feat: add LogDirWhiteList option

Author: 0xJacky

.gitignore

@@ -11,3 +11,4 @@ nginx-ui
 resources/development/nginx
 app/.env
 app/.status_hash
+casdoor.pub

api/nginx/nginx_log.go

@@ -2,9 +2,13 @@ package nginx
 
 import (
 	"encoding/json"
+	"fmt"
 	"github.com/0xJacky/Nginx-UI/api"
+	"github.com/0xJacky/Nginx-UI/internal/cache"
+	"github.com/0xJacky/Nginx-UI/internal/helper"
 	"github.com/0xJacky/Nginx-UI/internal/logger"
 	"github.com/0xJacky/Nginx-UI/internal/nginx"
+	"github.com/0xJacky/Nginx-UI/settings"
 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
 	"github.com/hpcloud/tail"
@@ -30,6 +34,7 @@ type controlStruct struct {
 type nginxLogPageResp struct {
 	Content string `json:"content"`
 	Page    int64  `json:"page"`
+	Error   string `json:"error,omitempty"`
 }
 
 func GetNginxLogPage(c *gin.Context) {
@@ -46,28 +51,37 @@ func GetNginxLogPage(c *gin.Context) {
 	logPath, err := getLogPath(&control)
 
 	if err != nil {
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: err.Error(),
+		})
 		logger.Error(err)
 		return
 	}
 
 	logFileStat, err := os.Stat(logPath)
 
 	if err != nil {
-		c.JSON(http.StatusOK, nginxLogPageResp{})
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: err.Error(),
+		})
 		logger.Error(err)
 		return
 	}
 
 	if !logFileStat.Mode().IsRegular() {
-		c.JSON(http.StatusOK, nginxLogPageResp{})
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: "log file is not regular file",
+		})
 		logger.Error("log file is not regular file:", logPath)
 		return
 	}
 
 	f, err := os.Open(logPath)
 
 	if err != nil {
-		c.JSON(http.StatusOK, nginxLogPageResp{})
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: err.Error(),
+		})
 		logger.Error(err)
 		return
 	}
@@ -90,15 +104,19 @@ func GetNginxLogPage(c *gin.Context) {
 	// seek
 	_, err = f.Seek(offset, io.SeekStart)
 	if err != nil && err != io.EOF {
-		c.JSON(http.StatusOK, nginxLogPageResp{})
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: err.Error(),
+		})
 		logger.Error(err)
 		return
 	}
 
 	n, err := f.Read(buf)
 
 	if err != nil && err != io.EOF {
-		c.JSON(http.StatusOK, nginxLogPageResp{})
+		c.JSON(http.StatusInternalServerError, nginxLogPageResp{
+			Error: err.Error(),
+		})
 		logger.Error(err)
 		return
 	}
@@ -109,7 +127,30 @@ func GetNginxLogPage(c *gin.Context) {
 	})
 }
 
+// isLogPathUnderWhiteList checks if the log path is under one of the paths in LogDirWhiteList
+func isLogPathUnderWhiteList(path string) bool {
+	cacheKey := fmt.Sprintf("isLogPathUnderWhiteList:%s", path)
+	res, ok := cache.Get(cacheKey)
+	// no cache, check it
+	if !ok {
+		for _, whitePath := range settings.NginxSettings.LogDirWhiteList {
+			if helper.IsUnderDirectory(path, whitePath) {
+				cache.Set(cacheKey, true, 0)
+				return true
+			}
+		}
+		return false
+	}
+	return res.(bool)
+}
+
 func getLogPath(control *controlStruct) (logPath string, err error) {
+	if len(settings.NginxSettings.LogDirWhiteList) == 0 {
+		err = errors.New("The settings.NginxSettings.LogDirWhiteList has not been configured. " +
+			"For security reasons, please configure a whitelist of log directories. " +
+			"Please visit https://nginxui.com/guide/config-nginx.html for more information.")
+		return
+	}
 	switch control.Type {
 	case "site":
 		var config *nginx.NgxConfig
@@ -172,6 +213,11 @@ func getLogPath(control *controlStruct) (logPath string, err error) {
 		logPath = path
 	}
 
+	// check if logPath is under one of the paths in LogDirWhiteList
+	if !isLogPathUnderWhiteList(logPath) {
+		err = errors.New("The log path is not under the paths in LogDirWhiteList.")
+		return "", err
+	}
 	return
 }
 

app/src/views/nginx_log/NginxLog.vue

@@ -59,6 +59,9 @@ function init() {
   nginx_log.page(0, control).then(r => {
     page.value = r.page - 1
     addLog(r.content)
+    openWs()
+  }).catch(e => {
+    addLog(e.error)
   })
 }
 
