Server: Add host whitelisting (#4476)

* Add host whitelisting middleware * Add prompt to enable hostWhitelist * perf: Freeze config array * Update src/middleware/hostWhitelist.js Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * perf: Add max known hosts limit * Add validation warning disable hint * Add conditional host whitelist middleware based on SSL configuration * Check for cache exhaustion before logging * Revert "Add conditional host whitelist middleware based on SSL configuration" This reverts commit 968104c6f4f2e4b72e1fd8ceff0a4b0ded216d69. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-09-04 20:52:23 +03:00
parent e871886b13
commit d134abd50e
6 changed files with 95 additions and 0 deletions
@@ -94,6 +94,18 @@ autheliaAuth: false
 # the username and passwords for basic auth are the same as those
 # for the individual accounts
 perUserBasicAuth: false
+# Host whitelist configuration. Recommended if you're using a listen mode
+hostWhitelist:
+  # Enable or disable host whitelisting
+  enabled: false
+  # Scan incoming requests for potential host header spoofing
+  scan: true
+  # List of allowed hosts. Do not include localhost or IPs, these are safe.
+  # Use a dot to create subdomain patterns.
+  # Examples:
+  # - example.com
+  # - .trycloudflare.com
+  hosts: []

 # User session timeout *in seconds* (defaults to 24 hours).
 ## Set to a positive number to expire session after a certain time of inactivity
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Forbidden</title>
+</head>
+
+<body>
+    <h1>Forbidden</h1>
+    <p>
+        If you are the system administrator, add the hostname you are accessing from to the
+        host whitelist, or disable host whitelisting in the
+        <code>config.yaml</code> file located in the root directory of your installation.
+    </p>
+    <hr />
+    <p>
+        <em>Access from this host is not allowed. This attempt has been logged.</em>
+    </p>
+</body>
+
+</html>