added allow_ping config option

config/README.md

@@ -16,6 +16,9 @@ log_debug: <bool> | default = false [optional]
 # Whether to ignore security warnings
 hack_me_please: <bool> | default = false [optional]
 
+# Allow ping server
+allow_ping: <bool> | default = false [optional]
+
 # Named list of cache configurations
 caches:
   - <cache_config> ...

config/config.go

@@ -78,6 +78,9 @@ type Config struct {
 
 	ConnectionPool ConnectionPool `yaml:"connection_pool,omitempty"`
 
+	// Allow to proxy ping requests
+	AllowPing bool `yaml:"allow_ping,omitempty"`
+
 	networkReg map[string]Networks
 
 	// Catches all undefined fields

config/examples/debug.yml

@@ -0,0 +1,52 @@
+log_debug: true
+hack_me_please: true
+allow_ping: true
+
+caches:
+  - name: "longterm"
+    mode: "file_system"
+    file_system:
+      dir: "/tmp/chproxy/longterm/cache"
+      max_size: 10Gb
+    expire: 1h
+    shared_with_all_users: true
+
+max_error_reason_size: 10GB
+
+server:
+  http:
+    listen_addr: ":80"
+    idle_timeout: 20m
+
+  https:
+    listen_addr: ":4433"
+    autocert:
+      cache_dir: "/tmp/chproxy/certs"
+  proxy:
+    enable: true
+    header: CF-Connecting-IP
+
+users:
+  - name: "*"
+    to_cluster: "dl"
+    to_user: "*"
+    is_wildcarded: true
+    max_concurrent_queries: 4
+    max_execution_time: 15m
+    deny_https: false
+    cache: "longterm"
+
+clusters:
+  - name: "dl"
+    scheme: "http"
+    nodes: ["localhost:28123"]
+    # heartbeat:
+    #   interval: 1m
+    #   timeout: 10s
+    #   request: "/?query=SELECT%201%2B1"
+    # q  response: "2\n"
+    kill_query_user:
+      name: "chproxy"
+      password: "chproxy"
+    users:
+      - name: "*"

main.go

@@ -35,6 +35,7 @@ var (
 	allowedNetworksHTTPS   atomic.Value
 	allowedNetworksMetrics atomic.Value
 	proxyHandler           atomic.Value
+	allowPing              atomic.Bool
 )
 
 func main() {
@@ -237,12 +238,41 @@ func serveHTTP(rw http.ResponseWriter, r *http.Request) {
 		}
 		proxy.refreshCacheMetrics()
 		promHandler.ServeHTTP(rw, r)
-	case "/", "/query", "/ping":
+	case "/", "/query":
 		var err error
 		// nolint:forcetypeassert // We will cover this by tests as we control what is stored.
 		proxyHandler := proxyHandler.Load().(*ProxyHandler)
 		r.RemoteAddr = proxyHandler.GetRemoteAddr(r)
 
+		var an *config.Networks
+		if r.TLS != nil {
+			// nolint:forcetypeassert // We will cover this by tests as we control what is stored.
+			an = allowedNetworksHTTPS.Load().(*config.Networks)
+			err = fmt.Errorf("https connections are not allowed from %s", r.RemoteAddr)
+		} else {
+			// nolint:forcetypeassert // We will cover this by tests as we control what is stored.
+			an = allowedNetworksHTTP.Load().(*config.Networks)
+			err = fmt.Errorf("http connections are not allowed from %s", r.RemoteAddr)
+		}
+		if !an.Contains(r.RemoteAddr) {
+			rw.Header().Set("Connection", "close")
+			respondWith(rw, err, http.StatusForbidden)
+			return
+		}
+		proxy.ServeHTTP(rw, r)
+	case "/ping":
+		var err error
+
+		if !allowPing.Load() {
+			err = fmt.Errorf("ping is not allowed")
+			respondWith(rw, err, http.StatusForbidden)
+			return
+		}
+
+		// nolint:forcetypeassert // We will cover this by tests as we control what is stored.
+		proxyHandler := proxyHandler.Load().(*ProxyHandler)
+		r.RemoteAddr = proxyHandler.GetRemoteAddr(r)
+
 		var an *config.Networks
 		if r.TLS != nil {
 			// nolint:forcetypeassert // We will cover this by tests as we control what is stored.
@@ -296,6 +326,7 @@ func applyConfig(cfg *config.Config) error {
 	allowedNetworksHTTPS.Store(&cfg.Server.HTTPS.AllowedNetworks)
 	allowedNetworksMetrics.Store(&cfg.Server.Metrics.AllowedNetworks)
 	proxyHandler.Store(NewProxyHandler(&cfg.Server.Proxy))
+	allowPing.Store(cfg.AllowPing)
 	log.SetDebug(cfg.LogDebug)
 	log.Infof("Loaded config:\n%s", cfg)