diff --git a/.github/workflows/BuildEmAll.yml b/.github/workflows/BuildEmAll.yml new file mode 100644 index 0000000..58732d0 --- /dev/null +++ b/.github/workflows/BuildEmAll.yml @@ -0,0 +1,105 @@ +name: Docker Multi-Platform Build, Push & Release + +on: + # Trigger the workflow on pushes to the master branch that change files in the dyndns directory + push: + branches: [ "master" ] + paths: + - 'dyndns/**' + + # Allow this workflow to be run manually from the Actions tab + workflow_dispatch: + +# Define environment variables for the entire workflow for easy configuration +env: + DOCKER_IMAGE_NAME: w3kllc/ddns + +jobs: + Build-Em-All: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + # Fetch all history for all tags and branches + with: + fetch-depth: 0 + + - name: Determine Version Tag + id: get_version + run: | + # Get the most recent commit message reliably + LATEST_COMMIT_MSG=$(git log -1 --pretty=%B) + + # 1. Try to get version from commit message (e.g., "v1.2.3 Something something") + # The '|| true' ensures that if grep finds nothing, it doesn't cause the script to exit with an error. + COMMIT_MSG_VERSION=$(echo "$LATEST_COMMIT_MSG" | grep -oP '^v[0-9]+\.[0-9]+(\.[0-9]+)?' || true) + + if [[ -n "$COMMIT_MSG_VERSION" ]]; then + echo "Found version in commit message: $COMMIT_MSG_VERSION" + echo "TAG=$COMMIT_MSG_VERSION" >> "$GITHUB_OUTPUT" + exit 0 + fi + + echo "No version found in commit message. Checking for existing Git tags." + + # 2. If no version in commit, get the latest git tag + LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null) + + if [[ -n "$LATEST_TAG" ]]; then + echo "Found latest tag: $LATEST_TAG" + # Increment the patch version of the tag (e.g., v1.2.3 -> v1.2.4 or v1.2 -> v1.3) + NEW_TAG=$(echo "$LATEST_TAG" | awk -F. -v OFS=. '{$NF = $NF + 1;} 1') + echo "Incremented tag to: $NEW_TAG" + echo "TAG=$NEW_TAG" >> "$GITHUB_OUTPUT" + else + # 3. If no tags exist, use a date-based version + DATE_TAG="v$(date -u +'%y.%m.%d-%H%M')" + echo "No tags found. Using date-based tag: $DATE_TAG" + echo "TAG=$DATE_TAG" >> "$GITHUB_OUTPUT" + fi + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_IMAGE_NAME }} + tags: | + # Create a tag with the version from the previous step + type=raw,value=${{ steps.get_version.outputs.TAG }} + # Create the 'latest' tag + type=raw,value=latest,enable={{is_default_branch}} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v5 + with: + context: . + file: ./deployment/Dockerfile + platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Create GitHub Release + if: github.event_name != 'pull_request' # Only run on push, not PR + uses: softprops/action-gh-release@v1 + with: + tag_name: ${{ steps.get_version.outputs.TAG }} + name: Release ${{ steps.get_version.outputs.TAG }} + body: | + Docker Image: `${{ env.DOCKER_IMAGE_NAME }}:${{ steps.get_version.outputs.TAG }}` + + ${{ github.event.head_commit.message }} + # The action automatically attaches source code archives (zip and tar.gz) diff --git a/LICENSE b/LICENSE index ed744c3..2d15bd7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,6 @@ MIT License +Copyright (c) 2025 w3K LLC Copyright (c) 2020 Benjamin BΓ€rthlein Copyright (c) 2016 David Prandzioch diff --git a/README.md b/README.md index 1d5f814..09796e3 100644 --- a/README.md +++ b/README.md @@ -1,106 +1,789 @@ # Dynamic DNS Server for Docker with Web UI written in Go -![Build status](https://img.shields.io/github/actions/workflow/status/benjaminbear/docker-ddns-server/build.yml) +![Build status](https://img.shields.io/github/actions/workflow/status/w3K-one/docker-ddns-server/BuildEmAll.yml) +![GitHub release (latest by date)](https://img.shields.io/github/v/release/w3K-one/docker-ddns-server) +![Go version](https://img.shields.io/github/go-mod/go-version/w3K-one/docker-ddns-server?filename=dyndns%2Fgo.mod) +![License](https://img.shields.io/github/license/w3K-one/docker-ddns-server) -![GitHub release (latest by date)](https://img.shields.io/github/v/release/benjaminbear/docker-ddns-server) -![Go version](https://img.shields.io/github/go-mod/go-version/benjaminbear/docker-ddns-server?filename=dyndns%2Fgo.mod) -![License](https://img.shields.io/github/license/benjaminbear/docker-ddns-server) - -With docker-ddns-server you can set up your own dynamic DNS server. This project is inspired by https://github.com/dprandzioch/docker-ddns . In addition to the original version, you can setup and maintain your dyndns entries via simple web ui. +With docker-ddns-server you can set up your own dynamic DNS server. This project is inspired by https://github.com/dprandzioch/docker-ddns. In addition to the original version, you can setup and maintain your dyndns entries via a simple web UI with comprehensive security features, modern authentication, and threat monitoring.

