✨ adiciona módulo de firewall para Caddy com listas de bloqueio e liberação baseadas em IPs; inclui configuração via arquivo TOML e suporte básico para Caddyfile; adiciona dependências necessárias no go.mod e go.sum para suporte ao módulo

Author: imakecodes

firewall.go

@@ -0,0 +1,78 @@
+package firewall
+
+import (
+	"net"
+	"net/http"
+
+	"github.com/BurntSushi/toml"
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+)
+
+func init() {
+	caddy.RegisterModule(Firewall{})
+}
+
+type Firewall struct {
+	Allow []string `json:"allow,omitempty"`
+	Block []string `json:"block,omitempty"`
+}
+
+func (Firewall) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID:  "http.handlers.firewall",
+		New: func() caddy.Module { return new(Firewall) },
+	}
+}
+
+func (m *Firewall) Provision(ctx caddy.Context) error {
+	// carrega o arquivo firewall.toml
+	var conf struct {
+		Allow []string `toml:"allow"`
+		Block []string `toml:"block"`
+	}
+	if _, err := toml.DecodeFile("/etc/caddy/firewall.toml", &conf); err != nil {
+		return err
+	}
+	m.Allow = conf.Allow
+	m.Block = conf.Block
+	return nil
+}
+
+func (m Firewall) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
+	clientIP, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		return err
+	}
+
+	// Bloqueio prioritário
+	for _, blocked := range m.Block {
+		if blocked == clientIP {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return nil
+		}
+	}
+
+	// Liberação se listado
+	if len(m.Allow) > 0 {
+		allowed := false
+		for _, allowedIP := range m.Allow {
+			if allowedIP == clientIP {
+				allowed = true
+				break
+			}
+		}
+		if !allowed {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return nil
+		}
+	}
+
+	// Se não está bloqueado, e não tem allow list, passa
+	return next.ServeHTTP(w, r)
+}
+
+// Para suporte a Caddyfile (opcional)
+func (m *Firewall) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	return nil
+}

go.mod

@@ -0,0 +1,48 @@
+module github.com/makecodes/caddy-simple-firewall
+
+go 1.24
+
+toolchain go1.24.2
+
+require (
+	github.com/BurntSushi/toml v1.5.0
+	github.com/caddyserver/caddy/v2 v2.10.0
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/caddyserver/certmagic v0.23.0 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/francoispqt/gojay v1.2.13 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/libdns/libdns v1.0.0-beta.1 // indirect
+	github.com/mholt/acmez/v3 v3.1.2 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.50.1 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+)