From 02be81e69669fb6f2d69e852f58d6311635657c8 Mon Sep 17 00:00:00 2001
From: Mygod
Date: Thu, 18 Jul 2024 16:08:34 -0400
Subject: [PATCH] Improve performance for ACL (#113)

This also in some sense mitigates DoS attacks by flooding servers with a lot of denied hostnames, which could lead to overloading the DNS services.

Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
---
 forwardproxy.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/forwardproxy.go b/forwardproxy.go
index b3d73e5..39ffe0a 100644
--- a/forwardproxy.go
+++ b/forwardproxy.go
@@ -486,6 +486,18 @@ func (h Handler) dialContextCheckACL(ctx context.Context, network, hostPort stri
 fmt.Errorf("port %s is not allowed", port))
 }
 
+match:
+ for _, rule := range h.aclRules {
+ if _, ok := rule.(*aclDomainRule); ok {
+ switch rule.tryMatch(nil, host) {
+ case aclDecisionDeny:
+ return nil, caddyhttp.Error(http.StatusForbidden, fmt.Errorf("disallowed host %s", host))
+ case aclDecisionAllow:
+ break match
+ }
+ }
+ }
+
 // in case IP was provided, net.LookupIP will simply return it
 IPs, err := net.LookupIP(host)
 if err != nil {
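Review bot: The new pre-pass over h.aclRules can change ACL precedence when domain and IP rules are mixed, because it consults only entries that type-assert to *aclDomainRule before the resolved addresses are ever checked; a domain deny listed after an IP allow would now win at the `case aclDecisionDeny` return, whereas presumably the post-lookup pass (outside the hunk) evaluates rules in list order. If that ordering change is intended, it deserves a comment on the `match:` label, e.g. `// Consult domain rules before resolving host so names denied by rule never reach net.LookupIP; this takes precedence over later IP rules.`, and if it is not, the pre-pass should stop at the first domain rule of either decision rather than scanning past IP rules. The `break match` on aclDecisionAllow only ends the pre-pass and still falls through to net.LookupIP and the remaining checks, which is presumably deliberate but is worth stating in the same comment. The enclosing dialContextCheckACL starts and ends outside the hunk.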