- - - + + + + + + + +

-## Installation +## ✨ Key Features -You can either take the docker image or build it on your own. +- **Web-Based Management** - Easy-to-use web interface for managing DNS entries +- **Security & IP Blocking** - Automatic protection against brute-force attacks +- **Modern Authentication** - Session-based admin login with HTTPS support +- **Security Dashboard** - Real-time monitoring of threats and blocked IPs +- **Multi-Platform Support** - Runs on amd64, arm64, arm (Raspberry Pi compatible) +- **Automatic Migration** - Handles legacy data with automatic normalization +- **Reverse Proxy Ready** - Works seamlessly with nginx, Caddy, Traefik +- **Threat Intelligence** - Comprehensive logging for attack pattern analysis -### Using the docker image +--- -https://registry.hub.docker.com/r/bbaerthlein/docker-ddns-server +## πŸ“¦ Installation -Just customize this to your needs and run: +You can either use the pre-built Docker image or build it yourself. -``` +### Using the Docker Image + +Docker Hub: https://hub.docker.com/r/w3kllc/ddns + +**Quick Start:** +```bash docker run -it -d \ -p 8080:8080 \ -p 53:53 \ -p 53:53/udp \ -v /somefolder:/var/cache/bind \ -v /someotherfolder:/root/database \ - -e DDNS_ADMIN_LOGIN=admin:123455546. \ + -e DDNS_ADMIN_LOGIN=admin:$$2y$$05$$... \ -e DDNS_DOMAINS=dyndns.example.com \ -e DDNS_PARENT_NS=ns.example.com \ -e DDNS_DEFAULT_TTL=3600 \ + -e DDNS_SESSION_SECRET=your-random-32-char-secret \ --name=dyndns \ - bbaerthlein/docker-ddns-server:latest + w3kllc/ddns:latest ``` -### Using docker-compose +### Using docker-compose (Recommended) -You can also use Docker Compose to set up this project. For an example `docker-compose.yml`, please refer to this file: https://github.com/benjaminbear/docker-ddns-server/blob/master/deployment/docker-compose.yml +For a complete setup example, see: [docker-compose.yml](https://github.com/w3K-one/docker-ddns-server/blob/master/deployment/docker-compose.yml) -### Configuration +**Example docker-compose.yml:** +```yaml +version: '3.8' -`DDNS_ADMIN_LOGIN` is a htpasswd username password combination used for the web ui. You can create one by using htpasswd: +services: + ddns: + image: w3kllc/ddns:latest + container_name: dyndns + ports: + - "8080:8080" + - "53:53" + - "53:53/udp" + volumes: + - ./bind:/var/cache/bind + - ./database:/root/database + - ./static:/app/static # Optional: for custom logo + environment: + # Required + - DDNS_ADMIN_LOGIN=admin:$$2y$$05$$hashed_password_here + - DDNS_DOMAINS=dyndns.example.com + - DDNS_PARENT_NS=ns.example.com + - DDNS_DEFAULT_TTL=3600 + + # Security (Recommended) + - DDNS_SESSION_SECRET=your-random-32-character-secret-key + + # Optional + - DDNS_TITLE=My DynDNS Server + - DDNS_CLEAR_LOG_INTERVAL=30 + - DDNS_ALLOW_WILDCARD=true + - DDNS_LOGOUT_URL=https://example.com + - DDNS_POWERED_BY=ACME Inc + - DDNS_POWERED_BY_URL=https://acme.inc + restart: unless-stopped ``` -htpasswd -nb user password + +--- + +## βš™οΈ Configuration + +### Environment Variables + +#### Required Variables + +**`DDNS_ADMIN_LOGIN`** +Admin credentials in htpasswd format for web UI access. + +Generate with: +```bash +htpasswd -nb username password ``` -If you want to embed this into a docker-compose.yml you have to double the dollar signs for escaping: + +For docker-compose.yml (escape dollar signs): +```bash +echo $(htpasswd -nb username password) | sed -e s/\\$/\\$\\$/g ``` -echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g + +If not set, all `/@/` routes are accessible without authentication (useful with auth proxy). + +**`DDNS_DOMAINS`** +Comma-separated list of domains managed by the server. +Example: `dyndns.example.com,dyndns.example.org` + +**`DDNS_PARENT_NS`** +Parent nameserver of your domain. +Example: `ns.example.com` + +**`DDNS_DEFAULT_TTL`** +Default TTL (Time To Live) for DNS records in seconds. +Example: `3600` (1 hour) + +#### Security Variables (Recommended) + +**`DDNS_SESSION_SECRET`** +Secret key for session encryption. Should be 32+ random characters. + +Generate with: +```bash +# Linux/Mac +openssl rand -base64 32 + +# Or using Python +python3 -c "import secrets; print(secrets.token_urlsafe(32))" ``` -If `DDNS_ADMIN_LOGIN` is not set, all /admin routes are without protection. (use case: auth proxy) -`DDNS_DOMAINS` are the domains of the webservice and the domain zones of your dyndns server (see DNS Setup) i.e. `dyndns.example.com,dyndns.example.org` (comma separated list) +⚠️ **Important:** Without this variable, sessions won't persist across container restarts. + +#### Optional Variables + +**`DDNS_TITLE`** +Custom site title displayed in the web UI. +Default: `"w3K DynDNS"` -`DDNS_PARENT_NS` is the parent name server of your domain i.e. `ns.example.com` +**`DDNS_CLEAR_LOG_INTERVAL`** +Automatically clear log entries older than specified days. +Example: `30` (keep 30 days of logs) -`DDNS_DEFAULT_TTL` is the default TTL of your dyndns server. +**`DDNS_ALLOW_WILDCARD`** +Enable wildcard DNS resolution (e.g., `*.subdomain.dyndns.example.com`). +Values: `true` or `false` -`DDNS_CLEAR_LOG_INTERVAL` optional: clear log entries automatically in days (integer) e.g. `DDNS_CLEAR_LOG_INTERVAL:30` +**`DDNS_LOGOUT_URL`** +Redirect to this URL after logout. +Example: `https://example.com` -`DDNS_ALLOW_WILDCARD` optional: allows all `*.subdomain.dyndns.example.com` to point to your ip (boolean) e.g. `true` +**`DDNS_POWERED_BY`** +Show this in the footer credits. +Example: `ACME Inc` -`DDNS_LOGOUT_URL` optional: allows a logout redirect to certain url by clicking the logout button (string) e.g. `https://example.com` +**`DDNS_POWERED_BY_URL`** +The URL to _ACME Inc_. +Example: `https:/acme.inc` -### DNS setup +--- -If your parent domain is `example.com` and you want your dyndns domain to be `dyndns.example.com`, -an example domain of your dyndns server would be `blog.dyndns.example.com`. +## 🌐 DNS Setup + +If your parent domain is `example.com` and you want your DynDNS domain to be `dyndns.example.com`, your DynDNS hosts would be like `blog.dyndns.example.com`. + +Add these entries to your parent DNS server: + +``` +dyndns IN NS ns +ns IN A +ns IN AAAA (optional) +``` -You have to add these entries to your parent dns server: +**Example:** ``` dyndns IN NS ns -ns IN A -ns IN AAAA +ns IN A 203.0.113.10 +ns IN AAAA 2001:db8::10 ``` -## Updating entry +--- -After you have added a host via the web ui you can setup your router. -Example update URL: +## πŸ” Security Features + +### IP Blocking & Threat Protection + +- **Automatic IP Blocking**: IPs are blocked after 3 failed authentication attempts within 72 hours +- **7-Day Block Duration**: Blocked IPs are automatically unblocked after 7 days +- **Failed Authentication Logging**: Comprehensive logs including IP, timestamp, username, and password +- **Threat Intelligence**: Analyze attack patterns and password attempts +- **Manual Unblock**: Security dashboard allows manual IP unblocking +- **Automatic Cleanup**: Expired blocks and old logs are cleaned up automatically + +### Session-Based Authentication + +- **Modern Login Page**: No browser popup dialogs +- **Secure Sessions**: HttpOnly, Secure, and SameSite cookie attributes +- **Remember Me**: Optional 30-day session duration +- **Proper Logout**: Destroys sessions completely +- **HTTPS Enforcement**: Automatic redirect to HTTPS when available +- **Reverse Proxy Support**: Detects SSL via X-Forwarded-Proto headers + +### Security Dashboard + +Access the security dashboard at `/@/security` to: +- Monitor blocked IPs and active threats +- Review failed authentication attempts +- Analyze password patterns in attack attempts +- Manually unblock IP addresses +- View statistics and historical data + +**Password Logging Rationale:** +This is a single-user system where the admin is the only legitimate user. All other login attempts are malicious by definition. Password logging enables threat intelligence analysis to determine if attackers are getting close to your actual password. Ensure your database volume is properly secured. + +--- + +## πŸ–₯️ Admin Panel Access + +The admin panel is accessible at `/@/` (not `/admin/` - more unique, less common). + +### Main Features + +- 🏠 **Dashboard** (`/@/`) - Overview and quick access +- πŸ“ **Hosts** (`/@/hosts`) - Manage DNS hosts with automatic lowercase migration +- πŸ”— **CNAMEs** (`/@/cnames`) - Manage CNAME records +- πŸ“Š **Logs** (`/@/logs`) - View update history +- πŸ”’ **Security** (`/@/security`) - Monitor threats and blocked IPs +- ⏏️ **Logout** (`/@/logout`) - End session securely + +### Authentication Flow + +1. Navigate to `/@/` (or any admin route) +2. Redirected to `/@/login` if not authenticated +3. Enter admin credentials +4. Optionally check "Remember Me" for 30-day session +5. Access admin panel +6. Click logout icon (⏏️) when done + +**HTTPS Detection:** +If running behind a reverse proxy with SSL, the system automatically detects HTTPS and enforces it for the admin panel while keeping API endpoints accessible via HTTP for device compatibility. + +--- + +## πŸ”„ Updating DNS Entries + +After adding a host via the web UI, configure your router or device to update its IP address. + +### Update URLs + +The server accepts updates on multiple endpoints: +- `/update` +- `/nic/update` +- `/v2/update` +- `/v3/update` + +### With IP Address Specified ``` http://dyndns.example.com:8080/update?hostname=blog.dyndns.example.com&myip=1.2.3.4 -or +``` + +Or with authentication in URL: +``` http://username:password@dyndns.example.com:8080/update?hostname=blog.dyndns.example.com&myip=1.2.3.4 ``` -this updates the host `blog.dyndns.example.com` with the IP 1.2.3.4. You have to setup basic authentication with the username and password from the web ui. +### Without IP Address (Auto-detect) -If your router doensn't support sending the ip address (OpenWRT) you don't have to set myip field: +If your router/device doesn't support sending the IP address (e.g., OpenWRT), omit the `myip` parameter: ``` http://dyndns.example.com:8080/update?hostname=blog.dyndns.example.com -or +``` + +Or with authentication: +``` http://username:password@dyndns.example.com:8080/update?hostname=blog.dyndns.example.com ``` -The handler will also listen on: -* /nic/update -* /v2/update -* /v3/update +The server will automatically use the client's IP address from the request. + +### Authentication + +API endpoints use **HTTP Basic Authentication** with the username and password you set for each host in the web UI (not the admin credentials). + +**Important:** +- **Admin credentials** (`DDNS_ADMIN_LOGIN`) - For web UI access at `/@/` +- **Host credentials** - For API updates, set per-host in the web UI + +--- + +## 🎨 UI/UX Features + +### Automatic Logo Detection + +Place a logo file in the static directory to automatically display it: + +**Supported formats:** +- `static/icons/logo.png` +- `static/icons/logo.webp` +- `static/icons/logo.svg` + +If no logo is found, the system displays the text title (`DDNS_TITLE`). + +**Docker volume mount for custom logo:** +```yaml +volumes: + - ./static:/app/static +``` + +Then place your logo at: `./static/icons/logo.png` + +### Visual Improvements + +- **Sticky Header**: Navigation remains visible while scrolling +- **Unicode Icons**: 🏠 Dashboard, πŸ”’ Security, ⏏️ Logout (with tooltips) +- **Modern Design**: Clean, professional interface +- **HTTPS Indicator**: Visual confirmation of secure connection on login page +- **Password Controls**: Hide/reveal functionality with confirmation prompts +- **Responsive Layout**: Works on desktop, tablet, and mobile + +--- + +## πŸ”§ Data Management + +### Automatic Hostname Normalization + +All usernames and hostnames are automatically converted to lowercase to prevent case-sensitivity issues: +- Database storage is always lowercase +- Lookups are case-insensitive +- Prevents duplicate entries with different cases + +### Legacy Data Migration + +When accessing `/@/hosts` for the first time, the system automatically migrates any uppercase entries: +- Converts hostnames to lowercase +- Handles conflicts by appending numbers (e.g., `host-1`, `host-2`) +- Displays migration report in the UI +- One-time process, status persisted in database +- Non-destructive, preserves all host data + +### Username Flexibility + +- **Non-Unique Usernames**: Multiple hosts can share the same username +- Enables flexible credential management strategies +- Each host can have the same or different password + +### Validation Rules + +- **Hostnames**: Minimum 1 character (allows single-letter subdomains) +- **Usernames**: Minimum 1 character +- **Passwords**: Minimum 6 characters + +--- + +## πŸ”€ Reverse Proxy Configuration + +The application intelligently detects HTTPS availability and adjusts behavior accordingly. + +### HTTPS Detection Methods + +1. Direct TLS connection (`request.TLS`) +2. `X-Forwarded-Proto` header +3. `X-Forwarded-Ssl` header +4. `X-Url-Scheme` header + +### Behavior + +**Admin Panel (`/@/*`):** +- Auto-redirects to HTTPS when available +- Graceful HTTP fallback if HTTPS unavailable +- Session cookies use Secure flag with HTTPS + +**API Endpoints (`/update`, `/nic/update`, etc.):** +- Always accept HTTP connections +- No forced HTTPS redirect (device compatibility) +- Works with devices that don't support HTTPS + +### Example Nginx Configuration + +```nginx +server { + listen 443 ssl; + server_name dyndns.example.com; + + ssl_certificate /path/to/fullchain.pem; + ssl_certificate_key /path/to/privkey.pem; + + # Recommended SSL settings + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} + +# Optional: HTTP to HTTPS redirect +server { + listen 80; + server_name dyndns.example.com; + return 301 https://$server_name$request_uri; +} +``` + +### Example Caddy Configuration + +``` +dyndns.example.com { + reverse_proxy localhost:8080 +} +``` + +Caddy automatically handles SSL certificates and sets appropriate headers. + +--- + +## 🐳 Multi-Platform Docker Support + +### Automated Builds + +Docker images are automatically built via GitHub Actions for multiple platforms: + +**Supported Platforms:** +- `linux/amd64` - Intel/AMD 64-bit (standard servers, PCs) +- `linux/386` - Intel/AMD 32-bit (older systems) +- `linux/arm/v7` - ARM 32-bit (Raspberry Pi 2/3, older ARM devices) +- `linux/arm64` - ARM 64-bit (Raspberry Pi 4+, modern ARM servers) + +### Version Tags + +Docker images are tagged using semantic versioning: + +**`:latest`** - Always points to the most recent stable build + +**`:vX.Y.Z`** - Semantic version tags (e.g., `:v1.2.3`) +- Version from commit message (if commit starts with `vX.Y.Z`) +- OR auto-incremented from last git tag +- OR date-based tag if no version tags exist + +**Example:** +```bash +# Pull latest version +docker pull w3kllc/ddns:latest + +# Pull specific version +docker pull w3kllc/ddns:v1.2.3 + +# Pull specific platform +docker pull --platform linux/arm64 w3kllc/ddns:latest +``` + +### Versioning Strategy + +The build system automatically determines version tags using this priority order: + +1. **Commit Message Version** (Highest Priority): If your commit message title starts with `vX.Y.Z` (e.g., `v1.2.3`), that exact version is used +2. **Auto-Increment from Last Tag**: If no version in commit message, finds the latest git tag and increments the patch version (e.g., `v1.2.3` β†’ `v1.2.4`) +3. **Date-Based Fallback**: If no git tags exist at all, uses timestamp format `vYY.MM.DD-HHMM` (e.g., `v25.10.11-1430`) + +**Example commit messages:** +```bash +# Explicit version (workflow extracts "v1.3.0" from start of commit message) +git commit -m "v1.3.0 Add new security features" + +# Auto-increment (no version found, so increments last tag: v1.2.3 β†’ v1.2.4) +git commit -m "Fix bug in authentication" + +# Date-based (no tags exist yet, uses timestamp: v25.10.11-1430) +git commit -m "Initial release" +``` + +**How version extraction works:** +- Workflow searches for pattern `vX.Y.Z` or `vX.Y` at the **start** of commit message +- Must begin with `v` followed by numbers and dots +- Examples that work: `v1.0.0`, `v2.1.3`, `v1.2` +- Examples that won't work: `version 1.0.0` (missing `v`), `Release v1.0.0` (doesn't start with `v`) + +### GitHub Releases + +Each build automatically creates a GitHub release with: +- Version tag +- Docker image reference +- Commit message as release notes +- Source code archives (zip and tar.gz) + +--- + +## πŸš€ Migration from Original Project + +If migrating from `dprandzioch/docker-ddns` or older versions of this fork: + +### Before Migration + +1. **Backup your data:** + ```bash + docker cp dyndns:/root/database ./backup-database + docker cp dyndns:/var/cache/bind ./backup-bind + ``` + +2. **Note your current configuration** (environment variables) + +### Breaking Changes + +1. **Admin Panel URL**: Changed from `/admin` to `/@/` + - Update bookmarks and links + - Use `/@/login` for login page + +2. **Authentication Method**: Admin panel now uses sessions + - Add `DDNS_SESSION_SECRET` environment variable + - Login via web form instead of browser popup + +3. **New Recommended Variable**: `DDNS_SESSION_SECRET` + - Required for session persistence + - Generate: `openssl rand -base64 32` + +### Migration Steps + +1. **Update docker-compose.yml** or docker command with new variables +2. **Add `DDNS_SESSION_SECRET`** to environment +3. **Update bookmarks** from `/admin` to `/@/` +4. **Restart container** with new configuration +5. **Visit `/@/hosts`** to trigger automatic data migration +6. **Review security dashboard** for any blocked IPs + +### Backward Compatibility + +βœ… **Fully Compatible:** +- DynDNS API endpoints unchanged +- HTTP Basic Auth still works for device updates +- Existing host configurations work without changes +- Database schema additions are non-breaking +- All original functionality preserved + +⚠️ **Manual Update Required:** +- Bookmark/link updates for admin panel +- Addition of session secret (recommended) + +--- + +## πŸ” Troubleshooting + +### Login Issues + +**Problem:** Login redirects back to login page +**Solution:** Ensure `DDNS_SESSION_SECRET` is set. Without it, sessions won't persist. + +**Problem:** Can't remember admin password +**Solution:** Regenerate password with `htpasswd -nb username newpassword` and update `DDNS_ADMIN_LOGIN` + +### HTTPS Issues + +**Problem:** HTTPS redirect loop +**Solution:** Verify reverse proxy sends `X-Forwarded-Proto: https` header + +**Problem:** "Not Secure" warning +**Solution:** Check SSL certificate configuration in your reverse proxy + +### IP Blocking + +**Problem:** Locked out after failed login attempts +**Solution:** +- Wait 7 days for automatic unblock +- OR manually remove from `blocked_ips` table in database +- OR access database with SQLite: `DELETE FROM blocked_ips WHERE ip_address='YOUR_IP';` + +### API Updates + +**Problem:** Device updates not working +**Solution:** +- API uses host credentials (from web UI), not admin credentials +- Check username/password for specific host in `/@/hosts` +- Verify device is sending correct Basic Auth headers + +**Problem:** "nochg" response from server +**Solution:** IP address hasn't changed, this is normal behavior + +### Build Issues + +**Problem:** `missing go.sum entry for gorilla/sessions` +**Solution:** +```bash +go get github.com/gorilla/sessions@v1.2.2 +go mod tidy +``` + +### Database Issues + +**Problem:** Database locked errors +**Solution:** Ensure only one container instance is running + +**Problem:** Lost all data after update +**Solution:** Check volume mounts are correct in docker-compose.yml + +--- + +## πŸ›‘οΈ Security Best Practices + +1. **Always Set Session Secret** + Generate a strong random secret: `openssl rand -base64 32` + +2. **Use HTTPS with Reverse Proxy** + Never expose the admin panel over plain HTTP in production + +3. **Secure Database Volume** + Set appropriate file permissions: + ```bash + chmod 700 /path/to/database + ``` + +4. **Regular Updates** + Keep Docker image updated: `docker pull w3kllc/ddns:latest` + +5. **Monitor Security Dashboard** + Check `/@/security` regularly for attack patterns + +6. **Strong Admin Password** + Use a password manager to generate and store strong credentials + +7. **Separate Credentials** + Use different passwords for admin and each host + +8. **Firewall Configuration** + Limit access to web UI (port 8080) to trusted networks if possible + +9. **Database Backups** + Regularly backup the database volume + +10. **Password Logging Awareness** + Remember that failed auth logs include passwords - secure your database + +--- + +## πŸ“š API Reference + +### Update Endpoints + +All endpoints accept the same parameters: + +**Endpoints:** +- `GET /update` +- `GET /nic/update` +- `GET /v2/update` +- `GET /v3/update` + +**Parameters:** +- `hostname` (required) - Fully qualified domain name to update +- `myip` (optional) - IP address to set (auto-detected if omitted) + +**Authentication:** +- HTTP Basic Auth using host credentials (username/password from web UI) + +**Response Codes:** +- `good ` - Update successful +- `nochg ` - IP address hasn't changed +- `badauth` - Authentication failed +- `notfqdn` - Hostname is not a valid FQDN +- `nohost` - Hostname doesn't exist +- `abuse` - IP address has been blocked + +**Example:** +```bash +curl -u username:password \ + "http://dyndns.example.com:8080/update?hostname=test.dyndns.example.com&myip=1.2.3.4" +``` + +--- + +## 🀝 Contributing + +Contributions are welcome! Whether it's bug fixes, new features, documentation improvements, or reporting issues. + +### How to Contribute + +1. **Fork the repository** +2. **Create a feature branch** (`git checkout -b feature/amazing-feature`) +3. **Make your changes** +4. **Test thoroughly** +5. **Commit your changes** (`git commit -m 'Add amazing feature'`) +6. **Push to your fork** (`git push origin feature/amazing-feature`) +7. **Open a Pull Request** + +### Development Setup + +```bash +# Clone the repository +git clone https://github.com/w3K-one/docker-ddns-server.git +cd docker-ddns-server + +# Build the application +cd dyndns +go build + +# Run tests (if available) +go test ./... + +# Build Docker image locally +cd .. +docker build -t ddns:dev -f deployment/Dockerfile . +``` + +### Code Style + +- Follow Go conventions and best practices +- Use `gofmt` for code formatting +- Add comments for complex logic +- Write meaningful commit messages + +--- + +## πŸ“„ License + +This project is licensed under the MIT License - see the LICENSE file for details. + +--- + +## πŸ™ Credits + +**Original Project:** +[dprandzioch/docker-ddns](https://github.com/dprandzioch/docker-ddns) - Original DynDNS server implementation + +**Web UI Fork:** +[benjaminbear/docker-ddns-server](https://github.com/benjaminbear/docker-ddns-server) - Added web UI for management + +**Enhanced Fork:** +[w3K-one/docker-ddns-server](https://github.com/w3K-one/docker-ddns-server) - Security features, modern auth, multi-platform support + +### Major Enhancements in This Fork + +- πŸ”’ IP blocking and threat protection system +- πŸ” Session-based authentication with modern login +- πŸ“Š Security dashboard for monitoring attacks +- 🌐 HTTPS enforcement with reverse proxy support +- 🎨 Enhanced UI/UX with logo support and sticky header +- πŸ“¦ Multi-platform Docker builds (amd64, arm64, arm, 386) +- πŸ”„ Automatic data migration and normalization +- πŸ“ Comprehensive documentation +- πŸ€– Automated CI/CD with GitHub Actions +- 🏷️ Semantic versioning with automatic releases + +--- + +## πŸ’¬ Support + +- **Issues:** [GitHub Issues](https://github.com/w3K-one/docker-ddns-server/issues) +- **Discussions:** [GitHub Discussions](https://github.com/w3K-one/docker-ddns-server/discussions) +- **Docker Hub:** [w3kllc/ddns](https://hub.docker.com/r/w3kllc/ddns) + +--- + +## πŸ—ΊοΈ Roadmap + +Potential future enhancements: +- Email notifications for security events +- Two-factor authentication (2FA) +- API rate limiting +- Web-based configuration wizard +- DNS over HTTPS (DoH) support +- Prometheus metrics export +- Docker Swarm / Kubernetes support +- Advanced search and filtering in logs +- Bulk host management + +Have an idea? [Open an issue](https://github.com/w3K-one/docker-ddns-server/issues) or start a [discussion](https://github.com/w3K-one/docker-ddns-server/discussions)! + +--- + +**Made with ❀️ by the community** diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml index 3844e77..08faff0 100644 --- a/deployment/docker-compose.yml +++ b/deployment/docker-compose.yml @@ -1,8 +1,8 @@ version: '3' services: ddns: - image: bbaerthlein/docker-ddns-server:latest - restart: always + image: w3kllc/ddns:latest + restart: unless-stopped environment: DDNS_ADMIN_LOGIN: 'admin:$$3$$abcdefg' DDNS_DOMAINS: 'dyndns.example.com' diff --git a/dyndns/go.mod b/dyndns/go.mod index a45f6a0..f07c8c5 100644 --- a/dyndns/go.mod +++ b/dyndns/go.mod @@ -1,10 +1,11 @@ -module github.com/benjaminbear/docker-ddns-server/dyndns +module github.com/w3K-one/docker-ddns-server/dyndns go 1.22 require ( github.com/foolin/goview v0.3.0 github.com/go-playground/validator/v10 v10.20.0 + github.com/gorilla/sessions v1.2.2 github.com/labstack/echo/v4 v4.12.0 github.com/labstack/gommon v0.4.2 github.com/tg123/go-htpasswd v1.2.2 @@ -18,6 +19,7 @@ require ( github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect github.com/golang-jwt/jwt v3.2.2+incompatible // indirect + github.com/gorilla/securecookie v1.1.2 // indirect github.com/jinzhu/inflection v1.0.0 // indirect github.com/jinzhu/now v1.1.5 // indirect github.com/leodido/go-urn v1.4.0 // indirect diff --git a/dyndns/go.sum b/dyndns/go.sum index c995b7d..32e2955 100644 --- a/dyndns/go.sum +++ b/dyndns/go.sum @@ -25,6 +25,12 @@ github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaC github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= +github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= +github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY= +github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= diff --git a/dyndns/handler/auth.go b/dyndns/handler/auth.go new file mode 100644 index 0000000..9a32560 --- /dev/null +++ b/dyndns/handler/auth.go @@ -0,0 +1,225 @@ +package handler + +import ( + "crypto/rand" + "encoding/base64" + "net/http" + "time" + + "github.com/labstack/echo/v4" + "github.com/labstack/gommon/log" +) + +// Session key constants +const ( + SessionName = "ddns_session" + SessionUserKey = "user" + SessionAuthKey = "authenticated" + SessionCreatedAt = "created_at" + SessionExpiresAt = "expires_at" +) + +// ShowLoginPage renders the login page +func (h *Handler) ShowLoginPage(c echo.Context) error { + // Check if already authenticated + if h.IsAuthenticated(c) { + return c.Redirect(http.StatusFound, "/@/hosts") + } + + // Check if there's an error message from failed login + errorMsg := c.QueryParam("error") + + return c.Render(http.StatusOK, "login", echo.Map{ + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, + "error": errorMsg, + }) +} + +// HandleLogin processes login form submission +func (h *Handler) HandleLogin(c echo.Context) error { + username := c.FormValue("username") + password := c.FormValue("password") + rememberMe := c.FormValue("remember_me") == "on" + + // Get client IP for logging + clientIP := ExtractIPFromRequest( + c.Request().RemoteAddr, + c.Request().Header.Get("X-Forwarded-For"), + c.Request().Header.Get("X-Real-IP"), + ) + + // Validate credentials + authenticated, err := h.authByEnv(username, password) + if err != nil { + log.Error("Authentication error:", err) + h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password) + return c.Redirect(http.StatusFound, "/@/login?error=authentication_error") + } + + if !authenticated { + log.Warnf("Failed login attempt from IP %s, username: %s", clientIP, username) + h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password) + return c.Redirect(http.StatusFound, "/@/login?error=invalid_credentials") + } + + // Authentication successful - create session + sess, err := h.GetSession(c) + if err != nil { + log.Error("Session creation error:", err) + return c.Redirect(http.StatusFound, "/@/login?error=session_error") + } + + // Set session values + sess.Values[SessionUserKey] = username + sess.Values[SessionAuthKey] = true + sess.Values[SessionCreatedAt] = time.Now().Unix() + + // Set expiration based on remember me + if rememberMe { + sess.Options.MaxAge = 30 * 24 * 60 * 60 // 30 days + sess.Values[SessionExpiresAt] = time.Now().Add(30 * 24 * time.Hour).Unix() + } else { + sess.Options.MaxAge = 24 * 60 * 60 // 24 hours + sess.Values[SessionExpiresAt] = time.Now().Add(24 * time.Hour).Unix() + } + + // Set secure flag if using HTTPS + if h.IsHTTPS(c) { + sess.Options.Secure = true + } + + // Save session + if err := sess.Save(c.Request(), c.Response()); err != nil { + log.Error("Session save error:", err) + return c.Redirect(http.StatusFound, "/@/login?error=session_error") + } + + log.Infof("Successful login from IP %s, username: %s", clientIP, username) + + // Redirect to originally requested page or default to hosts + redirect := c.QueryParam("redirect") + if redirect == "" || redirect == "/@/login" { + redirect = "/@/hosts" + } + return c.Redirect(http.StatusFound, redirect) +} + +// HandleLogout destroys the session and logs out the user +func (h *Handler) HandleLogout(c echo.Context) error { + sess, err := h.GetSession(c) + if err == nil { + // Get username before destroying session + username := "unknown" + if user, ok := sess.Values[SessionUserKey].