Add denyHosts flag to deny URLs for certain hosts

For example, when running in a Docker swarm cluster we don't want it to
have access to our internal services available under *.weave.local

Closes #85
yvind Ngai Johnsen 2017-03-23 10:42:39 +01:00 committed by Will Norris
parent 127a621c8a
commit 7264d177a1
3 changed files with 29 additions and 8 deletions


@ -49,6 +49,10 @@ type Proxy struct {
// Whitelist should no longer be used. Use "AllowHosts" instead.
Whitelist []string
// DenyHosts specifies a list of remote hosts that images cannot be
// proxied from.
DenyHosts []string
// Referrers, when given, requires that requests to the image
// proxy come from a referring host. An empty list means all
// hosts are allowed.
@ -225,6 +229,10 @@ func (p *Proxy) allowed(r *Request) error {
return fmt.Errorf("request does not contain an allowed referrer: %v", r)
}
if validHost(p.DenyHosts, r.URL) {
return fmt.Errorf("request contains a denied host %v", r)
}
if len(p.AllowHosts) == 0 && len(p.SignatureKey) == 0 {
return nil // no allowed hosts or signature key, all requests accepted
}
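Review bot: The new check `if validHost(p.DenyHosts, r.URL)` in allowed appears to match only the host name written in the request URL, so it is an incomplete control for keeping the proxy away from internal services. validHost's matching rules are outside this page, but a name-based match would presumably not catch an IP literal, or a public name that resolves to an internal address. The DenyHosts field comment should say so, and should state that the deny list is evaluated before AllowHosts and SignatureKey, e.g. `// DenyHosts is matched against the URL host name only and takes precedence over AllowHosts and signed requests.` If internal networks must stay unreachable, a check on the resolved address at connection time would be the stronger control. Calling a helper named `validHost` to decide that a host is denied also reads inverted; a neutral name such as `hostMatches` would make this branch easier to audit. The body of allowed starts and ends outside the hunk.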