fix(ogtags): respect target host/SNI/insecure flags in OG passthrough (#1283)

2025-11-16 21:32:03 -05:00 · 2025-11-16 21:32:03 -05:00 · 1d91bc99f2
commit 1d91bc99f2
parent c70b939651
14 changed files with 440 additions and 84 deletions
--- a/lib/config.go
+++ b/lib/config.go
@ -27,27 +27,30 @@ import (
 )

 type Options struct {
-	Next                 http.Handler
-	Policy               *policy.ParsedConfig
-	Logger               *slog.Logger
-	OpenGraph            config.OpenGraph
-	PublicUrl            string
-	CookieDomain         string
-	JWTRestrictionHeader string
-	BasePrefix           string
-	WebmasterEmail       string
-	Target               string
-	RedirectDomains      []string
-	ED25519PrivateKey    ed25519.PrivateKey
-	HS512Secret          []byte
-	CookieExpiration     time.Duration
-	CookieSameSite       http.SameSite
-	ServeRobotsTXT       bool
-	CookieSecure         bool
-	StripBasePrefix      bool
-	CookiePartitioned    bool
-	CookieDynamicDomain  bool
-	DifficultyInJWT      bool
+	Next                     http.Handler
+	Policy                   *policy.ParsedConfig
+	Target                   string
+	TargetHost               string
+	TargetSNI                string
+	TargetInsecureSkipVerify bool
+	CookieDynamicDomain      bool
+	CookieDomain             string
+	CookieExpiration         time.Duration
+	CookiePartitioned        bool
+	BasePrefix               string
+	WebmasterEmail           string
+	RedirectDomains          []string
+	ED25519PrivateKey        ed25519.PrivateKey
+	HS512Secret              []byte
+	StripBasePrefix          bool
+	OpenGraph                config.OpenGraph
+	ServeRobotsTXT           bool
+	CookieSecure             bool
+	CookieSameSite           http.SameSite
+	Logger                   *slog.Logger
+	PublicUrl                string
+	JWTRestrictionHeader     string
+	DifficultyInJWT          bool
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
@ -116,9 +119,13 @@ func New(opts Options) (*Server, error) {
 		hs512Secret: opts.HS512Secret,
 		policy:      opts.Policy,
 		opts:        opts,
-		OGTags:      ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph, opts.Policy.Store),
-		store:       opts.Policy.Store,
-		logger:      opts.Logger,
+		OGTags: ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph, opts.Policy.Store, ogtags.TargetOptions{
+			Host:               opts.TargetHost,
+			SNI:                opts.TargetSNI,
+			InsecureSkipVerify: opts.TargetInsecureSkipVerify,
+		}),
+		store:  opts.Policy.Store,
+		logger: opts.Logger,
 	}

 	mux := http.NewServeMux()
--- a/lib/policy/config/config.go
+++ b/lib/policy/config/config.go
@ -62,11 +62,14 @@ type BotConfig struct {
 	Expression     *ExpressionOrList `json:"expression,omitempty" yaml:"expression,omitempty"`
 	Challenge      *ChallengeRules   `json:"challenge,omitempty" yaml:"challenge,omitempty"`
 	Weight         *Weight           `json:"weight,omitempty" yaml:"weight,omitempty"`
-	GeoIP          *GeoIP            `json:"geoip,omitempty"`
-	ASNs           *ASNs             `json:"asns,omitempty"`
-	Name           string            `json:"name" yaml:"name"`
-	Action         Rule              `json:"action" yaml:"action"`
-	RemoteAddr     []string          `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
+
+	// Thoth features
+	GeoIP *GeoIP `json:"geoip,omitempty"`
+	ASNs  *ASNs  `json:"asns,omitempty"`
+
+	Name       string   `json:"name" yaml:"name"`
+	Action     Rule     `json:"action" yaml:"action"`
+	RemoteAddr []string `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
 }

 func (b BotConfig) Zero() bool {