admin/deploy-felhom-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: geo-restriction via Cloudflare WAF custom rules

Browse Source 
Add country-based access control managed through the Settings page.
Global allow-list with per-app overrides, searchable country selector,
automatic sync to Cloudflare WAF on settings change / deploy / remove,
plus periodic 6-hour verification.

New package: internal/cloudflare/ (client, zone, waf, countries, geosync)
New API: /api/geo/* (6 endpoints) + /api/stacks/{name}/geo/override

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-02-25 11:58:22 +01:00
parent 4c5d430b1a
commit e1fb85240b
15 changed files with 2091 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/internal/web/templates/settings.html
+339
View File
@@ -376,6 +376,345 @@ function pollUntilBack() {
</details>
</div>
<!-- Section: Geo-Restriction -->
<div class="settings-card">
<h3>Földrajzi korlátozás</h3>
<p class="settings-card-desc">
Ország alapján korlátozható a webes alkalmazások elérése a Cloudflare WAF segítségével.
<br><span class="form-hint">A helyi hálózati hozzáférés mindig engedélyezett (nem halad át a Cloudflare-en).</span>
</p>
{{if not .CFConfigured}}
<div class="alert alert-info">
A Cloudflare API token nincs konfigurálva. Kérd az üzemeltetőt a beállításhoz.<br>
<small>A tokennek <strong>Zone WAF:Edit</strong> jogosultsággal kell rendelkeznie.</small>
</div>
{{else}}
<div id="geo-status-msg"></div>
<label class="toggle" style="margin-bottom:1rem">
<input type="checkbox" id="geo-enabled" {{if .GeoEnabled}}checked{{end}}
onchange="toggleGeo(this.checked)">
<span class="toggle-label">Geo-korlátozás aktív</span>
</label>
<div id="geo-details" {{if not .GeoEnabled}}style="display:none"{{end}}>
<!-- Global allowed countries -->
<div class="form-group">
<label>Engedélyezett országok (globális)</label>
<div class="geo-country-selector" id="geo-countries">
<input type="text" id="geo-search" class="form-control"
placeholder="Ország keresése..."
autocomplete="off"
oninput="filterCountries(this.value)"
onfocus="showCountryList()"
onblur="setTimeout(function(){hideCountryList()},200)">
<div class="geo-country-list" id="geo-country-list"></div>
</div>
<div class="geo-selected-tags" id="geo-selected-tags"></div>
<span class="form-hint">Csak a kiválasztott országokból érhető el a rendszer.</span>
</div>
<!-- Per-app overrides -->
<div class="form-group" style="margin-top:1.5rem">
<label>Alkalmazás-specifikus felülírások</label>
<div id="geo-app-overrides"></div>
{{if .DeployedApps}}
<div style="margin-top:.5rem;display:flex;align-items:center;gap:.5rem">
<select id="geo-add-app-select" class="form-control" style="max-width:250px">
<option value="">— Alkalmazás kiválasztása —</option>
{{range .DeployedApps}}
<option value="{{.Name}}">{{.Display}}</option>
{{end}}
</select>
<button class="btn btn-sm btn-outline" onclick="addAppOverride()">+ Hozzáadás</button>
</div>
{{end}}
</div>
<!-- Sync status & save -->
<div class="form-group" style="margin-top:1.5rem">
<div style="display:flex;align-items:center;gap:1rem;flex-wrap:wrap">
<button class="btn btn-primary" id="btn-geo-save" onclick="saveGeoSettings()">
Mentés és szinkronizálás
</button>
<button class="btn btn-sm btn-outline" onclick="triggerGeoSync()">Kézi szinkronizálás</button>
<span id="geo-sync-status" class="form-hint">
{{if .GeoLastSync}}Utolsó szinkronizálás: {{.GeoLastSync}}{{end}}
{{if .GeoLastError}} <span class="state-text-red">{{.GeoLastError}}</span>{{end}}
</span>
</div>
</div>
</div>
{{end}}
</div>
<script>
(function(){
// Geo-restriction UI state
var allCountries = [];
var selectedCountries = {{json .GeoAllowedCountries}};
var appOverrides = {{json .GeoAppOverrides}};
// Load countries list on first use
function ensureCountries(cb) {
if (allCountries.length > 0) { cb(); return; }
fetch('/api/geo/countries', {headers: csrfHeaders()})
.then(function(r){return r.json()})
.then(function(d){
if (d.ok) allCountries = d.data;
cb();
})
.catch(function(){ cb(); });
}
window.toggleGeo = function(enabled) {
