implement basic ACL for debug http
This commit is contained in:
parent
2a6175cf6f
commit
446c9e1fa6
2 changed files with 31 additions and 1 deletions
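--- a/README
+++ b/README
@@ -43,6 +43,7 @@ The following flags are automatically registered:
 
 - `-listen_address` (default: `127.0.0.1:4200`): where to listen for gRPC requests
 - `-debug_address` (default: `127.0.0.1:4201`): where to listen for debug HTTP requests
+- `-debug_allow_all` (default: false): whether to allow all IP address (vs. localhost) to connect to debug endpoint
 
 Since this library also includes [hspki](https://code.hackerspace.pl/q3k/hspki), you also get all the typical `-hspki_{...}` flags included.
 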
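--- a/mirko.go
+++ b/mirko.go
@@ -19,11 +19,13 @@ import (
 var (
 	flagListenAddress string
 	flagDebugAddress  string
+	flagDebugAllowAll bool
 )
 
 func init() {
 	flag.StringVar(&flagListenAddress, "listen_address", "127.0.0.1:4200", "gRPC listen address")
 	flag.StringVar(&flagDebugAddress, "debug_address", "127.0.0.1:4201", "HTTP debug/status listen address")
+	flag.StringVar(&flagDebugAllowAll, "debug_allow_all", false, "HTTP debug/status available to everyone")
 	flag.Set("logtostderr", "true")
 }
 
@@ -39,8 +41,28 @@ func New() *Mirko {
 	return &Mirko{}
 }
 
+func authRequest(req *http.Request) (any, sensitive bool) {
+	host, _, err := net.SplitHostPort(req.RemoteAddr)
+	if err != nil {
+		host = req.RemoteAddr
+	}
+
+	if flagDebugAllowAll {
+		return true, true
+	}
+
+	switch host {
+	case "localhost", "127.0.0.1", "::1":
+		return true, true
+	default:
+		return false, false
+	}
+}
+
 func (m *Mirko) Listen() error {
 	grpc.EnableTracing = true
+	trace.AuthRequest = authRequest
+
 	grpcLis, err := net.Listen("tcp", flagListenAddress)
 	if err != nil {
 		return fmt.Errorf("net.Listen: %v", err)
@@ -56,7 +78,14 @@ func (m *Mirko) Listen() error {
 
 	m.httpMux = http.NewServeMux()
 	// Canonical URLs
-	m.httpMux.HandleFunc("/debug/status", statusz.StatusHandler)
+	m.httpMux.HandleFunc("/debug/status", func(w http.ResponseWriter, r *http.Request) {
+		any, sensitive := authRequest(r)
+		if !any {
+			http.Error(w, "not allowed", http.StatusUnauthorized)
+			return
+		}
+		statusz.StatusHandler(w, r)
+	})
 	m.httpMux.HandleFunc("/debug/requests", trace.Traces)
 
 	// -z legacy URLs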
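Review bot: Two added lines in this file will not compile: `flag.StringVar(&flagDebugAllowAll, "debug_allow_all", false, ...)` in the first hunk passes a `*bool` and an untyped `false` where `flag.StringVar` takes `*string`/`string`, and in the `/debug/status` closure of the last hunk `any, sensitive := authRequest(r)` leaves `sensitive` declared and never used; they should read `flag.BoolVar(&flagDebugAllowAll, "debug_allow_all", false, ...)` and `allowed, _ := authRequest(r)` with `if !allowed {`. In authRequest the `switch host` admits only two literal addresses — the `"localhost"` case can never match a numeric `RemoteAddr`, and any other 127/8 address is refused although the intent is "loopback only" — whereas `if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() { return true, true }` followed by `return false, false` states that intent directly and still fails closed when `SplitHostPort` failed and `host` is not an IP. Since `trace.AuthRequest` also gates the `/debug/requests` traces, which can carry request payloads, `-debug_allow_all` exposes those to anyone who can reach `-debug_address`, and the flag's usage text should say it is only safe together with a non-public bind address; `http.StatusForbidden` also fits an address-based rejection better than 401, which implies a credential challenge. The `// -z legacy URLs` registered after the last hunk are outside this view; if they serve `statusz.StatusHandler` as well they need the same authRequest check.

```go
	flag.BoolVar(&flagDebugAllowAll, "debug_allow_all", false, "HTTP debug/status available to everyone (only safe with a non-public -debug_address)")

func authRequest(req *http.Request) (any, sensitive bool) {
	// … unchanged: SplitHostPort fallback and the -debug_allow_all short-circuit …
	// Loopback means any 127/8 or ::1 address; a non-IP host (SplitHostPort failed) is refused.
	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
		return true, true
	}
	return false, false
}

	m.httpMux.HandleFunc("/debug/status", func(w http.ResponseWriter, r *http.Request) {
		allowed, _ := authRequest(r)
		if !allowed {
			http.Error(w, "not allowed", http.StatusForbidden)
			return
		}
		// … unchanged: statusz.StatusHandler(w, r) …
	})
```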