From: Kees Monshouwer
Date: Fri, 25 Jul 2014 11:06:28 +0000 (+0200)
Subject: implement acl for webserver
X-Git-Tag: auth-3.4.0-rc1~15^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1629%2Fhead;p=thirdparty%2Fpdns.git

implement acl for webserver
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index cff84a2fb5..fdeb14060c 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -117,6 +117,7 @@ void declareArguments()
 ::arg().set("webserver-address","IP Address of webserver to listen on")="127.0.0.1";
 ::arg().set("webserver-port","Port of webserver to listen on")="8081";
 ::arg().set("webserver-password","Password required for accessing the webserver")="";
+ ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="0.0.0.0/0,::/0";
 ::arg().setSwitch("out-of-zone-additional-processing","Do out of zone additional processing")="yes";
 ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes";
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 5541c442ba..f74138c4ee 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -12878,6 +12878,14 @@ UPDATE records SET auth=1 WHERE auth IS NULL;
+ + webserver-allow-from + + + Webserver access is only allowed from these subnets + + + Removed options
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index fc767ac65c..bb62365aba 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -499,6 +499,11 @@
 #
 # webserver-address=127.0.0.1
+#################################
+# webserver-allow-from Webserver access is only allowed from these subnets
+#
+# webserver-allow-from=0.0.0.0/0,::/0
+
 #################################
 # webserver-password Password required for accessing the webserver
 #
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 633db7623b..eabe3c708c 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
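Review bot: The help string on the added `webserver-allow-from` line does not say what format the value takes, although the default `0.0.0.0/0,::/0` shows it is a comma-separated list of CIDR subnets and that the default admits every source address, i.e. existing installations gain no restriction until the option is set. Suggest `::arg().set("webserver-allow-from","Webserver access is only allowed from these comma-separated subnets")="0.0.0.0/0,::/0";`. The same wording is repeated in the pdns_recursor.cc and pdns.conf-dist hunks and should be changed identically there. declareArguments() starts before this hunk.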
@@ -2099,6 +2099,7 @@ int main(int argc, char **argv)
 ::arg().set("experimental-webserver-address", "IP Address of webserver to listen on") = "127.0.0.1";
 ::arg().set("experimental-webserver-port", "Port of webserver to listen on") = "8082";
 ::arg().set("experimental-webserver-password", "Password required for accessing the webserver") = "";
+ ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="0.0.0.0/0,::/0";
 ::arg().set("experimental-api-config-dir", "Directory where REST API stores config and zones") = "";
 ::arg().set("carbon-ourname", "If set, overrides our reported hostname for carbon stats")="";
 ::arg().set("carbon-server", "If set, send metrics in carbon (graphite) format to this server")="";
diff --git a/pdns/sstuff.hh b/pdns/sstuff.hh
index 5a00362335..03bcafc1d9 100644
--- a/pdns/sstuff.hh
+++ b/pdns/sstuff.hh
@@ -78,6 +78,17 @@ public:
 return new Socket(s);
 }
+ //! Check remote address aganst netmaskgroup ng
+ bool acl(NetmaskGroup &ng)
+ {
+ ComboAddress remote;
+ socklen_t remotelen=sizeof(remote);
+ if(getpeername(d_socket, (struct sockaddr *)&remote, &remotelen) >= 0)
+ return ng.match((ComboAddress *) &remote);
+
+ return false;
+ }
+
 //! Set the socket to non-blocking
 void setNonBlocking()
 {
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index 0e56af580a..48b7d662f3 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -28,6 +28,7 @@
 #include "dns.hh"
 #include "base64.hh"
 #include "json.hh"
+#include "arguments.hh"
 #include 
 struct connectionThreadData {
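Review bot: The added option is named `webserver-allow-from` while every neighbouring webserver option in this block carries the `experimental-webserver-` prefix; presumably this is deliberate because `WebServer::go()` (webserver.cc hunk in this commit) looks up `::arg()["webserver-allow-from"]` by that exact key, but the mismatch will confuse operators reading the recursor's option list. A comment on the line would make the intent explicit: `// no experimental- prefix: WebServer::go() looks this key up by name`. The spacing also differs from the surrounding lines (`="..."` here versus `= "..."` around it). main() starts before and continues after this hunk.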
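Review bot: `acl()` casts `&remote` to `ComboAddress *` although `remote` is already declared as a `ComboAddress`, so the C-style cast on the return line is a no-op; `return ng.match(&remote);` reads cleaner. The doc comment has a typo and should state the fail-closed contract, since a failed getpeername() is reported as a deny: `//! Check remote address against netmaskgroup ng; returns false also when the peer address cannot be read`. Taking `ng` as `const NetmaskGroup&` would be preferable if `NetmaskGroup::match` is const, which I cannot confirm from the hunk. The enclosing Socket class starts and ends outside this hunk.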
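Review bot: Including `arguments.hh` makes WebServer depend on the global argument table: the `WebServer::go()` hunk further down reads `::arg()["webserver-allow-from"]` directly, so every binary embedding this class must declare that key (the pdns_recursor.cc hunk in this commit does so), and a missing declaration would presumably surface only at runtime when go() runs. Passing the `NetmaskGroup` (or the subnet string) into WebServer through its constructor or a setter would keep the class usable without the argument parser and make this include unnecessary. The go() hunk is cut off at the end of the page, so its catch block is not reviewed here.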
@@ -287,14 +288,25 @@ void WebServer::go()
 try {
 pthread_t tid;
+ NetmaskGroup acl;
+ acl.toMasks(::arg()["webserver-allow-from"]);
+
 while(true) {
 // data and data->client will be freed by thread
 connectionThreadData *data = new connectionThreadData;
 data->webServer = this;
 data->client = d_server->accept();
- pthread_create(&tid, 0, &WebServerConnectionThreadStart, (void *)data);
+ if (data->client->acl(acl)) {
+ pthread_create(&tid, 0, &WebServerConnectionThreadStart, (void *)data);
+ } else {
+ delete data->client; // close socket
+ delete data;
+ }
 }
 }
+ catch(PDNSException &e) {
+ L<