/category/environments) for detailed information on individual environments.

 - [Apache](./environments/apache.mdx)
- [Caddy](./environments/caddy.mdx)
 - [Docker compose](./environments/docker-compose.mdx)
 - [Kubernetes](./environments/kubernetes.mdx)
 - [Nginx](./environments/nginx.mdx)
@@ -21,24 +21,6 @@ const (
 	querySeparatorLength  = 1 // Length of "?" for query strings
 )

-// unixRoundTripper wraps an http.Transport to handle Unix socket requests properly
-// by ensuring the URL scheme is set to "http" to avoid TLS issues.
-// Based on the UnixRoundTripper implementation in lib/http.go
-type unixRoundTripper struct {
-	Transport *http.Transport
-}
-
-// RoundTrip implements the http.RoundTripper interface
-func (t *unixRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	req = req.Clone(req.Context())
-	if req.Host == "" {
-		req.Host = "localhost"
-	}
-	req.URL.Host = req.Host
-	req.URL.Scheme = "http" // Ensure HTTP scheme to avoid "server gave HTTP response to HTTPS client" error
-	return t.Transport.RoundTrip(req)
-}
-
 type OGTagCache struct {
 	cache     store.JSON[map[string]string]
 	targetURL *url.URL
@@ -87,12 +69,11 @@ func NewOGTagCache(target string, conf config.OpenGraph, backend store.Interface
 	// Configure custom transport for Unix sockets
 	if parsedTargetURL.Scheme == "unix" {
 		socketPath := parsedTargetURL.Path // For unix scheme, path is the socket path
-		transport := &http.Transport{
+		client.Transport = &http.Transport{
 			DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
 				return net.Dial("unix", socketPath)
 			},
 		}
-		client.Transport = &unixRoundTripper{Transport: transport}
 	}

 	return &OGTagCache{
@@ -99,16 +99,16 @@ func TestNewOGTagCache_UnixSocket(t *testing.T) {
 	}

 	// Check if the client transport is configured for Unix sockets
-	roundTripper, ok := cache.client.Transport.(*unixRoundTripper)
+	transport, ok := cache.client.Transport.(*http.Transport)
 	if !ok {
-		t.Fatalf("expected client transport to be *unixRoundTripper, got %T", cache.client.Transport)
+		t.Fatalf("expected client transport to be *http.Transport, got %T", cache.client.Transport)
 	}
-	if roundTripper.Transport.DialContext == nil {
+	if transport.DialContext == nil {
 		t.Fatal("expected client transport DialContext to be non-nil for unix socket")
 	}

 	// Attempt a dummy dial to see if it uses the correct path (optional, more involved check)
-	dummyConn, err := roundTripper.Transport.DialContext(context.Background(), "", "")
+	dummyConn, err := transport.DialContext(context.Background(), "", "")
 	if err == nil {
 		dummyConn.Close()
 		t.Log("DialContext seems functional, but couldn't verify path without a listener")
@@ -1,98 +0,0 @@
-package ogtags
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-	
-	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/store/memory"
-)
-
-// TestUnixSocketHTTPSFix tests that the fix prevents "http: server gave HTTP response to HTTPS client" errors
-// when using Unix socket targets with HTTPS input URLs
-func TestUnixSocketHTTPSFix(t *testing.T) {
-	tempDir := t.TempDir()
-	socketPath := filepath.Join(tempDir, "test.sock")
-
-	// Create a simple HTTP server listening on the Unix socket
-	server := &http.Server{
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Verify that the request comes in with HTTP (not HTTPS)
-			if r.URL.Scheme != "" && r.URL.Scheme != "http" {
-				t.Errorf("Unexpected scheme in request: %s (expected 'http' or empty)", r.URL.Scheme)
-			}
-			if r.TLS != nil {
-				t.Errorf("Request has TLS information when it shouldn't for Unix socket")
-			}
-			
-			w.Header().Set("Content-Type", "text/html")
-			w.WriteHeader(http.StatusOK)
-			w.Write([]byte(`<html><head><meta property="og:title" content="Test Title"></head></html>`))
-		}),
-	}
-
-	// Listen on Unix socket
-	listener, err := net.Listen("unix", socketPath)
-	if err != nil {
-		t.Fatalf("Failed to create Unix socket listener: %v", err)
-	}
-	defer os.Remove(socketPath)
-	defer listener.Close()
-
-	// Start the server
-	go func() {
-		server.Serve(listener)
-	}()
-	defer server.Close()
-
-	// Wait a bit for server to start
-	time.Sleep(100 * time.Millisecond)
-
-	// Create OGTagCache with Unix socket target
-	target := "unix://" + socketPath
-	cache := NewOGTagCache(target, config.OpenGraph{
-		Enabled: true,
-		TimeToLive: time.Minute,
-	}, memory.New(t.Context()))
-
-	// Test cases that previously might have caused the "HTTP response to HTTPS client" error
-	testCases := []struct {
-		name string
-		url  string
-	}{
-		{"HTTPS URL", "https://example.com/test"},
-		{"HTTPS with port", "https://example.com:443/test"},
-		{"HTTPS with query", "https://example.com/test?param=value"},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			inputURL, _ := url.Parse(tc.url)
-			
-			// This should succeed without the "server gave HTTP response to HTTPS client" error
-			ogTags, err := cache.GetOGTags(context.Background(), inputURL, "example.com")
-			
-			if err != nil {
-				if strings.Contains(err.Error(), "server gave HTTP response to HTTPS client") {
-					t.Errorf("Fix did not work: still getting HTTPS/HTTP error: %v", err)
-				} else {
-					// Other errors are acceptable for this test
-					t.Logf("Got non-HTTPS error (acceptable): %v", err)
-				}
-			} else {
-				// Success case
-				if ogTags["og:title"] != "Test Title" {
-					t.Errorf("Expected og:title 'Test Title', got: %v", ogTags["og:title"])
-				}
-				t.Logf("Success: got expected og:title = %s", ogTags["og:title"])
-			}
-		})
-	}
-}
@@ -102,13 +102,6 @@ func NewPathChecker(rexStr string) (checker.Impl, error) {
 }