@@ -68,11 +71,10 @@ function clearLog() {
 
 onMounted(() => {
   init()
-  openWs()
 })
 
 onUnmounted(() => {
-  websocket.close()
+  websocket?.close()
 })
 
 watch(auto_refresh, value => {

casdoor.pub

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE3TCCAsWgAwIBAgIDAeJAMA0GCSqGSIb3DQEBCwUAMCgxDjAMBgNVBAoTBWFk
+bWluMRYwFAYDVQQDEw1jZXJ0LWJ1aWx0LWluMB4XDTI0MDcyOTAzMDUzM1oXDTQ0
+MDcyOTAzMDUzM1owKDEOMAwGA1UEChMFYWRtaW4xFjAUBgNVBAMTDWNlcnQtYnVp
+bHQtaW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDh0c2zvM21NDNi
+xZmSQVPOtckiH/K80mHQ99e+xzdGrZugaw00tyTOMVRot+Bv1cggcJXmFcVaa9Da
+siIcIQ6jT3w7mINsrErYu4nz9tELd4BZUM6tytN+khVqo73p/NbRsnmX8ykMyrgx
+YCBknNoSxh7glLSmKcj4uQ12dYakRPr0QNnDwU7fpPfB7N4O88yXWpbqWaABwqBx
+S6+tYUp9Wx74mH8c917w5xXx8EI5eC+dJOAeVXrbzqD7OdC+uo8m7f06HAX1vRE/
+MQS0BDx8tDGtqOvdJbVxdnS6MQ2E3vmuusFseDcKVgqTF/7b76y5uNyBBux5zfpt
+G1O3bquMlQ8mSedK8BBcbI79gXYJRWazMBXvAdacaV93dF1s0EEjYXiBManAci2d
+lH8zzs4TNpE0t3adYiPbGPW1F6Q+HaV52MDVpFwG9Ld0kJmKhkvoWiSXl58Db3VN
+Ef8Jjo2xF+5o9685CQ2o9L0RalcHxMxy1+6wdKMSp7PReYpIiEgmkAhUsKePOVmr
+JwL46/4EulcXrh+ASjobmknHzdBQEK+MHapb/XWewX4mzq777gPmP8RdILTHsc1m
+/hbR8uW9iTfo9LQFvXwnIPVfX0wzFXSZzSg/zLb2tN5D7VlDenUAdCDT1zNOfz5m
+9vLYwfo5GzXIkp2py0G40vrZlv7C9wIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0G
+CSqGSIb3DQEBCwUAA4ICAQBp1Bx+mShpumQiVb2hv0amSzAKADyYIX3Xcef68rPu
+Eb+7HSCmQf4yyI9eU1TyvQCLbjum3U3OhDWwAiRvxOwj0oO/Q+dOUEZxTjbL9UF3
+4LIrUUBMRhRgy3wK73qy3o8hAcRtQyexUW7eoFS+7L++6XQOvMkYAtLO0DQCHeKG
+loiQa5RuWbzQDdP7810DLvNF8IMA8t9KKaKGybYze9WTzRUMTDbXby8pVs8DG7JI
+zIW6neEmtsVbxufk/nthG1b83/yZxe0StL42xI7f4xgguhkfd68E4lpf/gp91EAM
+K6MbTmCqkB68c0wOSXpWYkte7EvXTTmMSKf6FnMgOtqdxqYYMknLk4ZdI7tMqS31
+rpb9XxjBgXFbB18oOSDbW64KPMjE7vuOx+o32BTHKsUWxOiDc8+0ELrbhG2Bm1Gj
+CYkx9bq5iTLDwtZZlPoA8O/T0TJzBTtC/tlEdpHSkkLoEaWsx0nT9ipRWck1Kj59
+NGJkArbrpq9Ee8tWJKqTN/pv0X8r+MxowIY2dKvwweokXb7R6k9nfXyGw8ji22Hv
+H4iibv9FEyVFQ16HPR6fIKg9yE9u0223UhJZEwohA4DylCxpmI/YSXbUmzQJwjBP
+27qvT4Y07xsdNqIbkwhb5yEQB5huivITD+SBwI5NwDfUeY6eF/BEHpRq+Uy3itx0
+SA==
+-----END CERTIFICATE-----

docs/guide/config-nginx.md

@@ -33,6 +33,20 @@ In Nginx UI v2, we parse the output of the `nginx -V` command to get the default
 If you need to set a different path, you can use this option.
 :::
 
+### LogDirWhiteList
+
+- Type: `[]string`
+- Version：`>= v2.0.0-beta.36`
+- Example: `/var/log/nginx,/var/log/sites`
+
+This option is used to set the whitelist of directories for the Nginx logs viewer in Nginx UI.
+
+::: warning Warning
+For security reasons, you must specify the directories where the logs are stored. 
+
+Only logs within these directories can be viewed online.
+:::
+
 ## Service Monitoring and Control
 
 In this section, we will introduce configuration options in Nginx UI for monitoring and controlling Nginx services.

docs/package.json

@@ -7,11 +7,11 @@
     "docs:preview": "vitepress preview"
   },
   "dependencies": {
-    "vitepress": "^1.3.4",
+    "vitepress": "^1.4.0",
     "vue": "^3.5.11"
   },
   "devDependencies": {
-    "@types/node": "^22.7.4",
+    "@types/node": "^22.7.5",
     "less": "^4.2.0"
   },
   "license": "AGPL-3.0",