Add option to redirect blocked request to a configured URL

Author: PascalMinder

geoblock.go

@@ -54,6 +54,7 @@ type Config struct {
 	AddCountryHeader             bool     `yaml:"addCountryHeader"`
 	HTTPStatusCodeDeniedRequest  int      `yaml:"httpStatusCodeDeniedRequest"`
 	LogFilePath                  string   `yaml:"logFilePath"`
+	RedirectURLIfDenied          string   `yaml:"redirectUrlIfDenied"`
 }
 
 type ipEntry struct {
@@ -91,6 +92,7 @@ type GeoBlock struct {
 	httpStatusCodeDeniedRequest  int
 	database                     *lru.LRUCache
 	logFile                      *os.File
+	redirectURLIfDenied          string
 	name                         string
 }
 
@@ -174,6 +176,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		addCountryHeader:             config.AddCountryHeader,
 		httpStatusCodeDeniedRequest:  config.HTTPStatusCodeDeniedRequest,
 		logFile:                      logFile,
+		redirectURLIfDenied:          config.RedirectURLIfDenied,
 		name:                         name,
 	}, nil
 }
@@ -194,8 +197,14 @@ func (a *GeoBlock) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	for _, requestIPAddress := range requestIPAddresses {
 		if !a.allowDenyIPAddress(requestIPAddress, req) {
-			rw.WriteHeader(a.httpStatusCodeDeniedRequest)
-			a.next.ServeHTTP(rw, req)
+			if len(a.redirectURLIfDenied) != 0 {
+				rw.Header().Set("Location", a.redirectURLIfDenied)
+				rw.WriteHeader(http.StatusMovedPermanently)
+				a.next.ServeHTTP(rw, req)
+			} else {
+				rw.WriteHeader(a.httpStatusCodeDeniedRequest)
+				a.next.ServeHTTP(rw, req)
+			}
 		}
 	}
 
@@ -553,6 +562,9 @@ func printConfiguration(config *Config, logger *log.Logger) {
 	logger.Printf("countries: %v", config.Countries)
 	logger.Printf("Denied request status code: %d", config.HTTPStatusCodeDeniedRequest)
 	logger.Printf("Log file path: %s", config.LogFilePath)
+	if len(config.RedirectURLIfDenied) != 0 {
+		logger.Printf("Redirect URL on denied requests: %s", config.RedirectURLIfDenied)
+	}
 }
 
 func initializeLogFile(logFilePath string, logger *log.Logger) (*os.File, error) {

geoblock_test.go

@@ -406,6 +406,35 @@ func TestDeniedCountry(t *testing.T) {
 	assertStatusCode(t, recorder.Result(), http.StatusForbidden)
 }
 
+func TestDeniedCountryWithRedirect(t *testing.T) {
+	cfg := createTesterConfig()
+	cfg.Countries = append(cfg.Countries, "CH")
+	cfg.RedirectURLIfDenied = "https://google.com"
+
+	ctx := context.Background()
+	next := http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {})
+
+	handler, err := geoblock.New(ctx, next, cfg, "GeoBlock")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recorder := httptest.NewRecorder()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Add(xForwardedFor, caExampleIP)
+
+	handler.ServeHTTP(recorder, req)
+
+	result := recorder.Result()
+	assertStatusCode(t, result, http.StatusMovedPermanently)
+	assertResponseHeader(t, result, "Location", cfg.RedirectURLIfDenied)
+}
+
 func TestCustomDeniedRequestStatusCode(t *testing.T) {
 	cfg := createTesterConfig()
 	cfg.Countries = append(cfg.Countries, "CH")
@@ -860,7 +889,7 @@ func TestCountryHeader(t *testing.T) {
 
 	handler.ServeHTTP(recorder, req)
 
-	assertHeader(t, req, CountryHeader, "CA")
+	assertRequestHeader(t, req, CountryHeader, "CA")
 }
 
 func TestIpGeolocationHttpField(t *testing.T) {
@@ -891,7 +920,7 @@ func TestIpGeolocationHttpField(t *testing.T) {
 
 	handler.ServeHTTP(recorder, req)
 
-	assertHeader(t, req, CountryHeader, "CA")
+	assertRequestHeader(t, req, CountryHeader, "CA")
 	assertStatusCode(t, recorder.Result(), http.StatusOK)
 }
 
@@ -987,14 +1016,22 @@ func assertStatusCode(t *testing.T, req *http.Response, expected int) {
 	}
 }
 
-func assertHeader(t *testing.T, req *http.Request, key string, expected string) {
+func assertRequestHeader(t *testing.T, req *http.Request, key string, expected string) {
 	t.Helper()
 
 	if received := req.Header.Get(key); received != expected {
 		t.Errorf("header value mismatch: %s: %s <> %s", key, expected, received)
 	}
 }
 
+func assertResponseHeader(t *testing.T, response *http.Response, key string, expected string) {
+	t.Helper()
+
+	if received := response.Header.Get(key); received != expected {
+		t.Errorf("header value mismatch: %s: %s <> %s", key, expected, received)
+	}
+}
+
 type CountryCodeHandler struct {
 	ResponseCountryCode string
 }

readme.md

@@ -518,3 +518,11 @@ Allows customizing the HTTP status code returned if the request was denied.
 ### Define a custom log file `logFilePath`
 
 Allows to define a target for the logs of the middleware. The path must look like the following: `logFilePath: "/log/geoblock.log"`. Make sure the folder is writeable.
+
+### Define a custom log file `XForwardedForReverseProxy`
+
+Basically tells GeoBlock to only allow/deny a request based on the first IP address in the X-ForwardedFor HTTP header. This is useful for servers behind e.g. a Cloudflare proxy.
+
+### Define a custom log file `redirectUrlIfDenied`
+
+Allows returning a HTTP 301 status code, which indicates that the requested resource has been moved. The URL which can be specified is used to redirect the client to. So instead of "blocking" the client, the client will be redirected to the configured URL.