admin/deploy-felhom-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: geo-restriction via Cloudflare WAF custom rules

Browse Source 
Add country-based access control managed through the Settings page.
Global allow-list with per-app overrides, searchable country selector,
automatic sync to Cloudflare WAF on settings change / deploy / remove,
plus periodic 6-hour verification.

New package: internal/cloudflare/ (client, zone, waf, countries, geosync)
New API: /api/geo/* (6 endpoints) + /api/stacks/{name}/geo/override

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-02-25 11:58:22 +01:00
parent 4c5d430b1a
commit e1fb85240b
15 changed files with 2091 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/internal/cloudflare/zone.go
+66
View File
@@ -0,0 +1,66 @@
package cloudflare
import (
"encoding/json"
"fmt"
"net/url"
)
// zone represents a Cloudflare zone (minimal fields).
type zone struct {
ID string `json:"id"`
Name string `json:"name"`
}
// GetZoneID resolves the Cloudflare zone ID for a domain.
// It tries the exact domain first, then strips subdomains progressively.
func (c *Client) GetZoneID(domain string) (string, error) {
// Try exact domain first (e.g., "demo-felhom.eu")
id, err := c.lookupZone(domain)
if err != nil {
return "", err
}
if id != "" {
return id, nil
}
// Try parent domains (e.g., "felhom.eu" from "demo.felhom.eu")
for i := 0; i < len(domain); i++ {
if domain[i] == '.' {
parent := domain[i+1:]
if parent == "" {
break
}
id, err = c.lookupZone(parent)
if err != nil {
return "", err
}
if id != "" {
return id, nil
}
}
}
return "", fmt.Errorf("no Cloudflare zone found for domain %q", domain)
}
// lookupZone queries the CF API for a zone by name.
func (c *Client) lookupZone(name string) (string, error) {
path := "/zones?name=" + url.QueryEscape(name) + "&status=active"
resp, err := c.do("GET", path, nil)
if err != nil {
return "", fmt.Errorf("lookup zone %q: %w", name, err)
}
var zones []zone
if err := json.Unmarshal(resp.Result, &zones); err != nil {
return "", fmt.Errorf("decode zones: %w", err)
}
if len(zones) == 0 {
return "", nil
}
c.logger.Printf("[CF] Resolved zone %q → %s", name, zones[0].ID)
return zones[0].ID, nil
}