forked from hswaw/hscloud
implement basic ACL for debug http
This commit is contained in:
parent
2a6175cf6f
commit
446c9e1fa6
2 changed files with 31 additions and 1 deletions
1
README
1
README
|
@ -43,6 +43,7 @@ The following flags are automatically registered:
|
|||
|
||||
- `-listen_address` (default: `127.0.0.1:4200`): where to listen for gRPC requests
|
||||
- `-debug_address` (default: `127.0.0.1:4201`): where to listen for debug HTTP requests
|
||||
- `-debug_allow_all` (default: false): whether to allow all IP address (vs. localhost) to connect to debug endpoint
|
||||
|
||||
Since this library also includes [hspki](https://code.hackerspace.pl/q3k/hspki), you also get all the typical `-hspki_{...}` flags included.
|
||||
|
||||
|
|
31
mirko.go
31
mirko.go
|
@ -19,11 +19,13 @@ import (
|
|||
var (
|
||||
flagListenAddress string
|
||||
flagDebugAddress string
|
||||
flagDebugAllowAll bool
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.StringVar(&flagListenAddress, "listen_address", "127.0.0.1:4200", "gRPC listen address")
|
||||
flag.StringVar(&flagDebugAddress, "debug_address", "127.0.0.1:4201", "HTTP debug/status listen address")
|
||||
flag.StringVar(&flagDebugAllowAll, "debug_allow_all", false, "HTTP debug/status available to everyone")
|
||||
flag.Set("logtostderr", "true")
|
||||
}
|
||||
|
||||
|
@ -39,8 +41,28 @@ func New() *Mirko {
|
|||
return &Mirko{}
|
||||
}
|
||||
|
||||
func authRequest(req *http.Request) (any, sensitive bool) {
|
||||
host, _, err := net.SplitHostPort(req.RemoteAddr)
|
||||
if err != nil {
|
||||
host = req.RemoteAddr
|
||||
}
|
||||
|
||||
if flagDebugAllowAll {
|
||||
return true, true
|
||||
}
|
||||
|
||||
switch host {
|
||||
case "localhost", "127.0.0.1", "::1":
|
||||
return true, true
|
||||
default:
|
||||
return false, false
|
||||
}
|
||||
}
|
||||
|
||||
func (m *Mirko) Listen() error {
|
||||
grpc.EnableTracing = true
|
||||
trace.AuthRequest = authRequest
|
||||
|
||||
grpcLis, err := net.Listen("tcp", flagListenAddress)
|
||||
if err != nil {
|
||||
return fmt.Errorf("net.Listen: %v", err)
|
||||
|
@ -56,7 +78,14 @@ func (m *Mirko) Listen() error {
|
|||
|
||||
m.httpMux = http.NewServeMux()
|
||||
// Canonical URLs
|
||||
m.httpMux.HandleFunc("/debug/status", statusz.StatusHandler)
|
||||
m.httpMux.HandleFunc("/debug/status", func(w http.ResponseWriter, r *http.Request) {
|
||||
any, sensitive := authRequest(r)
|
||||
if !any {
|
||||
http.Error(w, "not allowed", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
statusz.StatusHandler(w, r)
|
||||
})
|
||||
m.httpMux.HandleFunc("/debug/requests", trace.Traces)
|
||||
|
||||
// -z legacy URLs
|
||||
|
|
Loading…
Reference in a new issue