(string); ok { + username = user + } + + // Destroy session + sess.Options.MaxAge = -1 + sess.Values = make(map[interface{}]interface{}) + sess.Save(c.Request(), c.Response()) + + if username != "" { + log.Infof("User %s logged out", username) + } + } + + // Clear session cookie + c.SetCookie(&http.Cookie{ + Name: SessionName, + Value: "", + Path: "/", + MaxAge: -1, + HttpOnly: true, + Secure: h.IsHTTPS(c), + SameSite: http.SameSiteStrictMode, + }) + + // ALWAYS render logout page (not redirect) + // Pass LogoutUrl so JavaScript can handle delayed redirect + return c.Render(http.StatusOK, "logout", echo.Map{ + "title": h.Title, + "logoPath": h.LogoPath, + "logoutUrl": h.LogoutUrl, // Pass the logout URL to template + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, + }) +} + +// IsAuthenticated checks if the current session is authenticated +func (h *Handler) IsAuthenticated(c echo.Context) bool { + if h.DisableAdminAuth { + return true + } + + sess, err := h.GetSession(c) + if err != nil { + return false + } + + // Check if authenticated + authenticated, ok := sess.Values[SessionAuthKey].(bool) + if !ok || !authenticated { + return false + } + + // Check if session has expired + if expiresAt, ok := sess.Values[SessionExpiresAt].(int64); ok { + if time.Now().Unix() > expiresAt { + log.Info("Session expired") + return false + } + } + + return true +} + +// GetSession retrieves or creates a session for the request +func (h *Handler) GetSession(c echo.Context) (*Session, error) { + return h.SessionStore.Get(c.Request(), SessionName) +} + +// GenerateCSRFToken generates a random CSRF token +func GenerateCSRFToken() (string, error) { + b := make([]byte, 32) + if _, err := rand.Read(b); err != nil { + return "", err + } + return base64.URLEncoding.EncodeToString(b), nil +} + +// IsHTTPS checks if the request came via HTTPS +// Checks both direct HTTPS and reverse proxy headers +func (h *Handler) IsHTTPS(c echo.Context) bool { + // Check if direct HTTPS + if c.Request().TLS != nil { + return true + } + + // Check reverse proxy headers + proto := c.Request().Header.Get("X-Forwarded-Proto") + if proto == "https" { + return true + } + + // Check other common headers + if c.Request().Header.Get("X-Forwarded-Ssl") == "on" { + return true + } + + if c.Request().Header.Get("X-Url-Scheme") == "https" { + return true + } + + return false +} + +// GetHTTPSRedirectURL constructs the HTTPS version of the current URL +func (h *Handler) GetHTTPSRedirectURL(c echo.Context) string { + host := c.Request().Host + uri := c.Request().RequestURI + return "https://" + host + uri +} diff --git a/dyndns/handler/cname.go b/dyndns/handler/cname.go index 82423b8..f7e03b7 100644 --- a/dyndns/handler/cname.go +++ b/dyndns/handler/cname.go @@ -5,18 +5,15 @@ import ( "net/http" "strconv" - "github.com/benjaminbear/docker-ddns-server/dyndns/model" - "github.com/benjaminbear/docker-ddns-server/dyndns/nswrapper" + "github.com/w3K-one/docker-ddns-server/dyndns/model" + "github.com/w3K-one/docker-ddns-server/dyndns/nswrapper" "github.com/labstack/echo/v4" "gorm.io/gorm" ) // ListCNames fetches all cnames from database and lists them on the website. func (h *Handler) ListCNames(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - + // Auth check removed - middleware handles this cnames := new([]model.CName) if err = h.DB.Preload("Target").Find(cnames).Error; err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -25,16 +22,15 @@ func (h *Handler) ListCNames(c echo.Context) (err error) { return c.Render(http.StatusOK, "listcnames", echo.Map{ "cnames": cnames, "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } // AddCName just renders the "add cname" website. // Therefore all host entries from the database are being fetched. func (h *Handler) AddCName(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - hosts := new([]model.Host) if err = h.DB.Find(hosts).Error; err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -44,6 +40,9 @@ func (h *Handler) AddCName(c echo.Context) (err error) { "config": h.Config, "hosts": hosts, "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } @@ -51,10 +50,6 @@ func (h *Handler) AddCName(c echo.Context) (err error) { // adds the cname entry to the database, // and adds the entry to the DNS server. func (h *Handler) CreateCName(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - cname := &model.CName{} if err = c.Bind(cname); err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -89,10 +84,6 @@ func (h *Handler) CreateCName(c echo.Context) (err error) { // DeleteCName fetches a cname entry from the database by "id" // and deletes the database and DNS server entry to it. func (h *Handler) DeleteCName(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) diff --git a/dyndns/handler/handler.go b/dyndns/handler/handler.go index 6827e4a..ff2e402 100644 --- a/dyndns/handler/handler.go +++ b/dyndns/handler/handler.go @@ -10,7 +10,7 @@ import ( "strings" "time" - "github.com/benjaminbear/docker-ddns-server/dyndns/model" + "github.com/w3K-one/docker-ddns-server/dyndns/model" "github.com/go-playground/validator/v10" "github.com/labstack/echo/v4" "github.com/tg123/go-htpasswd" @@ -28,6 +28,10 @@ type Handler struct { ClearInterval uint64 AllowWildcard bool LogoutUrl string + LogoPath string + SessionStore *SessionStore + PoweredBy string + PoweredByUrl string } type Envs struct { @@ -52,15 +56,16 @@ type Error struct { // To gather admin rights the username password combination must match with the credentials given by the env var. func (h *Handler) AuthenticateUpdate(username, password string, c echo.Context) (bool, error) { h.CheckClearInterval() - reqParameter := c.QueryParam("hostname") + reqParameter := strings.ToLower(c.QueryParam("hostname")) reqArr := strings.SplitN(reqParameter, ".", 2) if len(reqArr) != 2 { log.Error("Error: Something wrong with the hostname parameter") return false, nil } + lowerUsername := strings.ToLower(username) host := &model.Host{} - if err := h.DB.Where(&model.Host{UserName: username, Password: password, Hostname: reqArr[0], Domain: reqArr[1]}).First(host).Error; err != nil { + if err := h.DB.Where(&model.Host{UserName: lowerUsername, Password: password, Hostname: reqArr[0], Domain: reqArr[1]}).First(host).Error; err != nil { log.Error("Error: ", err) return false, nil } @@ -119,8 +124,20 @@ func (h *Handler) ParseEnvs() (adminAuth bool, err error) { var ok bool h.Title, ok = os.LookupEnv("DDNS_TITLE") if !ok { - h.Title = "TheBBCloud DynDNS" + h.Title = "w3K DynDNS" + } + + // ADDED: Check for logo files in the static icons directory upon startup. + logoExtensions := []string{"png", "webp", "svg"} + for _, ext := range logoExtensions { + path := fmt.Sprintf("static/icons/logo.%s", ext) + if _, err := os.Stat(path); err == nil { + h.LogoPath = "/" + path // Store the valid path if found + log.Info("Found logo at: ", h.LogoPath) + break + } } + allowWildcard, ok := os.LookupEnv("DDNS_ALLOW_WILDCARD") if ok { h.AllowWildcard, err = strconv.ParseBool(allowWildcard) @@ -136,6 +153,20 @@ func (h *Handler) ParseEnvs() (adminAuth bool, err error) { } } + h.PoweredBy, ok = os.LookupEnv("DDNS_POWERED_BY") + if !ok || h.PoweredBy == "" { + h.PoweredBy = "w3K LLC" + } else { + log.Info("Powered by set: ", h.PoweredBy) + } + + h.PoweredByUrl, ok = os.LookupEnv("DDNS_POWERED_BY_URL") + if !ok || h.PoweredByUrl == "" { + h.PoweredByUrl = "https://w3K.one/" + } else { + log.Info("Powered by URL set: ", h.PoweredByUrl) + } + clearEnv := os.Getenv("DDNS_CLEAR_LOG_INTERVAL") clearInterval, err := strconv.ParseUint(clearEnv, 10, 32) if err != nil { @@ -153,6 +184,11 @@ func (h *Handler) ParseEnvs() (adminAuth bool, err error) { return adminAuth, fmt.Errorf("environment variable DDNS_DOMAINS has to be set") } + // Initialize session store + if err := h.InitSessionStore(); err != nil { + return adminAuth, fmt.Errorf("failed to initialize session store: %v", err) + } + return adminAuth, nil } @@ -170,7 +206,14 @@ func (h *Handler) InitDB() (err error) { return err } - err = h.DB.AutoMigrate(&model.Host{}, &model.CName{}, &model.Log{}) + // Migrate all models including new security models + err = h.DB.AutoMigrate( + &model.Host{}, + &model.CName{}, + &model.Log{}, + &model.FailedAuth{}, // NEW: Failed authentication tracking + &model.BlockedIP{}, // NEW: Blocked IP tracking + ) return err } diff --git a/dyndns/handler/host.go b/dyndns/handler/host.go index 0bdb6c4..0840125 100644 --- a/dyndns/handler/host.go +++ b/dyndns/handler/host.go @@ -5,13 +5,13 @@ import ( "net" "net/http" "strconv" + "strings" "time" l "github.com/labstack/gommon/log" - "github.com/benjaminbear/docker-ddns-server/dyndns/nswrapper" - - "github.com/benjaminbear/docker-ddns-server/dyndns/model" + "github.com/w3K-one/docker-ddns-server/dyndns/model" + "github.com/w3K-one/docker-ddns-server/dyndns/nswrapper" "github.com/labstack/echo/v4" "gorm.io/gorm" ) @@ -22,10 +22,6 @@ const ( // GetHost fetches a host from the database by "id". func (h *Handler) GetHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -40,42 +36,116 @@ func (h *Handler) GetHost(c echo.Context) (err error) { return c.JSON(http.StatusOK, id) } -// ListHosts fetches all hosts from database and lists them on the website. +// ListHosts fetches all hosts from database, performs an on-the-fly migration to lowercase, and lists them on the website. func (h *Handler) ListHosts(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) + var hosts []model.Host + if err = h.DB.Find(&hosts).Error; err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) } - hosts := new([]model.Host) - if err = h.DB.Find(hosts).Error; err != nil { - return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + var changesMade []string + needsMigration := false + + // Use a map to track existing lowercase hostnames to detect conflicts + existingLowercaseHosts := make(map[string]bool) + for _, host := range hosts { + // Key for host map is a combination of hostname and domain + hostKey := fmt.Sprintf("%s.%s", host.Hostname, host.Domain) + existingLowercaseHosts[hostKey] = true + } + + // Transaction to perform all updates at once for data integrity + err = h.DB.Transaction(func(tx *gorm.DB) error { + for i := range hosts { + originalHostname := hosts[i].Hostname + originalUsername := hosts[i].UserName + + lowerHostname := strings.ToLower(originalHostname) + lowerUsername := strings.ToLower(originalUsername) + + isHostnameLower := originalHostname == lowerHostname + isUsernameLower := originalUsername == lowerUsername + + if isHostnameLower && isUsernameLower { + continue // Skip if already lowercase + } + + needsMigration = true + hostToUpdate := &hosts[i] + + // --- Handle Hostname Migration --- + if !isHostnameLower { + finalHostname := lowerHostname + hostKey := fmt.Sprintf("%s.%s", finalHostname, hostToUpdate.Domain) + if _, exists := existingLowercaseHosts[hostKey]; exists { + for j := 1; ; j++ { + newHostname := fmt.Sprintf("%s%d", lowerHostname, j) + newHostKey := fmt.Sprintf("%s.%s", newHostname, hostToUpdate.Domain) + if _, existsInner := existingLowercaseHosts[newHostKey]; !existsInner { + finalHostname = newHostname + break + } + } + } + hostToUpdate.Hostname = finalHostname + // Add new name to map to prevent collisions within the same run + existingLowercaseHosts[fmt.Sprintf("%s.