document.getElementById('geo-details').style.display = enabled ? '' : 'none';
if (enabled) ensureCountries(renderTags);
};
window.showCountryList = function() {
ensureCountries(function(){ filterCountries(document.getElementById('geo-search').value); });
};
window.hideCountryList = function() {
document.getElementById('geo-country-list').style.display = 'none';
};
window.filterCountries = function(query) {
var list = document.getElementById('geo-country-list');
var q = query.toLowerCase();
var html = '';
var count = 0;
for (var i = 0; i < allCountries.length && count < 15; i++) {
var c = allCountries[i];
if (selectedCountries.indexOf(c.code) >= 0) continue;
if (q && c.name.toLowerCase().indexOf(q) < 0 && c.code.toLowerCase().indexOf(q) < 0) continue;
html += '<div class="geo-country-option" onmousedown="addCountry(\'' + c.code + '\',\'' + escHtml(c.name) + '\')">'
+ escHtml(c.name) + ' <small>(' + c.code + ')</small></div>';
count++;
}
list.innerHTML = html || '<div class="geo-country-option" style="opacity:.5">Nincs találat</div>';
list.style.display = count > 0 || q ? '' : 'none';
};
window.addCountry = function(code, name) {
if (selectedCountries.indexOf(code) >= 0) return;
selectedCountries.push(code);
renderTags();
document.getElementById('geo-search').value = '';
hideCountryList();
};
window.removeCountry = function(code) {
if (code === 'HU') {
if (!confirm('Figyelem: Magyarország eltávolítása azt jelenti, hogy magyar IP-ről sem lesz elérhető a rendszer távolról. Biztosan folytatja?')) return;
}
selectedCountries = selectedCountries.filter(function(c){return c !== code});
renderTags();
};
function renderTags() {
var el = document.getElementById('geo-selected-tags');
var html = '';
for (var i = 0; i < selectedCountries.length; i++) {
var code = selectedCountries[i];
var name = countryName(code);
var isHU = code === 'HU' ? ' geo-tag-hu' : '';
html += '<span class="geo-tag' + isHU + '">'
+ escHtml(name) + ' (' + code + ') '
+ '<span class="geo-tag-remove" onclick="removeCountry(\'' + code + '\')">&times;</span>'
+ '</span>';
}
el.innerHTML = html;
renderAppOverrides();
}
function countryName(code) {
for (var i = 0; i < allCountries.length; i++) {
if (allCountries[i].code === code) return allCountries[i].name;
}
return code;
}
// --- Per-app overrides ---
window.addAppOverride = function() {
var sel = document.getElementById('geo-add-app-select');
var appName = sel.value;
if (!appName) return;
if (!appOverrides) appOverrides = {};
if (appOverrides[appName]) { sel.value = ''; return; }
// Default: same countries as global
appOverrides[appName] = {allowed_countries: selectedCountries.slice()};
sel.value = '';
renderAppOverrides();
};
window.removeAppOverride = function(appName) {
delete appOverrides[appName];
renderAppOverrides();
};
window.toggleAppCountry = function(appName, code, el) {
var ov = appOverrides[appName];
if (!ov) return;
var idx = ov.allowed_countries.indexOf(code);
if (idx >= 0) {
if (code === 'HU' && !confirm('Magyarország eltávolítása nem ajánlott. Folytatja?')) {
el.checked = true;
return;
}
ov.allowed_countries.splice(idx, 1);
} else {
ov.allowed_countries.push(code);
}
};
function renderAppOverrides() {
var el = document.getElementById('geo-app-overrides');
if (!appOverrides || Object.keys(appOverrides).length === 0) {
el.innerHTML = '<p class="form-hint">Nincs alkalmazás-specifikus beállítás. Minden alkalmazás a globális beállítást követi.</p>';
return;
}
var html = '';
for (var appName in appOverrides) {
var ov = appOverrides[appName];
var displayName = appName;
// Try to find display name from select
var opts = document.getElementById('geo-add-app-select');
if (opts) {
for (var j = 0; j < opts.options.length; j++) {
if (opts.options[j].value === appName) { displayName = opts.options[j].text; break; }
}
}
html += '<div class="geo-app-override-row">';
html += '<strong>' + escHtml(displayName) + '</strong>';
html += '<div class="geo-selected-tags" style="flex:1;margin:0 .5rem">';
for (var i = 0; i < ov.allowed_countries.length; i++) {
