{ "setUDPMultipleMessagesVectorSize", true, "n", "set the size of the vector passed to recvmmsg() to receive UDP messages. Default to 1 which means that the feature is disabled and recvmsg() is used instead" },
{ "setUDPTimeout", true, "n", "set the maximum time dnsdist will wait for a response from a backend over UDP, in seconds" },
{ "setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged" },
- { "setWebserverConfig", true, "[{password=string, apiKey=string, customHeaders}]", "Updates webserver configuration" },
+ { "setWebserverConfig", true, "[{password=string, apiKey=string, customHeaders, statsRequireAuthentication}]", "Updates webserver configuration" },
{ "setWeightedBalancingFactor", true, "factor", "Set the balancing factor for bounded-load weighted policies (whashed, wrandom)" },
{ "setWHashedPertubation", true, "value", "Set the hash perturbation value to be used in the whashed policy instead of a random one, allowing to have consistent whashed results on different instance" },
{ "show", true, "string", "outputs `string`" },
{ "TrailingDataRule", true, "", "Matches if the query has trailing data" },
{ "truncateTC", true, "bool", "if set (defaults to no starting with dnsdist 1.2.0) truncate TC=1 answers so they are actually empty. Fixes an issue for PowerDNS Authoritative Server 2.9.22. Note: turning this on breaks compatibility with RFC 6891." },
{ "unregisterDynBPFFilter", true, "DynBPFFilter", "unregister this dynamic BPF filter" },
- { "webserver", true, "address:port, password [, apiKey [, customHeaders ]])", "launch a webserver with stats on that address with that password" },
+ { "webserver", true, "address:port", "launch a webserver with stats on that address" },
{ "whashed", false, "", "Weighted hashed ('sticky') distribution over available servers, based on the server 'weight' parameter" },
{ "chashed", false, "", "Consistent hashed ('sticky') distribution over available servers, also based on the server 'weight' parameter" },
{ "wrandom", false, "", "Weighted random over available servers, based on the server 'weight' parameter" },
g_carbon.setState(ours);
});
- luaCtx.writeFunction("webserver", [client,configCheck](const std::string& address, const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders, const boost::optional<std::string> acl) {
+ luaCtx.writeFunction("webserver", [client,configCheck](const std::string& address, const boost::optional<std::string> password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders, const boost::optional<std::string> acl) {
setLuaSideEffect();
ComboAddress local;
try {
return;
}
+ if (password || apiKey || customHeaders || acl) {
+ warnlog("Passing additional parameters to 'webserver()' is deprecated, please use 'setWebserverConfig()' instead.");
+ }
+
try {
int sock = SSocket(local.sin4.sin_family, SOCK_STREAM, 0);
SSetsockopt(sock, SOL_SOCKET, SO_REUSEADDR, 1);
SBind(sock, local);
SListen(sock, 5);
auto launch=[sock, local, password, apiKey, customHeaders, acl]() {
- setWebserverPassword(password);
- setWebserverAPIKey(apiKey);
- setWebserverCustomHeaders(customHeaders);
+ if (password) {
+ setWebserverPassword(*password);
+ }
+
+ if (apiKey) {
+ setWebserverAPIKey(apiKey);
+ }
+
+ if (customHeaders) {
+ setWebserverCustomHeaders(customHeaders);
+ }
+
if (acl) {
setWebserverACL(*acl);
}
launch();
}
}
- catch(std::exception& e) {
+ catch (const std::exception& e) {
g_outputBuffer="Unable to bind to webserver socket on " + local.toStringWithPort() + ": " + e.what();
errlog("Unable to bind to webserver socket on %s: %s", local.toStringWithPort(), e.what());
}
});
- typedef std::unordered_map<std::string, boost::variant<std::string, std::map<std::string, std::string>> > webserveropts_t;
+ typedef std::unordered_map<std::string, boost::variant<bool, std::string, std::map<std::string, std::string>> > webserveropts_t;
luaCtx.writeFunction("setWebserverConfig", [](boost::optional<webserveropts_t> vars) {
setLuaSideEffect();
if (!vars) {
return ;
}
- if(vars->count("password")) {
+
+ if (vars->count("password")) {
const std::string password = boost::get<std::string>(vars->at("password"));
setWebserverPassword(password);
}
- if(vars->count("apiKey")) {
+
+ if (vars->count("apiKey")) {
const std::string apiKey = boost::get<std::string>(vars->at("apiKey"));
setWebserverAPIKey(apiKey);
}
+
if (vars->count("acl")) {
const std::string acl = boost::get<std::string>(vars->at("acl"));
setWebserverACL(acl);
}
- if(vars->count("customHeaders")) {
+
+ if (vars->count("customHeaders")) {
const boost::optional<std::map<std::string, std::string> > headers = boost::get<std::map<std::string, std::string> >(vars->at("customHeaders"));