%s", finalHostname, hostToUpdate.Domain)] = true + changesMade = append(changesMade, fmt.Sprintf("Hostname '%s' was changed to '%s'.", originalHostname, finalHostname)) + } + + // --- Handle Username Migration --- + if !isUsernameLower { + hostToUpdate.UserName = lowerUsername // Simply convert to lowercase + changesMade = append(changesMade, fmt.Sprintf("Username '%s' for host '%s' was changed to '%s'.", originalUsername, hostToUpdate.Hostname, lowerUsername)) + } + + if err := tx.Save(hostToUpdate).Error; err != nil { + return err // Rollback on error + } + } + return nil // Commit + }) + + if err != nil { + return c.JSON(http.StatusInternalServerError, Error{Message: "Failed to migrate database entries: " + err.Error()}) + } + + // If a migration happened, re-query to show the final, updated list + if needsMigration { + if err = h.DB.Find(&hosts).Error; err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + } + + migrationReport := "" + if len(changesMade) > 0 { + migrationReport = strings.Join(changesMade, "\n") } return c.Render(http.StatusOK, "listhosts", echo.Map{ - "hosts": hosts, - "title": h.Title, + "hosts": &hosts, + "title": h.Title, + "logoPath": h.LogoPath, + "migrationReport": migrationReport, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } // AddHost just renders the "add host" website. func (h *Handler) AddHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - return c.Render(http.StatusOK, "edithost", echo.Map{ - "addEdit": "add", - "config": h.Config, - "title": h.Title, + "addEdit": "add", + "config": h.Config, + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } // EditHost fetches a host by "id" and renders the "edit host" website. func (h *Handler) EditHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -87,10 +157,13 @@ func (h *Handler) EditHost(c echo.Context) (err error) { } return c.Render(http.StatusOK, "edithost", echo.Map{ - "host": host, - "addEdit": "edit", - "config": h.Config, - "title": h.Title, + "host": host, + "addEdit": "edit", + "config": h.Config, + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } @@ -98,15 +171,15 @@ func (h *Handler) EditHost(c echo.Context) (err error) { // adds the host entry to the database, // and adds the entry to the DNS server. func (h *Handler) CreateHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - host := &model.Host{} if err = c.Bind(host); err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) } + // Enforce lowercase for new entries + host.Hostname = strings.ToLower(host.Hostname) + host.UserName = strings.ToLower(host.UserName) + if err = c.Validate(host); err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) } @@ -138,15 +211,15 @@ func (h *Handler) CreateHost(c echo.Context) (err error) { // and compares the host data with the entry in the database by "id". // If anything has changed the database and DNS entries for the host will be updated. func (h *Handler) UpdateHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - hostUpdate := &model.Host{} if err = c.Bind(hostUpdate); err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) } + // Enforce lowercase for updated entries + hostUpdate.Hostname = strings.ToLower(hostUpdate.Hostname) + hostUpdate.UserName = strings.ToLower(hostUpdate.UserName) + id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -184,10 +257,6 @@ func (h *Handler) UpdateHost(c echo.Context) (err error) { // DeleteHost fetches a host entry from the database by "id" // and deletes the database and DNS server entry to it. func (h *Handler) DeleteHost(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -250,8 +319,8 @@ func (h *Handler) UpdateIP(c echo.Context) (err error) { } } - // Validate hostname - hostname := c.QueryParam("hostname") + // Validate hostname (already lowercased during authentication) + hostname := strings.ToLower(c.QueryParam("hostname")) if hostname == "" || hostname != host.Hostname+"."+host.Domain { log.Message = "Hostname or combination of authenticated user and hostname is invalid" if err = h.CreateLogEntry(log); err != nil { diff --git a/dyndns/handler/log.go b/dyndns/handler/log.go index 569c110..e2d8757 100644 --- a/dyndns/handler/log.go +++ b/dyndns/handler/log.go @@ -6,7 +6,7 @@ import ( "strconv" "time" - "github.com/benjaminbear/docker-ddns-server/dyndns/model" + "github.com/w3K-one/docker-ddns-server/dyndns/model" "github.com/labstack/echo/v4" ) @@ -21,10 +21,6 @@ func (h *Handler) CreateLogEntry(log *model.Log) (err error) { // ShowLogs fetches all log entries from all hosts and renders them to the website. func (h *Handler) ShowLogs(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - logs := new([]model.Log) if err = h.DB.Preload("Host").Limit(30).Order("created_at desc").Find(logs).Error; err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -33,15 +29,14 @@ func (h *Handler) ShowLogs(c echo.Context) (err error) { return c.Render(http.StatusOK, "listlogs", echo.Map{ "logs": logs, "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } // ShowHostLogs fetches all log entries of a specific host by "id" and renders them to the website. func (h *Handler) ShowHostLogs(c echo.Context) (err error) { - if !h.AuthAdmin { - return c.JSON(http.StatusUnauthorized, &Error{UNAUTHORIZED}) - } - id, err := strconv.Atoi(c.Param("id")) if err != nil { return c.JSON(http.StatusBadRequest, &Error{err.Error()}) @@ -55,6 +50,9 @@ func (h *Handler) ShowHostLogs(c echo.Context) (err error) { return c.Render(http.StatusOK, "listlogs", echo.Map{ "logs": logs, "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, }) } diff --git a/dyndns/handler/middleware.go b/dyndns/handler/middleware.go new file mode 100644 index 0000000..304cc16 --- /dev/null +++ b/dyndns/handler/middleware.go @@ -0,0 +1,248 @@ +package handler + +import ( + "net" + "net/http" + "strings" + "time" + + "github.com/labstack/echo/v4" + "github.com/labstack/gommon/log" +) + +// IPBlockerMiddleware checks if the requesting IP is blocked +func (h *Handler) IPBlockerMiddleware() echo.MiddlewareFunc { + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + // Extract the client IP + clientIP := ExtractIPFromRequest( + c.Request().RemoteAddr, + c.Request().Header.Get("X-Forwarded-For"), + c.Request().Header.Get("X-Real-IP"), + ) + + // Check if IP is blocked + isBlocked, blockedIP, err := h.IsIPBlocked(clientIP) + if err != nil { + log.Errorf("Error checking blocked IP %s: %v", clientIP, err) + // Continue on error to avoid breaking the site + return next(c) + } + + if isBlocked { + log.Warnf("Blocked IP %s attempted to access %s", clientIP, c.Path()) + + // Update last attempt time + if blockedIP != nil { + blockedIP.LastAttemptAt = time.Now() + h.DB.Save(blockedIP) + } + + // Redirect to 127.0.0.1 + return c.Redirect(http.StatusFound, "http://127.0.0.1") + } + + return next(c) + } + } +} + +// SessionAuthMiddleware checks if user is authenticated via session +func (h *Handler) SessionAuthMiddleware() echo.MiddlewareFunc { + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + // Skip auth if disabled + if h.DisableAdminAuth { + return next(c) + } + + // Check if authenticated + if !h.IsAuthenticated(c) { + // Store the original URL for redirect after login + originalURL := c.Request().URL.Path + if c.Request().URL.RawQuery != "" { + originalURL += "?" + c.Request().URL.RawQuery + } + + // Redirect to login page + return c.Redirect(http.StatusFound, "/@/login?redirect="+originalURL) + } + + return next(c) + } + } +} + +// HTTPSRedirectMiddleware redirects HTTP to HTTPS for admin routes +// Only applies to admin routes (/@/*) and only if HTTPS is available +func (h *Handler) HTTPSRedirectMiddleware() echo.MiddlewareFunc { + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + // Only apply to admin routes + if !strings.HasPrefix(c.Path(), "/@/") { + return next(c) + } + + // Skip login page to avoid redirect loop + if c.Path() == "/@/login" { + return next(c) + } + + // Check if already HTTPS + if h.IsHTTPS(c) { + return next(c) + } + + // Check if HTTPS is available by checking X-Forwarded-Proto header exists + // This indicates we're behind a reverse proxy that supports HTTPS + if c.Request().Header.Get("X-Forwarded-Proto") != "" { + // Redirect to HTTPS + httpsURL := h.GetHTTPSRedirectURL(c) + return c.Redirect(http.StatusMovedPermanently, httpsURL) + } + + // No HTTPS available, continue with HTTP + return next(c) + } + } +} + +// UpdateAuthMiddleware wraps BasicAuth for update endpoints +// CRITICAL: Only logs failed auth when credentials are ACTUALLY WRONG, not system errors +func (h *Handler) UpdateAuthMiddleware() echo.MiddlewareFunc { + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + // Extract credentials + username, password, ok := c.Request().BasicAuth() + + if !ok { + // No credentials provided - this is NOT a failed auth attempt + // It's a misconfigured client or direct browser access + return c.String(http.StatusUnauthorized, "badauth\n") + } + + // Attempt authentication + authenticated, authError := h.AuthenticateUpdate(username, password, c) + + // If there was a system error (not wrong credentials), don't log as failed auth + if authError != nil { + log.Errorf("Authentication system error: %v", authError) + return c.String(http.StatusUnauthorized, "badauth\n") + } + + // Only log failed auth if authentication explicitly failed + // This means: credentials were provided, checked, and found to be WRONG + if !authenticated { + clientIP := ExtractIPFromRequest( + c.Request().RemoteAddr, + c.Request().Header.Get("X-Forwarded-For"), + c.Request().Header.Get("X-Real-IP"), + ) + + log.Warnf("Failed DynDNS API authentication from IP %s, username: %s", clientIP, username) + + // Log the failed attempt (but DON'T trigger IP blocking for API endpoints) + h.LogFailedAuth(clientIP, c.Request().UserAgent(), c.Path(), username, password) + + return c.String(http.StatusUnauthorized, "badauth\n") + } + + // Authentication successful + return next(c) + } + } +} + +// CleanupMiddleware periodically cleans up expired blocks and old records +func (h *Handler) CleanupMiddleware() echo.MiddlewareFunc { + // Track last cleanup time + lastCleanup := &time.Time{} + + return func(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + // Run cleanup once per hour + if lastCleanup.IsZero() || time.Since(*lastCleanup) > time.Hour { + go func() { + h.CleanupExpiredBlocks() + h.CleanupOldFailedAuths() + }() + now := time.Now() + lastCleanup = &now + } + + return next(c) + } + } +} + +// ExtractIPFromRequest safely extracts IP from various headers +func ExtractIPFromRequest(remoteAddr string, xForwardedFor string, xRealIP string) string { + // Try X-Real-IP first + if xRealIP != "" { + ip := net.ParseIP(xRealIP) + if ip != nil { + return xRealIP + } + } + + // Try X-Forwarded-For + if xForwardedFor != "" { + // X-Forwarded-For can contain multiple IPs, get the first one + ips := splitAndTrim(xForwardedFor, ",") + if len(ips) > 0 { + ip := net.ParseIP(ips[0]) + if ip != nil { + return ips[0] + } + } + } + + // Fall back to RemoteAddr + ip, _, err := net.SplitHostPort(remoteAddr) + if err != nil { + return remoteAddr + } + + return ip +} + +func splitAndTrim(s string, sep string) []string { + var result []string + for _, part := range split(s, sep) { + trimmed := trim(part) + if trimmed != "" { + result = append(result, trimmed) + } + } + return result +} + +func split(s string, sep string) []string { + // Simple split implementation + var result []string + start := 0 + for i := 0; i < len(s); i++ { + if string(s[i]) == sep { + result = append(result, s[start:i]) + start = i + 1 + } + } + result = append(result, s[start:]) + return result +} + +func trim(s string) string { + // Simple trim implementation + start := 0 + end := len(s) + + for start < end && (s[start] == ' ' || s[start] == '\t') { + start++ + } + + for end > start && (s[end-1] == ' ' || s[end-1] == '\t') { + end-- + } + + return s[start:end] +} diff --git a/dyndns/handler/security.go b/dyndns/handler/security.go new file mode 100644 index 0000000..300fe78 --- /dev/null +++ b/dyndns/handler/security.go @@ -0,0 +1,208 @@ +package handler + +import ( + "strings" + "time" + + "github.com/w3K-one/docker-ddns-server/dyndns/model" + "github.com/labstack/gommon/log" + "gorm.io/gorm" +) + +const ( + MaxFailedAttempts = 3 + BlockDuration = 168 * time.Hour // 7 days (1 week) in hours + LookbackPeriod = 72 * time.Hour // Check failures in last 3 days +) + +// LogFailedAuth records a failed authentication attempt +// WARNING: This logs passwords which is a security risk. Ensure database is properly secured. +// IMPORTANT: IP blocking only applies to admin panel attempts (/@/*), not API endpoints +func (h *Handler) LogFailedAuth(ipAddress, userAgent, path, username, password string) error { + failedAuth := &model.FailedAuth{ + IPAddress: ipAddress, + UserAgent: userAgent, + Timestamp: time.Now(), + Path: path, + Username: username, + Password: password, // SECURITY WARNING: Storing attempted passwords + } + + if err := h.DB.Create(failedAuth).Error; err != nil { + log.Error("Failed to log authentication failure:", err) + return err + } + + // CRITICAL: Only check for IP blocking if this was an admin panel attempt + // API endpoints (like /nic/update, /update, /v2/update, /v3/update) should NOT trigger blocking + if strings.HasPrefix(path, "/@/") { + log.Infof("Admin panel failed auth from %s - checking for IP block", ipAddress) + go h.CheckAndBlockIP(ipAddress) + } else { + log.Infof("API endpoint failed auth from %s on %s - NOT checking for IP block", ipAddress, path) + } + + return nil +} + +// CheckAndBlockIP checks if an IP has exceeded failed attempts and blocks it +// ONLY COUNTS FAILURES TO ADMIN PANEL (/@/*), NOT API ENDPOINTS +func (h *Handler) CheckAndBlockIP(ipAddress string) error { + // Count failed attempts to ADMIN PANEL ONLY in the lookback period + var count int64 + lookbackTime := time.Now().Add(-LookbackPeriod) + + err := h.DB.Model(&model.FailedAuth{}). + Where("ip_address = ? AND timestamp > ? AND path LIKE '/@/%'", ipAddress, lookbackTime). + Count(&count).Error + + if err != nil { + log.Error("Failed to count authentication failures:", err) + return err + } + + log.Infof("IP %s has %d failed ADMIN PANEL attempts in last %v", ipAddress, count, LookbackPeriod) + + // If exceeded threshold, block the IP + if count >= MaxFailedAttempts { + return h.BlockIP(ipAddress, int(count), "Exceeded maximum failed admin authentication attempts") + } + + return nil +} + +// BlockIP adds an IP to the blocked list +func (h *Handler) BlockIP(ipAddress