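/**
 * Viewer-request access-control handler (the event and response shapes
 * appear to follow the CloudFront Functions viewer-request format).
 *
 * Checks, in order:
 *   xx. excluded URIs are passed through untouched
 *   01. maintenance window: non-allow-listed IPs are redirected
 *   02. admin paths: non-allow-listed IPs are redirected
 *   03. sub-domain: only requests with an accepted Referer pass
 *   04. Basic authentication on the dev/stg and main hosts
 *   05. "index.html" completion for directory-style URIs
 *
 * NOTE(review): checks 02-04 apply only when the Host header matches one of
 * the patterns below; a host that matches none of them reaches the origin
 * without any check. Confirm the distribution only answers for the expected
 * host names.
 *
 * @param {object} event - event carrying `request` and `viewer.ip`
 * @returns {object} the (possibly rewritten) request, or a 302/401 response
 */
function handler(event) {
  var request = event.request;
  var headers = request.headers;
  var clientIP = event.viewer.ip;
  var host = headers.host.value;
  var uri = request.uri;
  var referer = headers.referer ? headers.referer.value : '';

  var normalURL = `https://${host}`;
  var maintenanceURI = '/maintenance';
  var maintenanceURL = `${normalURL}${maintenanceURI}`;
  var errorURI = '/access-denied';
  var errorURL = `${normalURL}${errorURI}`;

  var EXCLUDE_URI_LIST = [
    '/sorry/index.html',
    '/sorry/en/index.html',
    '/favicon.ico',
  ];

  // Set the White List for maintenance
  var IP_WHITE_LIST = [
    '192.168.0.1', // A
    '192.168.0.2', // B
    '192.168.0.3', // C
  ];

  // Set the White List for admin site
  var IP_WHITE_LIST_ADMIN = [
    '192.168.1.1', // A
    '192.168.1.2', // B
    '192.168.1.3', // C
  ];

  // echo -n user:pass | base64
  // NOTE(review): these credentials live in the function source, so anyone
  // who can read the function code (or the repository) can recover them.
  var authString_dev = 'Basic ABCDEFG';
  var authString = 'Basic ABCDEFG';

  // No `g` flag on any pattern: a global regex keeps `lastIndex` between
  // `.test()` calls, so a second test on the same string starts past the
  // first match and reports false. With the flag, the Basic-auth branch for
  // the main domain was skipped and same-site referers were rejected.
  // Dots are escaped so they match a literal "." only; host names are
  // compared case-insensitively.
  var regexpSubDomain_dev = /(?:dev|stg)\.example\.com/i;
  var regexpDomain = /example\.com/i;
  var regexpDomain_sub = /sub\.example\.com/i;

  // Referer patterns are anchored to the scheme and end at the host
  // boundary, so a look-alike host that merely starts with an accepted name
  // is not accepted. The Referer header is supplied by the client: treat
  // this check as a deterrent, not as authentication.
  var regexpURL_referer = /^https:\/\/(?:example\.com|stg\.example\.com|dev\.example\.com)(?:\/|$)/i;
  var regexpReferer_sub = /^https?:\/\/sub\.example\.com(?:\/|$)/i;

  // Also matches "/admin" with no trailing slash: path completion below
  // turns that URI into "/admin/index.html", so it needs the same IP check.
  var regexpUriAdmin = /\/admin(?:\/|$)/;

  // [xx. Check excluded URIs]
  if (EXCLUDE_URI_LIST.includes(uri)) {
    console.log('Excluded URI');
    return request;
  }

  // [01. Maintenance Mode]
  // Set start and end time as JST wall-clock values, calendar month 1-12.
  // (Ex) 2022/08/09 16:30:00 -> jstWallClock(2022, 8, 9, 16, 30, 0); [JST]
  var maintenanceStart = jstWallClock(2023, 1, 25, 22, 0, 0);
  var maintenanceEnd = jstWallClock(2023, 1, 26, 1, 0, 0);

  // Shift "now" by +9h so it is on the same JST wall-clock scale as the
  // window bounds, independent of the runtime's local time zone.
  var nowJst = Date.now() + 9 * 60 * 60 * 1000;

  if (maintenanceStart <= nowJst && nowJst <= maintenanceEnd) {
    console.log('Under the maintenance');
    console.log(`Maintenance URL: ${maintenanceURL}`);
    // [Check if it is included in the IP address list]
    if (IP_WHITE_LIST.includes(clientIP)) {
      console.log('IP address check passed in maintenance mode');
    } else {
      console.log('Redirect to maintenance site');
      return redirectTo(maintenanceURL);
    }
  } else {
    console.log('Not under maintenance');
  }

  // [02. Admin site access control]
  if (regexpDomain.test(host) && regexpUriAdmin.test(uri)) {
    if (IP_WHITE_LIST_ADMIN.includes(clientIP)) {
      console.log('IP address check to admin site passed');
    } else {
      console.log('Redirect to error page by admin site access control');
      console.log(`error page: ${errorURL}`);
      return redirectTo(errorURL);
    }
  }

  // [03. sub-domain access control]
  if (regexpDomain_sub.test(host)) {
    var refererAccepted =
      referer !== '' &&
      (regexpURL_referer.test(referer) || regexpReferer_sub.test(referer));
    if (refererAccepted) {
      console.log('referer check to sub-domain passed');
      console.log(`referer: ${referer}`);
    } else {
      console.log('Redirect to error page by sub-domain access control');
      console.log(`error page: ${errorURL}`);
      return redirectTo(errorURL);
    }
  }

  // [04. Basic Authentication]
  // The sub-domain is excluded here; it is gated by the referer check above.
  var isSubDomainHost = regexpDomain_sub.test(host);
  var expectedAuth = null;
  if (regexpSubDomain_dev.test(host) && !isSubDomainHost) {
    expectedAuth = authString_dev;
  } else if (regexpDomain.test(host) && !isSubDomainHost) {
    expectedAuth = authString;
  }
  if (expectedAuth !== null) {
    if (typeof headers.authorization === 'undefined' || headers.authorization.value !== expectedAuth) {
      return unauthorized();
    }
  }

  // [05. Path Completion]
  if (uri.endsWith('/')) {
    // The URI is missing a file name.
    request.uri += 'index.html';
  } else if (!uri.includes('.')) {
    // The URI is missing a file extension.
    request.uri += '/index.html';
  }
  return request;
}

/** Builds a 302 response that sends the viewer to `url`. */
function redirectTo(url) {
  return {
    statusCode: 302,
    statusDescription: 'Found',
    headers: { "location": { "value": url } }
  };
}

/** Builds the 401 response that asks the viewer for Basic credentials. */
function unauthorized() {
  return {
    statusCode: 401,
    statusDescription: "Unauthorized",
    headers: { "www-authenticate": { value: "Basic" } }
  };
}

/**
 * Converts a JST wall-clock time (calendar month 1-12) to a millisecond
 * value comparable with `Date.now() + 9h`. Uses Date.UTC so the result does
 * not depend on the runtime's time zone and a day such as the 31st does not
 * roll over into the next month while the month is being adjusted.
 */
function jstWallClock(year, month, day, hour, minute, second) {
  return Date.UTC(year, month - 1, day, hour, minute, second);
}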