From: Christian Hofstaedtler Date: Mon, 5 Sep 2016 13:55:23 +0000 (+0200) Subject: Authoritative: do not rely on webserver=yes if api=yes X-Git-Tag: dnsdist-1.1.0-beta2~143^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=536ab56f5d6e3f657c787c2e6be1a55c7a422241;p=thirdparty%2Fpdns.git Authoritative: do not rely on webserver=yes if api=yes --- diff --git a/docs/markdown/authoritative/settings.md b/docs/markdown/authoritative/settings.md index d3716a0cb7..5b0ef888df 100644 --- a/docs/markdown/authoritative/settings.md +++ b/docs/markdown/authoritative/settings.md @@ -80,8 +80,7 @@ remote server to TCP. Useful for mitigating reflection attacks. * Default: no * Available since: 4.0 -Enable/disable the [REST API](../httpapi/README.md). Must also enable `webserver` -to use the API. +Enable/disable the [REST API](../httpapi/README.md). ## `api-key` * String @@ -806,20 +805,23 @@ this response to a custom value as well. * Boolean * Default: no -Start a webserver for monitoring (and REST API if enabled). See +Start a webserver for monitoring. See ["Performance Monitoring"](../common/logging.md#performance-monitoring). +Before 4.1.0, it was necessary to enable the webserver to use the REST API, +this is no longer the case. ## `webserver-address` * IP Address * Default: 127.0.0.1 -IP Address of webserver to listen on. See +IP Address for webserver/API to listen on. See ["Performance Monitoring"](../common/logging.md#performance-monitoring). ## `webserver-allow-from` * IP ranges, separated by commas or whitespace +* Default: 0.0.0.0/0,::/0 -Webserver access is only allowed from these subnets +Webserver/API access is only allowed from these subnets. ## `webserver-password` * String 
@@ -831,7 +833,7 @@ The plaintext password required for accessing the webserver. See * Integer * Default: 8001 -The port where webserver to listen on. See ["Performance Monitoring"](../common/logging.md#performance-monitoring). +The port where webserver/API will listen on. See ["Performance Monitoring"](../common/logging.md#performance-monitoring). ## `webserver-print-arguments` * Boolean diff --git a/docs/markdown/httpapi/README.md b/docs/markdown/httpapi/README.md index 921fbb3c6c..9a40eebe7b 100644 --- a/docs/markdown/httpapi/README.md +++ b/docs/markdown/httpapi/README.md @@ -17,7 +17,6 @@ Then configure as follows: api=yes api-key=changeme - webserver=yes After restarting `pdns_server`, the following examples should start working: diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index a9eabf271f..6c0751ae9b 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -77,7 +77,7 @@ void declareArguments() ::arg().set("max-queue-length","Maximum queuelength before considering situation lost")="5000"; ::arg().set("retrieval-threads", "Number of AXFR-retrieval threads for slave operation")="2"; - ::arg().setSwitch("api", "Enable/disable the REST API")="no"; + ::arg().setSwitch("api", "Enable/disable the REST API (including HTTP listener)")="no"; ::arg().set("api-key", "Static pre-shared authentication key for access to the REST API")=""; ::arg().set("api-logfile", "Location of the server logfile (used by the REST API)")="/var/log/pdns.log"; ::arg().setSwitch("api-readonly", "Disallow data modification through the REST API when set")="no"; 
@@ -125,14 +125,15 @@ void declareArguments() ::arg().setSwitch("disable-axfr-rectify","Disable the rectify step during an outgoing AXFR. Only required for regression testing.")="no"; ::arg().setSwitch("guardian","Run within a guardian process")="no"; ::arg().setSwitch("prevent-self-notification","Don't send notifications to what we think is ourself")="yes"; - ::arg().setSwitch("webserver","Start a webserver for monitoring")="no"; - ::arg().setSwitch("webserver-print-arguments","If the webserver should print arguments")="no"; - ::arg().setSwitch("edns-subnet-processing","If we should act on EDNS Subnet options")="no"; - ::arg().setSwitch("any-to-tcp","Answer ANY queries with tc=1, shunting to TCP")="yes"; - ::arg().set("webserver-address","IP Address of webserver to listen on")="127.0.0.1"; - ::arg().set("webserver-port","Port of webserver to listen on")="8081"; + ::arg().setSwitch("any-to-tcp","Answer ANY queries with tc=1, shunting to TCP")="yes"; + ::arg().setSwitch("edns-subnet-processing","If we should act on EDNS Subnet options")="no"; + + ::arg().setSwitch("webserver","Start a webserver for monitoring (api=yes also enables the HTTP listener)")="no"; + ::arg().setSwitch("webserver-print-arguments","If the webserver should print arguments")="no"; + ::arg().set("webserver-address","IP Address of webserver/API to listen on")="127.0.0.1"; + ::arg().set("webserver-port","Port of webserver/API to listen on")="8081"; ::arg().set("webserver-password","Password required for accessing the webserver")=""; - ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="0.0.0.0/0,::/0"; + ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="0.0.0.0/0,::/0"; ::arg().setSwitch("out-of-zone-additional-processing","Do out of zone additional processing")="yes"; ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes"; 
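Review bot: The `webserver-port` default on the new line is `8081`, while the settings.md hunk in this same commit keeps `* Default: 8001` above the reworded port description (the section heading is outside that hunk, so confirm it is `webserver-port`). Since the port now also carries the API, firewall rules or monitoring written from the docs would target the wrong port, so one of the two values should be corrected. Separately, `webserver-password` keeps the help text "Password required for accessing the webserver" while its neighbours were reworded to "webserver/API". If the API is authenticated by `api-key` only, as the updated regression test suggests, say so in the help text, e.g. `"Password required for accessing the webserver (the REST API uses api-key)"`. declareArguments() starts and ends outside the hunk.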
@@ -526,7 +527,7 @@ void mainthread() pthread_t qtid; - if(::arg().mustDo("webserver")) + if(::arg().mustDo("webserver") || ::arg().mustDo("api")) webserver.go(); if(::arg().mustDo("slave") || ::arg().mustDo("master")) diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc index 5934a3b6b8..614e88daf7 100644 --- a/pdns/ws-auth.cc +++ b/pdns/ws-auth.cc @@ -60,7 +60,7 @@ AuthWebServer::AuthWebServer() d_min10=d_min5=d_min1=0; d_ws = 0; d_tid = 0; - if(arg().mustDo("webserver")) { + if(arg().mustDo("webserver") || arg().mustDo("api")) { d_ws = new WebServer(arg()["webserver-address"], arg().asNum("webserver-port")); d_ws->bind(); } @@ -68,12 +68,9 @@ AuthWebServer::AuthWebServer() void AuthWebServer::go() { - if(arg().mustDo("webserver")) - { - S.doRings(); - pthread_create(&d_tid, 0, webThreadHelper, this); - pthread_create(&d_tid, 0, statThreadHelper, this); - } + S.doRings(); + pthread_create(&d_tid, 0, webThreadHelper, this); + pthread_create(&d_tid, 0, statThreadHelper, this); } void AuthWebServer::statThread() @@ -1256,8 +1253,10 @@ void AuthWebServer::webThread() d_ws->registerApiHandler("/api/v1/servers", &apiServer); d_ws->registerApiHandler("/api", &apiDiscovery); } - d_ws->registerWebHandler("/style.css", boost::bind(&AuthWebServer::cssfunction, this, _1, _2)); - d_ws->registerWebHandler("/", boost::bind(&AuthWebServer::indexfunction, this, _1, _2)); + if (::arg().mustDo("webserver")) { + d_ws->registerWebHandler("/style.css", boost::bind(&AuthWebServer::cssfunction, this, _1, _2)); + d_ws->registerWebHandler("/", boost::bind(&AuthWebServer::indexfunction, this, _1, _2)); + } d_ws->go(); } catch(...) { diff --git a/regression-tests.api/runtests.py b/regression-tests.api/runtests.py index 18189424c8..6eb0ee15a3 100755 --- a/regression-tests.api/runtests.py +++ b/regression-tests.api/runtests.py 
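Review bot: With the new condition on `webserver.go()`, `api=yes` alone opens the HTTP listener, so the `webserver-*` settings become the API's exposure controls even when the operator never set `webserver=yes`. The defaults visible in declareArguments() bind to `127.0.0.1` but leave `webserver-allow-from` at `0.0.0.0/0,::/0` and `api-key` empty, so a config that only changes `webserver-address` has no subnet restriction. How an empty `api-key` is handled is not visible in this diff and is worth confirming. A comment on this line would record the coupling, e.g. `// api=yes alone starts the listener; reachability is governed by webserver-address, webserver-port and webserver-allow-from`. mainthread() continues outside the hunk.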
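Review bot: In ws-auth.cc, `AuthWebServer::go()` now starts both threads unconditionally, but `d_ws` is only allocated in the constructor when `webserver` or `api` is set, and webThread() dereferences it (`d_ws->registerApiHandler(...)`, `d_ws->go()`). The only caller visible here, in mainthread(), repeats the same `mustDo("webserver") || mustDo("api")` test, so the invariant holds only because two files duplicate the condition. A local guard at the top of go() removes that dependency: `if(!d_ws) return;`. The return values of both `pthread_create` calls are also ignored and the second call overwrites `d_tid`, so a failed thread start goes unnoticed.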
@@ -100,7 +100,7 @@ if daemon == 'authoritative': named_conf.write(AUTH_CONF_TPL) subprocess.check_call(["../pdns/pdnsutil", "--config-dir=.", "secure-zone", "powerdnssec.org"]) - pdnscmd = ("../pdns/pdns_server --daemon=no --local-address=127.0.0.1 --local-port=5300 --socket-dir=./ --no-shuffle --dnsupdate=yes --cache-ttl=0 --config-dir=. --api=yes --webserver=yes --webserver-port="+WEBPORT+" --webserver-address=127.0.0.1 --webserver-password=something --api-key="+APIKEY).split() + pdnscmd = ("../pdns/pdns_server --daemon=no --local-address=127.0.0.1 --local-port=5300 --socket-dir=./ --no-shuffle --dnsupdate=yes --cache-ttl=0 --config-dir=. --api=yes --webserver-port="+WEBPORT+" --webserver-address=127.0.0.1 --api-key="+APIKEY).split() else: conf_dir = 'rec-conf.d'
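Review bot: The new `pdnscmd` line drops `--webserver=yes` and `--webserver-password`, so the suite now runs only in API-only mode and nothing visible here checks the behaviour the ws-auth.cc change introduces. In particular there is no assertion that `/` and `/style.css` are not served when only `--api=yes` is given, and the combined `--api=yes --webserver=yes` configuration no longer appears to be exercised. A test that requests `/` without `webserver=yes` and expects a not-found response would pin the reduced surface, and a second daemon configuration would keep the combined mode covered. The enclosing `if daemon == 'authoritative':` block starts outside the hunk.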