var code = ov.allowed_countries[i];
html += '<span class="geo-tag geo-tag-sm">' + code + '</span>';
}
html += '</div>';
html += '<button class="btn btn-sm btn-outline" onclick="editAppOverride(\'' + appName + '\')">Szerkesztés</button>';
html += '<button class="btn btn-sm btn-danger-outline" onclick="removeAppOverride(\'' + appName + '\')">Törlés</button>';
html += '</div>';
}
el.innerHTML = html;
}
window.editAppOverride = function(appName) {
var ov = appOverrides[appName];
if (!ov) return;
ensureCountries(function(){
var checked = {};
for (var i = 0; i < ov.allowed_countries.length; i++) checked[ov.allowed_countries[i]] = true;
var html = '<div class="geo-edit-overlay" id="geo-edit-' + appName + '">';
html += '<h4>Engedélyezett országok: ' + escHtml(appName) + '</h4>';
html += '<div class="geo-edit-grid">';
for (var i = 0; i < allCountries.length; i++) {
var c = allCountries[i];
html += '<label class="geo-edit-item"><input type="checkbox" value="' + c.code + '"'
+ (checked[c.code] ? ' checked' : '') + ' onchange="toggleAppCountry(\'' + appName + '\',\'' + c.code + '\',this)">'
+ ' ' + escHtml(c.name) + ' (' + c.code + ')</label>';
}
html += '</div>';
html += '<button class="btn btn-sm btn-primary" style="margin-top:.5rem" onclick="closeAppEdit(\'' + appName + '\')">Kész</button>';
html += '</div>';
document.getElementById('geo-app-overrides').innerHTML += html;
});
};
window.closeAppEdit = function(appName) {
var el = document.getElementById('geo-edit-' + appName);
if (el) el.remove();
renderAppOverrides();
};
// --- Save & Sync ---
window.saveGeoSettings = function() {
var btn = document.getElementById('btn-geo-save');
var status = document.getElementById('geo-status-msg');
btn.disabled = true;
btn.textContent = 'Mentés...';
var payload = {
enabled: document.getElementById('geo-enabled').checked,
allowed_countries: selectedCountries
};
fetch('/api/geo/settings', {
method: 'POST',
headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
body: JSON.stringify(payload)
})
.then(function(r){return r.json()})
.then(function(d){
if (d.ok) {
status.innerHTML = '<div class="alert alert-info">' + (d.message || 'Mentve') + '</div>';
// Save per-app overrides
if (appOverrides && Object.keys(appOverrides).length > 0) {
saveAllAppOverrides();
}
} else {
status.innerHTML = '<div class="alert alert-error">' + (d.error || 'Hiba') + '</div>';
}
})
.catch(function(err){
status.innerHTML = '<div class="alert alert-error">Hálózati hiba</div>';
})
.finally(function(){
btn.disabled = false;
btn.textContent = 'Mentés és szinkronizálás';
setTimeout(function(){ status.innerHTML = ''; }, 8000);
});
};
function saveAllAppOverrides() {
for (var appName in appOverrides) {
(function(name, ov){
fetch('/api/stacks/' + name + '/geo/override', {
method: 'POST',
headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
body: JSON.stringify({allowed_countries: ov.allowed_countries})
});
})(appName, appOverrides[appName]);
}
}
window.triggerGeoSync = function() {
fetch('/api/geo/sync', {method:'POST', headers: csrfHeaders()})
.then(function(r){return r.json()})
.then(function(d){
var status = document.getElementById('geo-sync-status');
status.textContent = d.ok ? 'Szinkronizálás elindítva...' : (d.error || 'Hiba');
setTimeout(function(){
fetch('/api/geo/status', {headers: csrfHeaders()})
.then(function(r){return r.json()})
.then(function(d){
if (d.ok && d.data) {
var sync = d.data.last_sync || '';
var err = d.data.last_sync_error || '';
status.innerHTML = sync ? ('Utolsó: ' + sync.substring(0,19).replace('T',' ')) : '';
if (err) status.innerHTML += ' <span class="state-text-red">' + escHtml(err) + '</span>';
}
});
}, 5000);
});
};
function escHtml(s) {
var d = document.createElement('div');
d.textContent = s;
return d.innerHTML;
}
// Initialize on load
if (document.getElementById('geo-enabled') && document.getElementById('geo-enabled').checked) {
ensureCountries(renderTags);
}
})();
</script>
<!-- Section B: Password Change -->
<div class="settings-card">
<h3>Jelszó módosítás</h3>