diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -71,6 +71,7 @@
 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
 'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
 'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
+ 'allowedHosts' => \App\Http\Middleware\AllowedHosts::class,
 ];
 /**
diff --git a/src/app/Http/Middleware/AllowedHosts.php b/src/app/Http/Middleware/AllowedHosts.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/AllowedHosts.php
@@ -0,0 +1,26 @@
+getHost(), $allowedDomains)) {
+ return abort(404);
+ }
+ return $next($request);
+ }
+}
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -85,10 +85,17 @@
 'website_domain' => env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld')),
- 'services_domain' => env(
- 'APP_SERVICES_DOMAIN',
- "services." . env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld'))
- ),
+ // Restrict over which domains the services paths can be accessed.
+ 'services_allowed_domains' => explode(',', env(
+ 'APP_SERVICES_ALLOWED_DOMAINS',
+ "webapp,kolab," . env(
+ 'APP_SERVICES_DOMAIN',
+ "services." . env(
+ 'APP_WEBSITE_DOMAIN',
+ env('APP_DOMAIN', 'domain.tld')
+ )
+ )
+ )),
 /*
 |--------------------------------------------------------------------------
diff --git a/src/routes/api.php b/src/routes/api.php
--- a/src/routes/api.php
+++ b/src/routes/api.php
@@ -207,7 +207,7 @@
 if (\config('app.with_services')) {
 Route::group(
 [
- 'domain' => \config('app.services_domain'),
+ 'middleware' => ['allowedHosts'],
 'prefix' => 'webhooks'
 ],
 function () {
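Review bot: The host check in the new AllowedHosts middleware uses `in_array($request->getHost(), $allowedDomains)` without the strict flag; it should read `if (!in_array($request->getHost(), $allowedDomains, true)) {` so the comparison is a plain string identity rather than PHP's loose comparison. The value being compared is the request's Host header (or the forwarded host when trusted proxies are configured), so an allowlist entry such as `webapp` or `kolab` only restricts access to the extent that the reverse proxy in front of the app rewrites the incoming Host; a comment above the check, `// Host is client-supplied unless the edge proxy overwrites it; this is a routing guard, not authentication.`, would stop readers treating the 404 as an access control. Only the tail of the handle method survived in this view (the hunk declares 26 lines, most of which are missing), so the class header and the config lookup that fills `$allowedDomains` could not be reviewed.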
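Review bot: `explode(',', env('APP_SERVICES_ALLOWED_DOMAINS', ...))` in config/app.php keeps whatever whitespace or empty segments the operator puts into the variable (`webapp, kolab`, a trailing comma), and the middleware compares those raw strings against the request host, so a stray space silently makes that host unreachable and an empty segment would match an empty host value if one can ever reach the check. Normalise when the config is loaded, e.g. `'services_allowed_domains' => array_values(array_filter(array_map('trim', explode(',', env(...))))),`, and lower-case the entries if the host comparison is case-sensitive. The default still reads `APP_SERVICES_DOMAIN` from the environment while the `services_domain` config key is deleted, so any remaining `config('app.services_domain')` reader elsewhere now gets null; the diff does not show whether such readers exist.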
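Review bot: Replacing `'domain' => \config('app.services_domain')` with `'middleware' => ['allowedHosts']` changes when the restriction applies: the domain constraint kept these routes from matching on other hosts at all, whereas route middleware runs only after the router has already selected the route, so the `webhooks` prefix is now registered for every host and a request on the public website domain receives the middleware's 404 instead of falling through to whatever else is defined at that path. If another group under a different host declares the same `webhooks` prefix, the two definitions would now collide; that is not visible in this hunk. URLs generated for these routes presumably also stop carrying the services host, which is worth a sentence in the commit message for anyone publishing webhook endpoints.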