setWebserverCustomHeaders(headers);
}
+
+ if (vars->count("statsRequireAuthentication")) {
+ setWebserverStatsRequireAuthentication(boost::get<bool>(vars->at("statsRequireAuthentication")));
+ }
});
luaCtx.writeFunction("controlSocket", [client,configCheck](const std::string& str) {
#include "threadname.hh"
#include "sstuff.hh"
+struct WebserverConfig
+{
+ WebserverConfig()
+ {
+ acl.toMasks("127.0.0.1, ::1");
+ }
+
+ std::mutex lock;
+ NetmaskGroup acl;
+ std::string password;
+ std::string apiKey;
+ boost::optional<std::map<std::string, std::string> > customHeaders;
+ bool statsRequireAuthentication{true};
+};
+
bool g_apiReadWrite{false};
WebserverConfig g_webserverConfig;
std::string g_apiConfigDirectory;
return req.url.path == "/jsonstat" || req.url.path == "/metrics";
}
-static bool compareAuthorization(const YaHTTP::Request& req)
+static bool handleAuthorization(const YaHTTP::Request& req)
{
+ cerr<<"handling auth for "<<req.url.path<<endl;
std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+ if (isAStatsRequest(req)) {
+ if (g_webserverConfig.statsRequireAuthentication) {
+ /* Access to the stats is allowed for both API and Web users */
+ return checkAPIKey(req, g_webserverConfig.apiKey) || checkWebPassword(req, g_webserverConfig.password);
+ }
+ return true;
+ }
+
if (isAnAPIRequest(req)) {
/* Access to the API requires a valid API key */
if (checkAPIKey(req, g_webserverConfig.apiKey)) {
return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, g_webserverConfig.password);
}
- if (isAStatsRequest(req)) {
- /* Access to the stats is allowed for both API and Web users */
- return checkAPIKey(req, g_webserverConfig.apiKey) || checkWebPassword(req, g_webserverConfig.password);
- }
-
return checkWebPassword(req, g_webserverConfig.password);
}
handleCORS(req, resp);
resp.status = 200;
}
- else if (!compareAuthorization(req)) {
+ else if (!handleAuthorization(req)) {
YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
if (header != req.headers.end()) {
errlog("HTTP Request \"%s\" from %s: Web Authentication failed", req.url.path, remote.toStringWithPort());
g_webserverConfig.customHeaders = customHeaders;
}
+void setWebserverStatsRequireAuthentication(bool require)
+{
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
+ g_webserverConfig.statsRequireAuthentication = require;
+}
+
void dnsdistWebserverThread(int sock, const ComboAddress& local)
{
setThreadName("dnsdist/webserv");
warnlog("Webserver launched on %s", local.toStringWithPort());
+ {
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+ if (g_webserverConfig.password.empty()) {
+ warnlog("Webserver launched on %s without a password set!", local.toStringWithPort());
+ }
+ }
+
for(;;) {
try {
ComboAddress remote(local);
#pragma once
-struct WebserverConfig
-{
- WebserverConfig()
- {
- acl.toMasks("127.0.0.1, ::1");
- }
-
- NetmaskGroup acl;
- std::string password;
- std::string apiKey;
- boost::optional<std::map<std::string, std::string> > customHeaders;
- std::mutex lock;
-};
-
void setWebserverAPIKey(const boost::optional<std::string> apiKey);
void setWebserverPassword(const std::string& password);
void setWebserverACL(const std::string& acl);
void setWebserverCustomHeaders(const boost::optional<std::map<std::string, std::string> > customHeaders);
+void setWebserverStatsRequireAuthentication(bool);
void dnsdistWebserverThread(int sock, const ComboAddress& local);
Webserver configuration
~~~~~~~~~~~~~~~~~~~~~~~
-.. function:: webserver(listen_address, password[, apikey[, custom_headers[, acl]]])
+.. function:: webserver(listen_address [, password[, apikey[, custom_headers[, acl]]]])
.. versionchanged:: 1.5.0
``acl`` optional parameter added.
- Launch the :doc:`../guides/webserver` with statistics and the API.
+ .. versionchanged:: 1.6.0
+ The ``password`` parameter is now optional.
+ The use of optional parameters is now deprecated. Please use :func:`setWebserverConfig` instead.
+
+ Launch the :doc:`../guides/webserver` with statistics and the API. Note that the parameters are global, so the parameter from the last ``webserver`` will override any existing ones. For this reason
+ the use of :func:`setWebserverConfig` is advised instead of specifying optional parameters here.
:param str listen_address: The IP address and Port to listen on
:param str password: The password required to access the webserver
.. versionchanged:: 1.5.0
``acl`` optional parameter added.
+ .. versionchanged:: 1.6.0
+ ``statsRequireAuthentication`` optional parameter added.
+
Setup webserver configuration. See :func:`webserver`.
:param table options: A table with key: value pairs with webserver options.
