feat: add external-controller-cors can config allow-origins and allow-private-network

hub/hub.go

@@ -59,6 +59,10 @@ func applyRoute(cfg *config.Config) {
 		PrivateKey:  cfg.TLS.PrivateKey,
 		DohServer:   cfg.Controller.ExternalDohServer,
 		IsDebug:     cfg.General.LogLevel == log.DEBUG,
+		Cors: route.Cors{
+			AllowOrigins:        cfg.Controller.Cors.AllowOrigins,
+			AllowPrivateNetwork: cfg.Controller.Cors.AllowPrivateNetwork,
+		},
 	})
 }
 

hub/route/server.go

@@ -23,10 +23,10 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
-	"github.com/go-chi/cors"
 	"github.com/go-chi/render"
 	"github.com/gobwas/ws"
 	"github.com/gobwas/ws/wsutil"
+	"github.com/sagernet/cors"
 )
 
 var (
@@ -58,6 +58,22 @@ type Config struct {
 	PrivateKey  string
 	DohServer   string
 	IsDebug     bool
+	Cors        Cors
+}
+
+type Cors struct {
+	AllowOrigins        []string
+	AllowPrivateNetwork bool
+}
+
+func (c Cors) Apply(r chi.Router) {
+	r.Use(cors.New(cors.Options{
+		AllowedOrigins:      c.AllowOrigins,
+		AllowedMethods:      []string{"GET", "POST", "PUT", "PATCH", "DELETE"},
+		AllowedHeaders:      []string{"Content-Type", "Authorization"},
+		AllowPrivateNetwork: c.AllowPrivateNetwork,
+		MaxAge:              300,
+	}).Handler)
 }
 
 func ReCreateServer(cfg *Config) {
@@ -73,16 +89,9 @@ func SetUIPath(path string) {
 	uiPath = C.Path.Resolve(path)
 }
 
-func router(isDebug bool, secret string, dohServer string) *chi.Mux {
+func router(isDebug bool, secret string, dohServer string, cors Cors) *chi.Mux {
 	r := chi.NewRouter()
-	corsM := cors.New(cors.Options{
-		AllowedOrigins: []string{"*"},
-		AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE"},
-		AllowedHeaders: []string{"Content-Type", "Authorization"},
-		MaxAge:         300,
-	})
-	r.Use(setPrivateNetworkAccess)
-	r.Use(corsM.Handler)
+	cors.Apply(r)
 	if isDebug {
 		r.Mount("/debug", func() http.Handler {
 			r := chi.NewRouter()
@@ -151,7 +160,7 @@ func start(cfg *Config) {
 		log.Infoln("RESTful API listening at: %s", l.Addr().String())
 
 		server := &http.Server{
-			Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer),
+			Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer, cfg.Cors),
 		}
 		httpServer = server
 		if err = server.Serve(l); err != nil {
@@ -183,7 +192,7 @@ func startTLS(cfg *Config) {
 
 		log.Infoln("RESTful API tls listening at: %s", l.Addr().String())
 		server := &http.Server{
-			Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer),
+			Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer, cfg.Cors),
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{c},
 			},
@@ -232,7 +241,7 @@ func startUnix(cfg *Config) {
 		log.Infoln("RESTful API unix listening at: %s", l.Addr().String())
 
 		server := &http.Server{
-			Handler: router(cfg.IsDebug, "", cfg.DohServer),
+			Handler: router(cfg.IsDebug, "", cfg.DohServer, cfg.Cors),
 		}
 		unixServer = server
 		if err = server.Serve(l); err != nil {
@@ -263,7 +272,7 @@ func startPipe(cfg *Config) {
 		log.Infoln("RESTful API pipe listening at: %s", l.Addr().String())
 
 		server := &http.Server{
-			Handler: router(cfg.IsDebug, "", cfg.DohServer),
+			Handler: router(cfg.IsDebug, "", cfg.DohServer, cfg.Cors),
 		}
 		pipeServer = server
 		if err = server.Serve(l); err != nil {
@@ -272,15 +281,6 @@ func startPipe(cfg *Config) {
 	}
 }
 
-func setPrivateNetworkAccess(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
-			w.Header().Add("Access-Control-Allow-Private-Network", "true")
-		}
-		next.ServeHTTP(w, r)
-	})
-}
-
 func safeEuqal(a, b string) bool {
 	aBuf := utils.ImmutableBytesFromString(a)
 	bBuf := utils.ImmutableBytesFromString(b)