Use hostmatcher to replace matchlist, improve security (#17605)

Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.

modules/setting/migrations.go

@@ -4,17 +4,13 @@
 
 package setting
 
-import (
-	"strings"
-)
-
 var (
 	// Migrations settings
 	Migrations = struct {
 		MaxAttempts        int
 		RetryBackoff       int
-		AllowedDomains     []string
-		BlockedDomains     []string
+		AllowedDomains     string
+		BlockedDomains     string
 		AllowLocalNetworks bool
 		SkipTLSVerify      bool
 	}{
@@ -28,15 +24,8 @@ func newMigrationsService() {
 	Migrations.MaxAttempts = sec.Key("MAX_ATTEMPTS").MustInt(Migrations.MaxAttempts)
 	Migrations.RetryBackoff = sec.Key("RETRY_BACKOFF").MustInt(Migrations.RetryBackoff)
 
-	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").Strings(",")
-	for i := range Migrations.AllowedDomains {
-		Migrations.AllowedDomains[i] = strings.ToLower(Migrations.AllowedDomains[i])
-	}
-	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").Strings(",")
-	for i := range Migrations.BlockedDomains {
-		Migrations.BlockedDomains[i] = strings.ToLower(Migrations.BlockedDomains[i])
-	}
-
+	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").MustString("")
+	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").MustString("")
 	Migrations.AllowLocalNetworks = sec.Key("ALLOW_LOCALNETWORKS").MustBool(false)
 	Migrations.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool(false)
 }