* ``apiKey=newKey``: string - Changes the API Key (set to an empty string do disable it)
* ``custom_headers={[str]=str,...}``: map of string - Allows setting custom headers and removing the defaults.
* ``acl=newACL``: string - List of IP addresses, as a string, that are allowed to open a connection to the web server. Defaults to "127.0.0.1, ::1".
+ * ``statsRequireAuthentication``: bool - Whether access to the statistics (/metrics and /jsonstat endpoints) require a valid password or API key. Defaults to true.
.. function:: registerWebHandler(path, handler)
_config_template = """
setACL({"127.0.0.1/32", "::1/128"})
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
def testBasicAuth(self):
setACL({"127.0.0.1/32", "::1/128"})
newServer{address="127.0.0.1:%s"}
getServer(0):setDown()
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
def testServerDownNoLatencyLocalhost(self):
_config_template = """
setACL({"127.0.0.1/32", "::1/128"})
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
setAPIWritable(true, "%s")
"""
controlSocket("127.0.0.1:%s")
setACL({"127.0.0.1/32", "::1/128"})
newServer({address="127.0.0.1:%s"})
- webserver("127.0.0.1:%s", "%s", "%s", {["X-Frame-Options"]="", ["X-Custom"]="custom"})
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s", customHeaders={["X-Frame-Options"]="", ["X-Custom"]="custom"} })
"""
def testBasicHeaders(self):
self.assertEquals(r.headers.get('x-powered-by'), "dnsdist")
self.assertTrue("x-frame-options" in r.headers)
+class TestStatsWithoutAuthentication(DNSDistTest):
+
+ _webTimeout = 2.0
+ _webServerPort = 8083
+ _webServerBasicAuthPassword = 'secret'
+ _webServerAPIKey = 'apisecret'
+ # paths accessible using the API key only
+ _apiOnlyPath = '/api/v1/servers/localhost/config'
+ # paths accessible using basic auth only (list not exhaustive)
+ _basicOnlyPath = '/'
+ _noAuthenticationPaths = [ '/metrics', '/jsonstat?command=dynblocklist' ]
+ _consoleKey = DNSDistTest.generateConsoleKey()
+ _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
+ _config_template = """
+ setKey("%s")
+ controlSocket("127.0.0.1:%s")
+ setACL({"127.0.0.1/32", "::1/128"})
+ newServer({address="127.0.0.1:%s"})
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s", statsRequireAuthentication=false })
+ """
+
+ def testAuth(self):
+ """
+ API: Stats do not require authentication
+ """
+
+ for path in self._noAuthenticationPaths:
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + path
+
+ r = requests.get(url, timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+
+ # these should still require basic authentication
+ for path in [self._basicOnlyPath]:
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + path
+
+ r = requests.get(url, timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
+
+ r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+
+ # these should still require API authentication
+ for path in [self._apiOnlyPath]:
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + path
+
+ r = requests.get(url, timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
+
+ headers = {'x-api-key': self._webServerAPIKey}
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
class TestAPIAuth(DNSDistTest):
controlSocket("127.0.0.1:%s")
setACL({"127.0.0.1/32", "::1/128"})
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
def testBasicAuthChange(self):
controlSocket("127.0.0.1:%s")
setACL({"127.0.0.1/32", "::1/128"})
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s", {}, "192.0.2.1")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s", acl="192.0.2.1"})
"""
def testACLChange(self):
_dynBlockQPS = 10
_dynBlockPeriod = 2
_dynBlockDuration = 5
- _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
function maintenance()
addDynBlocks(exceedQRate(%d, %d), "Exceeded query rate", %d)
end
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
def testDynBlocksQRate(self):
"""
_dynBlockQPS = 10
_dynBlockPeriod = 2
_dynBlockDuration = 5
- _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(%d, %d, "Exceeded query rate", %d)
dbr:apply()
end
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
def testDynBlocksQRate(self):
"""
_dynBlockQPS = 10
_dynBlockPeriod = 2
_dynBlockDuration = 5
- _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(%d, %d, "Exceeded query rate", %d, DNSAction.NoOp)
end
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
def testNoOp(self):
"""
_dynBlockQPS = 20
_dynBlockPeriod = 2
_dynBlockDuration = 5
- _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_dynBlockWarningQPS', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(%d, %d, "Exceeded query rate", %d, DNSAction.Drop, %d)
end
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_dynBlockWarningQPS', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
def testWarning(self):
"""
_config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
newServer{address="127.0.0.1:%s"}
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
def checkPrometheusContentBasic(self, content):
_config_params = ['_testServerPort', '_testServerRetries', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
_config_template = """
newServer{address="127.0.0.1:%s", useClientSubnet=true, tcpFastOpen=true, retries=%d }
- webserver("127.0.0.1:%s", "%s", "%s")
+ webserver("127.0.0.1:%s")
+ setWebserverConfig({password="%s", apiKey="%s"})
"""
@classmethod
projects / thirdparty / pdns.git / commitdiff