string, failureCount int, reason string) error { + // Check if IP is already blocked + var existingBlock model.BlockedIP + err := h.DB.Where("ip_address = ?", ipAddress).First(&existingBlock).Error + + if err == nil { + // Update existing block + existingBlock.FailureCount = failureCount + existingBlock.LastAttemptAt = time.Now() + existingBlock.BlockedUntil = time.Now().Add(BlockDuration) + existingBlock.Reason = reason + + if err := h.DB.Save(&existingBlock).Error; err != nil { + log.Error("Failed to update blocked IP:", err) + return err + } + + log.Warnf("Updated block for IP %s (failures: %d)", ipAddress, failureCount) + return nil + } + + // Create new block + blockedIP := &model.BlockedIP{ + IPAddress: ipAddress, + BlockedAt: time.Now(), + BlockedUntil: time.Now().Add(BlockDuration), + FailureCount: failureCount, + IsPermanent: false, + LastAttemptAt: time.Now(), + Reason: reason, + } + + if err := h.DB.Create(blockedIP).Error; err != nil { + log.Error("Failed to block IP:", err) + return err + } + + log.Warnf("Blocked IP %s for %v (failures: %d, reason: %s)", + ipAddress, BlockDuration, failureCount, reason) + + return nil +} + +// IsIPBlocked checks if an IP address is currently blocked +func (h *Handler) IsIPBlocked(ipAddress string) (bool, *model.BlockedIP, error) { + var blockedIP model.BlockedIP + err := h.DB.Where("ip_address = ?", ipAddress).First(&blockedIP).Error + + if err != nil { + if err == gorm.ErrRecordNotFound { + return false, nil, nil + } + return false, nil, err + } + + // Check if block is still active + if blockedIP.IsBlocked() { + return true, &blockedIP, nil + } + + return false, nil, nil +} + +// UnblockIP removes an IP from the blocked list +func (h *Handler) UnblockIP(ipAddress string) error { + result := h.DB.Where("ip_address = ?", ipAddress).Delete(&model.BlockedIP{}) + if result.Error != nil { + log.Error("Failed to unblock IP:", result.Error) + return result.Error + } + + log.Infof("Unblocked IP %s", ipAddress) + return nil +} + +// GetClientIP extracts the real client IP from the request +func GetClientIP(r interface{}) string { + // This function can be enhanced to check X-Forwarded-For, X-Real-IP headers + // For now, we'll use a simple extraction + + // You'll need to pass the Echo context here + // This is a helper that should be called from middleware + return "" +} + +// CleanupExpiredBlocks removes expired blocks from the database +func (h *Handler) CleanupExpiredBlocks() error { + result := h.DB.Where("is_permanent = ? AND blocked_until < ?", false, time.Now()). + Delete(&model.BlockedIP{}) + + if result.Error != nil { + log.Error("Failed to cleanup expired blocks:", result.Error) + return result.Error + } + + if result.RowsAffected > 0 { + log.Infof("Cleaned up %d expired IP blocks", result.RowsAffected) + } + + return nil +} + +// CleanupOldFailedAuths removes old failed authentication records +func (h *Handler) CleanupOldFailedAuths() error { + // Keep records for 30 days + cutoffTime := time.Now().Add(-30 * 24 * time.Hour) + + result := h.DB.Where("timestamp < ?", cutoffTime).Delete(&model.FailedAuth{}) + + if result.Error != nil { + log.Error("Failed to cleanup old failed auths:", result.Error) + return result.Error + } + + if result.RowsAffected > 0 { + log.Infof("Cleaned up %d old failed authentication records", result.RowsAffected) + } + + return nil +} + +// GetBlockedIPs returns all currently blocked IPs +func (h *Handler) GetBlockedIPs() ([]model.BlockedIP, error) { + var blockedIPs []model.BlockedIP + err := h.DB.Order("blocked_at DESC").Find(&blockedIPs).Error + return blockedIPs, err +} + +// GetRecentFailedAuths returns recent failed authentication attempts +func (h *Handler) GetRecentFailedAuths(limit int) ([]model.FailedAuth, error) { + var failedAuths []model.FailedAuth + err := h.DB.Order("timestamp DESC").Limit(limit).Find(&failedAuths).Error + return failedAuths, err +} diff --git a/dyndns/handler/security_dashboard.go b/dyndns/handler/security_dashboard.go new file mode 100644 index 0000000..f040c25 --- /dev/null +++ b/dyndns/handler/security_dashboard.go @@ -0,0 +1,96 @@ +package handler + +import ( + "net/http" + "net/url" + + "github.com/labstack/echo/v4" +) + +// ShowSecurityDashboard displays the security overview page +func (h *Handler) ShowSecurityDashboard(c echo.Context) error { + + // Get recent failed auths + failedAuths, err := h.GetRecentFailedAuths(50) + if err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + + // Get blocked IPs + blockedIPs, err := h.GetBlockedIPs() + if err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + + // Count active blocks + activeBlocks := 0 + for _, blocked := range blockedIPs { + if blocked.IsBlocked() { + activeBlocks++ + } + } + + return c.Render(http.StatusOK, "security_dashboard", echo.Map{ + "failedAuths": failedAuths, + "blockedIPs": blockedIPs, + "activeBlocks": activeBlocks, + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, + }) +} + +// ShowBlockedIPs displays all blocked IPs +func (h *Handler) ShowBlockedIPs(c echo.Context) error { + + blockedIPs, err := h.GetBlockedIPs() + if err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + + return c.Render(http.StatusOK, "blocked_ips", echo.Map{ + "blockedIPs": blockedIPs, + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, + }) +} + +// ShowFailedAuths displays recent failed authentication attempts +func (h *Handler) ShowFailedAuths(c echo.Context) error { + // Auth check removed - middleware handles this + + failedAuths, err := h.GetRecentFailedAuths(100) + if err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + + return c.Render(http.StatusOK, "failed_auths", echo.Map{ + "failedAuths": failedAuths, + "title": h.Title, + "logoPath": h.LogoPath, + "poweredBy": h.PoweredBy, + "poweredByUrl": h.PoweredByUrl, + }) +} + +// UnblockIPHandler handles the unblock IP request +func (h *Handler) UnblockIPHandler(c echo.Context) error { + // Get IP from URL parameter and decode it + encodedIP := c.Param("ip") + ipAddress, err := url.QueryUnescape(encodedIP) + if err != nil { + return c.JSON(http.StatusBadRequest, &Error{"Invalid IP address format"}) + } + + if err := h.UnblockIP(ipAddress); err != nil { + return c.JSON(http.StatusBadRequest, &Error{err.Error()}) + } + + return c.JSON(http.StatusOK, echo.Map{ + "message": "IP unblocked successfully", + "ip": ipAddress, + }) +} diff --git a/dyndns/handler/session.go b/dyndns/handler/session.go new file mode 100644 index 0000000..314b9fc --- /dev/null +++ b/dyndns/handler/session.go @@ -0,0 +1,81 @@ +package handler + +import ( + "encoding/gob" + "net/http" + "os" + + "github.com/gorilla/sessions" + "github.com/labstack/gommon/log" +) + +// Session wraps gorilla session +type Session struct { + *sessions.Session +} + +// SessionStore wraps gorilla session store +type SessionStore struct { + store *sessions.CookieStore +} + +// InitSessionStore creates a new session store with a secret key +func (h *Handler) InitSessionStore() error { + // Generate or get session secret from environment + secret := []byte(h.GetSessionSecret()) + + // Create cookie store + store := sessions.NewCookieStore(secret) + + // Configure session options + store.Options = &sessions.Options{ + Path: "/", + MaxAge: 24 * 60 * 60, // 24 hours default + HttpOnly: true, + Secure: false, // Will be set to true per-request if HTTPS + SameSite: http.SameSiteStrictMode, + } + + h.SessionStore = &SessionStore{store: store} + + // Register types for session encoding + gob.Register(map[string]interface{}{}) + gob.Register([]interface{}{}) + + return nil +} + +// Get retrieves a session +func (s *SessionStore) Get(r *http.Request, name string) (*Session, error) { + sess, err := s.store.Get(r, name) + if err != nil { + return nil, err + } + return &Session{Session: sess}, nil +} + +// GetSessionSecret returns the session secret key +// Uses environment variable or generates a random one +func (h *Handler) GetSessionSecret() string { + // Try to get from environment + secret := h.GetEnv("DDNS_SESSION_SECRET", "") + + if secret != "" { + return secret + } + + // If not set, generate a warning and use admin password as base + log.Warn("DDNS_SESSION_SECRET not set! Using derived key. Set this in production!") + + // Use admin login hash as base for session secret + return h.Config.AdminLogin + "-session-secret-key" +} + +// GetEnv gets environment variable with default +func (h *Handler) GetEnv(key, defaultValue string) string { + value := os.Getenv(key) + if value == "" { + return defaultValue + } + return value +} diff --git a/dyndns/main.go b/dyndns/main.go index f63d104..8f7c396 100644 --- a/dyndns/main.go +++ b/dyndns/main.go @@ -3,9 +3,10 @@ package main import ( "html/template" "net/http" + "strings" "time" - "github.com/benjaminbear/docker-ddns-server/dyndns/handler" + "github.com/w3K-one/docker-ddns-server/dyndns/handler" "github.com/foolin/goview" "github.com/foolin/goview/supports/echoview-v4" "github.com/go-playground/validator/v10" @@ -22,7 +23,7 @@ func main() { e.Use(middleware.Logger()) - // Set Renderer + // Set Renderer with custom template functions e.Renderer = echoview.New(goview.Config{ Root: "views", Master: "layouts/master", @@ -31,6 +32,24 @@ func main() { "year": func() string { return time.Now().Format("2006") }, + "hasPrefix": func(s, prefix string) bool { + return strings.HasPrefix(s, prefix) + }, + "slice": func(s string, start, end int) string { + if start < 0 { + start = 0 + } + if end > len(s) { + end = len(s) + } + if start > end { + return "" + } + return s[start:end] + }, + "mod": func(i, j int) int { + return i % j + }, }, DisableCache: true, }) @@ -49,63 +68,87 @@ func main() { e.Logger.Fatal(err) } + // Parse environment variables and initialize session store authAdmin, err := h.ParseEnvs() if err != nil { e.Logger.Fatal(err) } - // UI Routes - groupPublic := e.Group("/") - groupPublic.GET("*", func(c echo.Context) error { - //redirect to admin - return c.Redirect(301, "./admin/") + // Apply IP blocker middleware globally + e.Use(h.IPBlockerMiddleware()) + + // Apply cleanup middleware + e.Use(h.CleanupMiddleware()) + + // Public redirect (root redirects to admin) + e.GET("/", func(c echo.Context) error { + return c.Redirect(http.StatusMovedPermanently, "/@/") }) - groupAdmin := e.Group("/admin") + + // Admin routes with session-based authentication and HTTPS redirect + groupAdmin := e.Group("/@") + + // Apply HTTPS redirect middleware (only for admin routes) + groupAdmin.Use(h.HTTPSRedirectMiddleware()) + + // Login routes (no auth required) + groupAdmin.GET("/login", h.ShowLoginPage) + groupAdmin.POST("/login", h.HandleLogin) + + // Logout route (no auth required - handles its own session check) + groupAdmin.GET("/logout", h.HandleLogout) + + // Protected admin routes (require authentication) if authAdmin { - groupAdmin.Use(middleware.BasicAuth(h.AuthenticateAdmin)) + groupAdmin.Use(h.SessionAuthMiddleware()) } + // Main admin pages groupAdmin.GET("/", h.ListHosts) + groupAdmin.GET("/hosts", h.ListHosts) groupAdmin.GET("/hosts/add", h.AddHost) groupAdmin.GET("/hosts/edit/:id", h.EditHost) - groupAdmin.GET("/hosts", h.ListHosts) - groupAdmin.GET("/cnames/add", h.AddCName) - groupAdmin.GET("/cnames", h.ListCNames) - groupAdmin.GET("/logs", h.ShowLogs) - groupAdmin.GET("/logs/host/:id", h.ShowHostLogs) - - // Rest Routes groupAdmin.POST("/hosts/add", h.CreateHost) groupAdmin.POST("/hosts/edit/:id", h.UpdateHost) groupAdmin.GET("/hosts/delete/:id", h.DeleteHost) - //redirect to logout - groupAdmin.GET("/logout", func(c echo.Context) error { - // either custom url - if len(h.LogoutUrl) > 0 { - return c.Redirect(302, h.LogoutUrl) - } - // or standard url - return c.Redirect(302, "../") - }) + + // CName routes + groupAdmin.GET("/cnames", h.ListCNames) + groupAdmin.GET("/cnames/add", h.AddCName) groupAdmin.POST("/cnames/add", h.CreateCName) groupAdmin.GET("/cnames/delete/:id", h.DeleteCName) - // dyndns compatible api - // (avoid breaking changes and create groups for each update endpoint) + // Log routes + groupAdmin.GET("/logs", h.ShowLogs) + groupAdmin.GET("/logs/host/:id", h.ShowHostLogs) + + // Security management routes + if authAdmin { + groupAdmin.GET("/security", h.ShowSecurityDashboard) + groupAdmin.GET("/security/blocked-ips", h.ShowBlockedIPs) + groupAdmin.GET("/security/failed-auths", h.ShowFailedAuths) + groupAdmin.POST("/security/unblock/:ip", h.UnblockIPHandler) + } + + // DynDNS API endpoints (HTTP allowed, BasicAuth required) + // These endpoints are used by routers/NVRs and need BasicAuth updateRoute := e.Group("/update") - updateRoute.Use(middleware.BasicAuth(h.AuthenticateUpdate)) + updateRoute.Use(h.UpdateAuthMiddleware()) updateRoute.GET("", h.UpdateIP) + nicRoute := e.Group("/nic") - nicRoute.Use(middleware.BasicAuth(h.AuthenticateUpdate)) + nicRoute.Use(h.UpdateAuthMiddleware()) nicRoute.GET("/update", h.UpdateIP) + v2Route := e.Group("/v2") - v2Route.Use(middleware.BasicAuth(h.AuthenticateUpdate)) + v2Route.Use(h.UpdateAuthMiddleware()) v2Route.GET("/update", h.UpdateIP) + v3Route := e.Group("/v3") - v3Route.Use(middleware.BasicAuth(h.AuthenticateUpdate)) + v3Route.Use(h.UpdateAuthMiddleware()) v3Route.GET("/update", h.UpdateIP) - // health-check + // Health-check endpoint (no auth) e.GET("/ping", func(c echo.Context) error { u := &handler.Error{ Message: "OK", diff --git a/dyndns/model/cname.go b/dyndns/model/cname.go index 81e64b8..ec68aaa 100644 --- a/dyndns/model/cname.go +++ b/dyndns/model/cname.go @@ -7,7 +7,7 @@ import ( // CName is a dns cname entry. type CName struct { gorm.Model - Hostname string `gorm:"not null" form:"hostname" validate:"required,hostname"` + Hostname string `gorm:"not null" form:"hostname" validate:"required,min=1"` //Alow 1 character cnames Target Host `validate:"required"` TargetID uint Ttl int `form:"ttl" validate:"required,min=20,max=86400"` diff --git