 func (pc *PathChecker) Check(r *http.Request) (bool, error) {
-	originalUrl := r.Header.Get("X-Original-URI")
-	if originalUrl != "" {
-		if pc.regexp.MatchString(originalUrl) {
-			return true, nil
-		}
-	}
-
 	if pc.regexp.MatchString(r.URL.Path) {
 		return true, nil
 	}
@@ -198,96 +198,3 @@ func TestHeaderExistsChecker(t *testing.T) {
 		})
 	}
 }
-
-func TestPathChecker_XOriginalURI(t *testing.T) {
-	tests := []struct {
-		name          string
-		regex         string
-		xOriginalURI  string
-		urlPath       string
-		headerKey     string
-		expectedMatch bool
-		expectError   bool
-	}{
-		{
-			name:          "X-Original-URI matches regex (with trailing space - current typo)",
-			regex:         "^/api/.*",
-			xOriginalURI:  "/api/users",
-			urlPath:       "/different/path",
-			headerKey:     "X-Original-URI",
-			expectedMatch: true,
-			expectError:   false,
-		},
-		{
-			name:          "X-Original-URI doesn't match, falls back to URL.Path",
-			regex:         "^/admin/.*",
-			xOriginalURI:  "/api/users",
-			urlPath:       "/admin/dashboard",
-			headerKey:     "X-Original-URI",
-			expectedMatch: true,
-			expectError:   false,
-		},
-		{
-			name:          "Neither X-Original-URI nor URL.Path match",
-			regex:         "^/admin/.*",
-			xOriginalURI:  "/api/users",
-			urlPath:       "/public/info",
-			headerKey:     "X-Original-URI ",
-			expectedMatch: false,
-			expectError:   false,
-		},
-		{
-			name:          "Empty X-Original-URI, URL.Path matches",
-			regex:         "^/static/.*",
-			xOriginalURI:  "",
-			urlPath:       "/static/css/style.css",
-			headerKey:     "X-Original-URI",
-			expectedMatch: true,
-			expectError:   false,
-		},
-		{
-			name:          "Complex regex matching X-Original-URI",
-			regex:         `^/api/v[0-9]+/(users|posts)/[0-9]+$`,
-			xOriginalURI:  "/api/v1/users/123",
-			urlPath:       "/different",
-			headerKey:     "X-Original-URI",
-			expectedMatch: true,
-			expectError:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Create the PathChecker
-			pc, err := NewPathChecker(tt.regex)
-			if err != nil {
-				if !tt.expectError {
-					t.Fatalf("NewPathChecker() unexpected error: %v", err)
-				}
-				return
-			}
-
-			if tt.expectError {
-				t.Fatal("NewPathChecker() expected error but got none")
-			}
-
-			req, err := http.NewRequest("GET", "http://example.com"+tt.urlPath, nil)
-			if err != nil {
-				t.Fatalf("Failed to create request: %v", err)
-			}
-
-			if tt.xOriginalURI != "" {
-				req.Header.Set(tt.headerKey, tt.xOriginalURI)
-			}
-
-			match, err := pc.Check(req)
-			if err != nil {
-				t.Fatalf("Check() unexpected error: %v", err)
-			}
-
-			if match != tt.expectedMatch {
-				t.Errorf("Check() = %v, want %v", match, tt.expectedMatch)
-			}
-		})
-	}
-}
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.22.0-pre1",
+  "version": "1.21.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.22.0-pre1",
+      "version": "1.21.3",
      "license": "ISC",
      "dependencies": {
        "@aws-crypto/sha256-js": "^5.2.0"
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.22.0-pre1",
+  "version": "1.21.3",
  "description": "",
  "main": "index.js",
  "scripts": {
@@ -30,4 +30,4 @@
  "dependencies": {
    "@aws-crypto/sha256-js": "^5.2.0"
  }
-}
+}
Author	SHA1	Message	Date
Xe Iaso	f6ed08336d	chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-08-20 22:55:02 +00:00
Xe Iaso	4d41f48675	fix(default-config): also block alibaba cloud Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-08-20 22:53:30 +00:00