From 43c3ee2a7e5bf2d204c084126e79a1b26fa0eea2 Mon Sep 17 00:00:00 2001
From: Mygod
Date: Wed, 17 Jan 2024 16:28:00 -0500
Subject: [PATCH] Improve performance for ACL

This also in some sense mitigates DoS attacks by flooding servers with a lot of denied hostnames, which could lead to overloading the DNS services.
---
 forwardproxy.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/forwardproxy.go b/forwardproxy.go
index 218f2050..bf90cc66 100644
--- a/forwardproxy.go
+++ b/forwardproxy.go
@@ -487,6 +487,18 @@ func (h Handler) dialContextCheckACL(ctx context.Context, network, hostPort stri
 			fmt.Errorf("port %s is not allowed", port))
 	}
 
+match:
+	for _, rule := range h.aclRules {
+		if _, ok := rule.(*aclDomainRule); ok {
+			switch rule.tryMatch(nil, host) {
+			case aclDecisionDeny:
+				return nil, caddyhttp.Error(http.StatusForbidden, fmt.Errorf("disallowed host %s", host))
+			case aclDecisionAllow:
+				break match
+			}
+		}
+	}
+
 	// in case IP was provided, net.LookupIP will simply return it
 	IPs, err := net.LookupIP(host)
 	if err != nil {
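Review bot: The pre-scan under `+match:` evaluates domain rules in isolation, skipping every non-domain rule in between, so a rule list like `allow 1.2.3.4` followed by `deny example.com` now returns 403 for a host resolving to 1.2.3.4 before any lookup, whereas the full per-IP evaluation below the hunk (outside this view, so its first-match ordering is inferred from the `break match` on allow) presumably let the earlier IP allow win. Preserving first-match semantics while keeping the fast path for a leading domain deny list only needs the scan to stop at the first rule it cannot decide: invert the check to `if _, ok := rule.(*aclDomainRule); !ok {` followed by `break match // an earlier non-domain rule may match first; fall through to the resolved-IP check` and then run the `switch rule.tryMatch(nil, host)` unconditionally. The reason for scanning the rules twice lives only in the commit message; a comment above the label such as `// Fast path: apply hostname rules before resolving, so a denied host never triggers a DNS query` would keep it with the code. dialContextCheckACL begins before and continues after this hunk.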