package main

import (
	"errors"
	"fmt"
	"log"
	"net"
)

// ErrIsProbe is returned from Accept when the health prober connects (declaration assumed; not shown in the original snippet).
var ErrIsProbe = errors.New("connection is a TCP health probe")

func (a *aclListener) Accept() (net.Conn, error) {
	conn, err := a.ln.Accept()
	if err != nil {
		return nil, err
	}
	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
	if err != nil {
		conn.Close() // don't leak the descriptor on the error path
		return nil, fmt.Errorf("connection's remote address(%s) could not be split: %w", conn.RemoteAddr().String(), err)
	}
	// The probe connected, so close the connection and exit.
	if a.acls.isProbe(host) {
		log.Printf("TCP probe(%s) connection", host)
		conn.Close()
		return nil, ErrIsProbe
	}
	// Block anything that isn't in our ACL.
	if err := a.acls.ipAuth(host); err != nil {
		conn.Close() // the peer already completed the TCP handshake; close it before rejecting
		return nil, err
	}
	log.Println("accepting connection from: ", conn.RemoteAddr().String())
	return conn, nil
}
aclListener implements a net.Listener and I was going to allow the TCP probe from this
health service, but nothing more (like seeing the TLS header).
However, it turns out erroring on an Accept() will cause the http.Server to stop.
Of course, if this code did work, the difference between the prober and
non-ACL connections is the same, they both can get the TCP socket before being denied.
Does anyone know if I can achieve this in my code without getting super hacky? I can see
some ways to do that, but figured someone here might have done this in a simple way.
Cheers and thanks.
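One way to keep http.Serve running while still denying peers at the listener, as an added example that is not the poster's code: instead of returning an error from Accept for a denied peer, close that connection and loop to the next one, so Serve only ever sees real listener failures. The aclListener struct, its allow callback and newACLListener are assumed names for this illustration.

```go
package main

import (
	"log"
	"net"
	"net/http"
)

// aclListener (hypothetical, not the poster's type) wraps a net.Listener and hands only
// allowed connections to http.Serve; denied peers are closed inside Accept and skipped.
type aclListener struct {
	net.Listener
	allow func(host string) bool // true for hosts permitted past the TCP handshake
}

func (a *aclListener) Accept() (net.Conn, error) {
	for {
		conn, err := a.Listener.Accept()
		if err != nil {
			return nil, err // genuine listener failure: let Serve decide what to do
		}
		host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
		if err != nil || !a.allow(host) {
			// The peer completed the TCP handshake but gets nothing more (no TLS exchange).
			log.Printf("denied connection from %s", conn.RemoteAddr())
			conn.Close()
			continue
		}
		return conn, nil
	}
}

func newACLListener(addr string, allow func(host string) bool) (*aclListener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	return &aclListener{Listener: ln, allow: allow}, nil
}

func main() {
	// Constructed allowlist: loopback (health prober) plus one operator address.
	allowed := map[string]bool{"127.0.0.1": true, "10.0.0.5": true}
	ln, err := newACLListener("127.0.0.1:8080", func(host string) bool { return allowed[host] })
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})))
}
```

A denied client observes only a completed handshake followed by EOF, while http.Serve keeps accepting, which is the behaviour the post asks for without relying on Serve's temporary-error retry path.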