a/dyndns/model/failed_auth.go b/dyndns/model/failed_auth.go new file mode 100644 index 0000000..49265cb --- /dev/null +++ b/dyndns/model/failed_auth.go @@ -0,0 +1,40 @@ +package model + +import ( + "time" + + "gorm.io/gorm" +) + +// FailedAuth tracks failed authentication attempts +// WARNING: This includes password logging which is a security risk. +// Passwords should be handled carefully and never displayed without authorization. +type FailedAuth struct { + gorm.Model + IPAddress string `gorm:"index;not null"` + UserAgent string + Timestamp time.Time `gorm:"index"` + Path string // The path they tried to access + Username string // Username they attempted (if provided) + Password string // Password they attempted (SECURITY RISK - handle carefully) +} + +// BlockedIP represents an IP that has been blocked +type BlockedIP struct { + gorm.Model + IPAddress string `gorm:"uniqueIndex;not null"` + BlockedAt time.Time `gorm:"index"` + BlockedUntil time.Time `gorm:"index"` // For temporary blocks + FailureCount int + IsPermanent bool // Flag for permanent blocks + LastAttemptAt time.Time + Reason string +} + +// IsBlocked checks if a block is still active +func (b *BlockedIP) IsBlocked() bool { + if b.IsPermanent { + return true + } + return time.Now().Before(b.BlockedUntil) +} diff --git a/dyndns/model/host.go b/dyndns/model/host.go index 9a1d3a6..136220c 100644 --- a/dyndns/model/host.go +++ b/dyndns/model/host.go @@ -9,13 +9,13 @@ import ( // Host is a dns host entry. type Host struct { gorm.Model - Hostname string `gorm:"unique_index:idx_host_domain;not null" form:"hostname" validate:"required,hostname"` + Hostname string `gorm:"unique_index:idx_host_domain;not null" form:"hostname" validate:"required,min=1"` // Allow 1 character hostnames Domain string `gorm:"unique_index:idx_host_domain;not null" form:"domain" validate:"required,fqdn"` Ip string `form:"ip" validate:"omitempty,ipv4|ipv6"` Ttl int `form:"ttl" validate:"required,min=20,max=86400"` LastUpdate time.Time `form:"lastupdate"` - UserName string `gorm:"unique" form:"username" validate:"min=3"` - Password string `form:"password" validate:"min=8"` + UserName string `gorm:"not null" form:"username" validate:"min=1"` // Allow 1 character usernames + Password string `form:"password" validate:"min=6"` // Minimum 6 character passwords } // UpdateHost updates all fields of a host entry diff --git a/dyndns/nswrapper/ip.go b/dyndns/nswrapper/ip.go index 90fba50..4dd94c4 100644 --- a/dyndns/nswrapper/ip.go +++ b/dyndns/nswrapper/ip.go @@ -8,7 +8,7 @@ import ( "net/http" "strings" - "github.com/benjaminbear/docker-ddns-server/dyndns/ipparser" + "github.com/w3K-one/docker-ddns-server/dyndns/ipparser" ) // GetIPType finds out if the IP is IPv4 or IPv6 diff --git a/dyndns/static/css/narrow-jumbotron.css b/dyndns/static/css/narrow-jumbotron.css index f348bbe..501c079 100644 --- a/dyndns/static/css/narrow-jumbotron.css +++ b/dyndns/static/css/narrow-jumbotron.css @@ -76,4 +76,4 @@ body { .jumbotron { border-bottom: 0; } -} \ No newline at end of file +} diff --git a/dyndns/static/icons/dns.ico b/dyndns/static/icons/dns.ico new file mode 100644 index 0000000..3749d37 Binary files /dev/null and b/dyndns/static/icons/dns.ico differ diff --git a/dyndns/static/icons/eye.svg b/dyndns/static/icons/eye.svg new file mode 100644 index 0000000..b0d9e9c --- /dev/null +++ b/dyndns/static/icons/eye.svg @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/dyndns/static/icons/favicon.ico b/dyndns/static/icons/favicon.ico index 3749d37..3672f5b 100644 Binary files a/dyndns/static/icons/favicon.ico and b/dyndns/static/icons/favicon.ico differ diff --git a/dyndns/static/icons/logo.png b/dyndns/static/icons/logo.png new file mode 100644 index 0000000..545ec00 Binary files /dev/null and b/dyndns/static/icons/logo.png differ diff --git a/dyndns/static/js/actions-1.0.0.js b/dyndns/static/js/actions-1.0.0.js index 1331251..ee0fd3f 100644 --- a/dyndns/static/js/actions-1.0.0.js +++ b/dyndns/static/js/actions-1.0.0.js @@ -1,173 +1,144 @@ -$("button.addHost").click(function () { - location.href='/admin/hosts/add'; -}); - -$("button.editHost").click(function () { - location.href='/admin/hosts/edit/' + $(this).attr('id'); -}); +// Wrap ALL event handlers in document.ready to ensure DOM is loaded +$(document).ready(function(){ + + // ===== HOST BUTTONS ===== + $("button.addHost").click(function () { + location.href='/@/hosts/add'; + }); -$("button.deleteHost").click(function () { - $.ajax({ - contentType: 'application/x-www-form-urlencoded; charset=UTF-8', - type: 'GET', - url: "/admin/hosts/delete/" + $(this).attr('id') - }).done(function(data, textStatus, jqXHR) { - location.href="/admin/hosts"; - }).fail(function(jqXHR, textStatus, errorThrown) { - alert("Error: " + $.parseJSON(jqXHR.responseText).message); - location.reload() + $("button.editHost").click(function () { + location.href='/@/hosts/edit/' + $(this).attr('id'); }); -}); -$("button.showHostLog").click(function () { - location.href='/admin/logs/host/' + $(this).attr('id'); -}); + $("button.deleteHost").click(function () { + $.ajax({ + contentType: 'application/x-www-form-urlencoded; charset=UTF-8', + type: 'GET', + url: "/@/hosts/delete/" + $(this).attr('id') + }).done(function(data, textStatus, jqXHR) { + location.href="/@/hosts"; + }).fail(function(jqXHR, textStatus, errorThrown) { + alert("Error: " + $.parseJSON(jqXHR.responseText).message); + location.reload() + }); + }); -$("button.add, button.edit").click(function () { - let id = $(this).attr('id'); - if (id !== "") { - id = "/"+id - } + $("button.showHostLog").click(function () { + location.href='/@/logs/host/' + $(this).attr('id'); + }); - let action; - if ($(this).hasClass("add")) { - action = "add"; - } + // ===== CNAME BUTTONS ===== + $("button.addCName").click(function () { + location.href='/@/cnames/add'; + }); - if ($(this).hasClass("edit")) { - action = "edit"; - } + $("button.deleteCName").click(function () { + $.ajax({ + contentType: 'application/x-www-form-urlencoded; charset=UTF-8', + type: 'GET', + url: "/@/cnames/delete/" + $(this).attr('id') + }).done(function(data, textStatus, jqXHR) { + location.href="/@/cnames"; + }).fail(function(jqXHR, textStatus, errorThrown) { + alert("Error: " + $.parseJSON(jqXHR.responseText).message); + location.reload() + }); + }); - let type; - if ($(this).hasClass("host")) { - type = "hosts"; - } + // ===== ADD/EDIT FORM BUTTONS ===== + $("button.add, button.edit").click(function () { + let id = $(this).attr('id'); + if (id !== "") { + id = "/"+id + } - if ($(this).hasClass("cname")) { - type = "cnames"; - } + let action; + if ($(this).hasClass("add")) { + action = "add"; + } - $('#domain').prop('disabled', false); - - $.ajax({ - contentType: 'application/x-www-form-urlencoded; charset=UTF-8', - data: $('#editHostForm').serialize(), - type: 'POST', - url: '/admin/'+type+'/'+action+id, - }).done(function(data, textStatus, jqXHR) { - location.href="/admin/"+type; - }).fail(function(jqXHR, textStatus, errorThrown) { - alert("Error: " + $.parseJSON(jqXHR.responseText).message); - }); + if ($(this).hasClass("edit")) { + action = "edit"; + } - return false; -}); + let type; + if ($(this).hasClass("host")) { + type = "hosts"; + } -$("#logout").click(function (){ - //document.execCommand("ClearAuthenticationCache"); - try { - // This is for Firefox - $.ajax({ - // This can be any path on your same domain which requires HTTPAuth - url: "", - username: 'reset', - password: 'reset', - // If the return is 401, refresh the page to request new details. - statusCode: { 401: function() { - // document.location = document.location; - } - } - }); - } catch (exception) { - // Firefox throws an exception since we didn't handle anything but a 401 above - // This line works only in IE - if (!document.execCommand("ClearAuthenticationCache")) { - // exeCommand returns false if it didn't work (which happens in Chrome) so as a last - // resort refresh the page providing new, invalid details. - // document.location = location.protocol+"//reset:reset@" + document.location.hostname + document.location.pathname; - } + if ($(this).hasClass("cname")) { + type = "cnames"; } - console.log("first logout") -}); -$("button.addCName").click(function () { - location.href='/admin/cnames/add'; -}); + $('#domain').prop('disabled', false); -$("button.deleteCName").click(function () { - $.ajax({ - contentType: 'application/x-www-form-urlencoded; charset=UTF-8', - type: 'GET', - url: "/admin/cnames/delete/" + $(this).attr('id') - }).done(function(data, textStatus, jqXHR) { - location.href="/admin/cnames"; - }).fail(function(jqXHR, textStatus, errorThrown) { - alert("Error: " + $.parseJSON(jqXHR.responseText).message); - location.reload() - }); -}); + $.ajax({ + contentType: 'application/x-www-form-urlencoded; charset=UTF-8', + data: $('#editHostForm').serialize(), + type: 'POST', + url: '/@/'+type+'/'+action+id, + }).done(function(data, textStatus, jqXHR) { + location.href="/@/"+type; + }).fail(function(jqXHR, textStatus, errorThrown) { + alert("Error: " + $.parseJSON(jqXHR.responseText).message); + }); -function newTargetSelected() { - var sel = document.getElementById("target_id"); - var x = sel.options[sel.selectedIndex].label.replace(sel.options[sel.selectedIndex].text, ''); - document.getElementById("domain_mirror").value = x; -} + return false; + }); -$("button.copyToClipboard").click(function () { - let id; - if ($(this).hasClass('username')) { - id = "username"; - } else if ($(this).hasClass('password')) { - id = "password"; - } + // ===== LOGOUT BUTTON ===== + $("#logout").click(function (){ + // Note: The old HTTP Basic Auth logout code is commented out since we use sessions now + // The logout link goes to /@/logout which handles session destruction + console.log("Logout clicked - redirecting to /@/logout"); + }); - let copyText = document.getElementById(id); - copyText.select(); - copyText.setSelectionRange(0, 99999); - document.execCommand("copy"); -}); -$("button.copyUrlToClipboard").click(function () { - let id = $(this).attr('id'); - let hostname = document.getElementById('host-hostname_'+id).innerHTML - let domain = document.getElementById('host-domain_'+id).innerHTML - let username = document.getElementById('host-username_'+id).innerHTML - let password = document.getElementById('host-password_'+id).innerHTML - let out = location.protocol + '//' +username.trim()+':'+password.trim()+'@'+ domain - out +='/update?hostname='+hostname - - let dummy = document.createElement("textarea"); - document.body.appendChild(dummy); - dummy.value = out; - dummy.select(); - document.execCommand("copy"); - document.body.removeChild(dummy); -}); + // ===== CLIPBOARD BUTTONS ===== + $("button.copyToClipboard").click(function () { + let id; + if ($(this).hasClass('username')) { + id = "username"; + } else if ($(this).hasClass('password')) { + id = "password"; + } -function randomHash() { - let chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; - var passwordLength = 16; - var password = ""; - for (var i = 0; i <= passwordLength; i++) { - var randomNumber = Math.floor(Math.random() * chars.length); - password += chars.substring(randomNumber, randomNumber +1); - } + let copyText = document.getElementById(id); + copyText.select(); + copyText.setSelectionRange(0, 99999); + document.execCommand("copy"); + }); - return password; -} + $("button.copyUrlToClipboard").click(function () { + let id = $(this).attr('id'); + let hostname = document.getElementById('host-hostname_'+id).innerHTML + let domain = document.getElementById('host-domain_'+id).innerHTML + let username = document.getElementById('host-username_'+id).innerHTML + let password = document.getElementById('host-password_'+id).innerHTML + let out = location.protocol + '//' +username.trim()+':'+password.trim()+'@'+ domain + out +='/update?hostname='+hostname + + let dummy = document.createElement("textarea"); + document.body.appendChild(dummy); + dummy.value = out; + dummy.select(); + document.execCommand("copy"); + document.body.removeChild(dummy); + }); -$("button.generateHash").click(function () { - let id; - if ($(this).hasClass('username')) { - id = "username"; - } else if ($(this).hasClass('password')) { - id = "password"; - } + // ===== GENERATE HASH BUTTONS ===== + $("button.generateHash").click(function () { + let id; + if ($(this).hasClass('username')) { + id = "username"; + } else if ($(this).hasClass('password')) { + id = "password"; + } - let input = document.getElementById(id); - input.value = randomHash(); -}); + let input = document.getElementById(id); + input.value = randomHash(); + }); -$(document).ready(function(){ + // ===== TOOLTIPS ===== $(".errorTooltip").tooltip({ track: true, content: function () { @@ -175,9 +146,28 @@ $(document).ready(function(){ } }); + // ===== NAVIGATION HIGHLIGHTING ===== urlPath = new URL(window.location.href).pathname.split("/")[2]; if (urlPath === "") { urlPath = "hosts" } document.getElementsByClassName("nav-"+urlPath)[0].classList.add("active"); }); + +// ===== UTILITY FUNCTIONS (outside document.ready is OK) ===== +function newTargetSelected() { + var sel = document.getElementById("target_id"); + var x = sel.options[sel.selectedIndex].label.replace(sel.options[sel.selectedIndex].text, ''); + document.getElementById("domain_mirror").value = x; +} + +function randomHash() { + let chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; + var passwordLength = 16; + var password = ""; + for (var i = 0; i <= passwordLength; i++) { + var randomNumber = Math.floor(Math.random() * chars.length); + password += chars.substring(randomNumber, randomNumber +1); + } + return password; +} diff --git a/dyndns/views/blocked_ips.html b/dyndns/views/blocked_ips.html new file mode 100644 index 0000000..ac3ec00 --- /dev/null +++ b/dyndns/views/blocked_ips.html @@ -0,0 +1,98 @@ +{{define "content"}} +
+

