check domains againts cloudflare ip range

2024-10-22 16:14:22 +02:00 · 2024-01-15 11:37:26 +01:00 · 2024-01-15 11:37:26 +01:00 · 75813a289c
commit 75813a289c
parent 48990db699
5 changed files with 33 additions and 13 deletions
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@ -1593,6 +1593,9 @@ function getRealtime()

 function validate_dns_entry(string $fqdn, Server $server)
 {
+    # https://www.cloudflare.com/ips-v4/#
+    $cloudflare_ips = collect(['173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20', '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13', '172.64.0.0/13', '131.0.72.0/22']);
+
    $url = Url::fromString($fqdn);
    $host = $url->getHost();
    if (str($host)->contains('sslip.io')) {
@ -1603,29 +1606,34 @@ function validate_dns_entry(string $fqdn, Server $server)
    if (!$is_dns_validation_enabled) {
        return true;
    }
-    $dnsServers = data_get($settings, 'custom_dns_servers');
-    $dnsServers = str($dnsServers)->explode(',');
+    $dns_servers = data_get($settings, 'custom_dns_servers');
+    $dns_servers = str($dns_servers)->explode(',');
    if ($server->id === 0) {
        $ip = data_get($settings, 'public_ipv4') || data_get($settings, 'public_ipv6') || $server->ip;
    } else {
        $ip = $server->ip;
    }
-    $foundMatch = false;
+    $found_matching_ip = false;
    $type = \PurplePixie\PhpDns\DNSTypes::NAME_A;
-    foreach ($dnsServers as $dnsServer) {
+    foreach ($dns_servers as $dns_server) {
        try {
-            ray("Checking $host on $dnsServer");
-            $query = new DNSQuery($dnsServer);
+            ray("Checking $host on $dns_server");
+            $query = new DNSQuery($dns_server);
            $results = $query->query($host, $type);
            if ($results === false || $query->hasError()) {
                ray("Error: " . $query->getLasterror());
            } else {
                foreach ($results as $result) {
                    if ($result->getType() == $type) {
+                        if (ip_match($result->getData(), $cloudflare_ips->toArray(), $match)) {
+                            ray("Found match in Cloudflare IPs: $match");
+                            $found_matching_ip = true;
+                            break;
+                        }
                        if ($result->getData() === $ip) {
                            ray($host . " has IP address " . $result->getData());
                            ray($result->getString());
-                            $foundMatch = true;
+                            $found_matching_ip = true;
                            break;
                        }
                    }
@ -1634,6 +1642,18 @@ function validate_dns_entry(string $fqdn, Server $server)
        } catch (\Exception $e) {
        }
    }
-    ray("Found match: $foundMatch");
-    return $foundMatch;
+    ray("Found match: $found_matching_ip");
+    return $found_matching_ip;
+}
+
+function ip_match($ip, $cidrs, &$match = null)
+{
+    foreach ((array) $cidrs as $cidr) {
+        list($subnet, $mask) = explode('/', $cidr);
+        if (((ip2long($ip) & ($mask = ~((1 << (32 - $mask)) - 1))) == (ip2long($subnet) & $mask))) {
+            $match = $cidr;
+            return true;
+        }
+    }
+    return false;
 }
--- a/config/sentry.php
+++ b/config/sentry.php
@ -7,7 +7,7 @@

    // The release version of your application
    // Example with dynamic git hash: trim(exec('git --git-dir ' . base_path('.git') . ' log --pretty="%h" -n1 HEAD'))
-    'release' => '4.0.0-beta.191',
+    'release' => '4.0.0-beta.192',
    // When left empty or `null` the Laravel environment will be used
    'environment' => config('app.env'),

--- a/config/version.php
+++ b/config/version.php
@ -1,3 +1,3 @@
 <?php

-return '4.0.0-beta.191';
+return '4.0.0-beta.192';
--- a/resources/views/livewire/server/form.blade.php
+++ b/resources/views/livewire/server/form.blade.php
@ -52,7 +52,7 @@
            <div class="w-64">
                @if (!$server->isLocalhost())
                    <x-forms.checkbox instantSave
-                        helper="If you are using Cloudflare Tunnels, enable this. It will proxy all ssh requests to your server through Cloudflare.<span class='text-warning'>Coolify does not install/setup Cloudflare (cloudflared) on your server.</span>"
+                        helper="If you are using Cloudflare Tunnels, enable this. It will proxy all ssh requests to your server through Cloudflare.<br><span class='text-warning'>Coolify does not install/setup Cloudflare (cloudflared) on your server.</span>"
                        id="server.settings.is_cloudflare_tunnel" label="Cloudflare Tunnel" />
                    @if ($server->isSwarm())
                        <div class="pt-6"> Swarm support is in alpha version. </div>
--- a/versions.json
+++ b/versions.json
@ -4,7 +4,7 @@
            "version": "3.12.36"
        },
        "v4": {
-            "version": "4.0.0-beta.191"
+            "version": "4.0.0-beta.192"
        }
    }
 }