Blocked IP Addresses

+ +
+ ← Back to Security Dashboard +
+ + + + + + + + + + + + + + + + {{range .blockedIPs}} + + + + + + + + + + + {{end}} + +
IP AddressBlocked AtBlocked UntilLast AttemptFailure CountReasonStatusActions
{{.IPAddress}}{{.BlockedAt.Format "01/02/2006 15:04"}}{{if .IsPermanent}} + Permanent + {{else}} + {{.BlockedUntil.Format "01/02/2006 15:04"}} + {{end}}{{.LastAttemptAt.Format "01/02/2006 15:04"}}{{.FailureCount}}{{.Reason}} + {{if .IsBlocked}} + Active + {{else}} + Expired + {{end}} + + {{if .IsBlocked}} + + {{else}} + N/A + {{end}} +
+ + {{if not .blockedIPs}} + + {{end}} +
+ + +{{end}} diff --git a/dyndns/views/failed_auths.html b/dyndns/views/failed_auths.html new file mode 100644 index 0000000..407ced5 --- /dev/null +++ b/dyndns/views/failed_auths.html @@ -0,0 +1,362 @@ +{{define "content"}} +
+

Failed Authentication Attempts

+ +
+ ← Back to Security Dashboard +
+ + + + + + + + + + + + + + + + + + + + {{range $index, $auth := .failedAuths}} + {{$isAPI := not (hasPrefix $auth.Path "/@/")}} + {{$rowClass := ""}} + {{if $isAPI}} + {{if eq (mod $index 2) 0}} + {{$rowClass = "table-warning"}} + {{else}} + {{$rowClass = "table-warning-light"}} + {{end}} + {{end}} + + + + + + + + + {{end}} + +
TimestampIP AddressUsernamePassword AttemptedPathUser Agent
{{$auth.Timestamp.Format "01/02/2006 15:04:05"}}{{$auth.IPAddress}}{{if $auth.Username}}{{$auth.Username}}{{else}}no credentials{{end}} + {{if $auth.Password}} +
+ +
+ {{$auth.Password}} +
+
+ {{else}} + no password + {{end}} + 		+ {{$auth.Path}} + {{if hasPrefix $auth.Path "/@/"}} + Admin + {{else}} + API + {{end}} + + {{if $auth.UserAgent}} + {{$ua := $auth.UserAgent}} + {{if gt (len $ua) 10}} +
+ +
+ {{$ua}} +
+
+ {{else}} + {{$ua}} + {{end}} + {{else}} + none + {{end}} +
+ + {{if not .failedAuths}} + + {{end}} + + +
+ + +{{end}} diff --git a/dyndns/views/layouts/master.html b/dyndns/views/layouts/master.html index 8b84234..4aaecec 100644 --- a/dyndns/views/layouts/master.html +++ b/dyndns/views/layouts/master.html @@ -8,6 +8,16 @@ {{.title}} + + + + + + + + + @@ -17,6 +27,42 @@ + @@ -27,40 +73,38 @@ -

{{.title}}

+ + {{ if .logoPath }} + + {{ else }} +

{{.title}}

+ {{ end }} {{template "content" .}} - - - - - - - - - \ No newline at end of file diff --git a/dyndns/views/listhosts.html b/dyndns/views/listhosts.html index 7aaa62e..f2ebf2a 100644 --- a/dyndns/views/listhosts.html +++ b/dyndns/views/listhosts.html @@ -51,4 +51,12 @@

DNS Host Entries

-{{end}} \ No newline at end of file + +{{ if .migrationReport }} +
+ Database Migration Report: +

The following legacy entries were automatically converted to lowercase. You can copy this for your records.

+ +
+{{ end }} +{{end}} diff --git a/dyndns/views/login.html b/dyndns/views/login.html new file mode 100644 index 0000000..ba19e3f --- /dev/null +++ b/dyndns/views/login.html @@ -0,0 +1,211 @@ +{{define "content"}} + + + + + +{{end}} diff --git a/dyndns/views/logout.html b/dyndns/views/logout.html new file mode 100644 index 0000000..08b9bcc --- /dev/null +++ b/dyndns/views/logout.html @@ -0,0 +1,202 @@ +{{define "content"}} + + +
+
+ {{if .logoPath}} + + {{end}} + +
πŸ‘‹
+

Logged Out Successfully

+

Your session has been ended and you have been securely logged out.

+ + {{if .logoutUrl}} +
+

Redirecting in 7 seconds...

+

+ to: {{.logoutUrl}} +

+ +
+ {{end}} + + +
+
+ + +{{end}} diff --git a/dyndns/views/security_dashboard.html b/dyndns/views/security_dashboard.html new file mode 100644 index 0000000..99e69e8 --- /dev/null +++ b/dyndns/views/security_dashboard.html @@ -0,0 +1,433 @@ +{{define "content"}} +
+

Security Dashboard

+ + +
+
+
+
Active Blocks
+
+

{{.activeBlocks}}

+

IP addresses currently blocked

+
+
+
+
+
+
Failed Attempts
+
+

{{len .failedAuths}}

+

Recent failed login attempts

+
+
+
+
+
+
Total Blocks
+
+

{{len .blockedIPs}}

+

Total IP blocks (active + expired)

+
+
+
+
+ + +

Recently Blocked IPs

+ + + + + + + + + + + + + {{range .blockedIPs}} + {{if .IsBlocked}} + + + + + + + + + {{end}} + {{end}} + +
IP AddressBlocked AtBlocked UntilFailuresStatusActions
{{.IPAddress}}{{.BlockedAt.Format "01/02/2006 15:04"}}{{if .IsPermanent}}Permanent{{else}}{{.BlockedUntil.Format "01/02/2006 15:04"}}{{end}}{{.FailureCount}}Active + +
+ + +

Recent Failed Authentication Attempts

+ + + + + + + + + + + + + + + + + + {{range $index, $auth := .failedAuths}} + {{$isAPI := not (hasPrefix $auth.Path "/@/")}} + {{$rowClass := ""}} + {{if $isAPI}} + {{if eq (mod $index 2) 0}} + {{$rowClass = "table-warning"}} + {{else}} + {{$rowClass = "table-warning-light"}} + {{end}} + {{end}} + + + + + + + + + {{end}} + +
TimestampIP AddressUsernamePasswordPathUser Agent
{{$auth.Timestamp.Format "01/02/2006 15:04:05"}}{{$auth.IPAddress}}{{if $auth.Username}}{{$auth.Username}}{{else}}none{{end}} + {{if $auth.Password}} +
+ +
+ {{$auth.Password}} +
+
+ {{else}} + none + {{end}} + 		+ {{$auth.Path}} + {{if hasPrefix $auth.Path "/@/"}} + Admin + {{else}} + API + {{end}} + + {{if $auth.UserAgent}} + {{$ua := $auth.UserAgent}} + {{if gt (len $ua) 10}} +
+ +
+ {{$ua}} +
+
+ {{else}} + {{$ua}} + {{end}} + {{else}} + none + {{end}} +
+ +
+ View All Blocked IPs + View All Failed Attempts +
+
+ + +{{end}} diff --git a/img/addcname.png b/img/addcname.png new file mode 100644 index 0000000..e9c6a35 Binary files /dev/null and b/img/addcname.png differ diff --git a/img/addhost.png b/img/addhost.png index 6be4740..9b93bf5 100644 Binary files a/img/addhost.png and b/img/addhost.png differ diff --git a/img/listcnames.png b/img/listcnames.png new file mode 100644 index 0000000..c64230f Binary files /dev/null and b/img/listcnames.png differ diff --git a/img/listhosts.png b/img/listhosts.png index 3bb0331..7a91c81 100644 Binary files a/img/listhosts.png and b/img/listhosts.png differ diff --git a/img/listlogs.png b/img/listlogs.png index 9e75903..95dc64a 100644 Binary files a/img/listlogs.png and b/img/listlogs.png differ diff --git a/img/login.png b/img/login.png new file mode 100644 index 0000000..2ae370c Binary files /dev/null and b/img/login.png differ diff --git a/img/logout.png b/img/logout.png new file mode 100644 index 0000000..064c2c5 Binary files /dev/null and b/img/logout.png differ diff --git a/img/security.png b/img/security.png new file mode 100644 index 0000000..7e5690d Binary files /dev/null and b/img/security.png differ