From 5ce41edc038caa629f918890eb9ea3a23346319a Mon Sep 17 00:00:00 2001
From: florian
Date: Mon, 26 Apr 2021 22:22:34 +0200
Subject: [PATCH] api - whitelist IP/network for API
---
 confs/global/crowdsec.conf | 2 +-
 confs/site/main-lua.conf | 2 +-
 entrypoint/defaults.sh | 1 +
 entrypoint/global-config.sh | 3 ++-
 lua/api.lua | 9 ++++++---
 lua/blacklist.lua | 2 +-
 lua/whitelist.lua | 2 +-
 7 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/confs/global/crowdsec.conf b/confs/global/crowdsec.conf
index 9551e2e..6917259 100644
--- a/confs/global/crowdsec.conf
+++ b/confs/global/crowdsec.conf
@@ -5,5 +5,5 @@ init_by_lua_block {
 ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 error()
 end
- ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+ ngx.log(ngx.WARN, "[Crowdsec] Initialisation done")
 }
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index ceea8e3..5d17db5 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -136,7 +136,7 @@ if use_crowdsec then
 ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 end
 if not ok then
- ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+ ngx.log(ngx.WARN, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
 ngx.exit(ngx.HTTP_FORBIDDEN)
 end
 end
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 016029f..f5fc30c 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@@ -128,4 +128,5 @@ ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 USE_CROWDSEC="${USE_CROWDSEC-no}"
 USE_API="${USE_API-no}"
 API_URI="${API_URI-random}"
+API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 SWARM_MODE="${SWARM_MODE-no}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index fa7c3a8..ce9ff9d 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
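Review bot: The default `API_WHITELIST_IP` admits all three RFC 1918 ranges, and lua/api.lua matches it against `ngx.var.remote_addr`, so a proxy or load balancer sitting in one of those ranges in front of this container would make every client it forwards count as whitelisted. If the intended deployment is direct access from the internal network only, that assumption should be recorded beside the default, e.g. `# Matched against remote_addr in lua/api.lua, not a forwarded header: a proxy inside these ranges would whitelist every client behind it`. Deployments with a proxy in front need either a narrower list or the real client address restored (for instance via nginx's realip module) before this check applies.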
@@ -220,7 +220,8 @@ if [ "$USE_API" = "yes" ] ; then API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" echo "[*] Generated API URI : $API_URI" fi - replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI" + list=$(spaces_to_lua "$API_WHITELIST_IP") + replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list" else replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "" fi diff --git a/lua/api.lua b/lua/api.lua index 8e4e24b..22c0280 100644 --- a/lua/api.lua +++ b/lua/api.lua @@ -1,5 +1,8 @@ -local M = {} -local api_list = {} +local M = {} +local api_list = {} +local api_whitelist_ip = {%API_WHITELIST_IP%} +local whitelist = iputils.parse_cidrs(api_whitelist_ip) +local ip = ngx.var.remote_addr api_list["^/ping$"] = function () return true @@ -10,7 +13,7 @@ api_list["^/reload$"] = function () end function M.is_api_call (api_uri) - if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then + if iputils.ip_in_cidrs(ip, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then for uri, code in pairs(api_list) do if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then return true diff --git a/lua/blacklist.lua b/lua/blacklist.lua index 3e852ab..112e65d 100644 --- a/lua/blacklist.lua +++ b/lua/blacklist.lua @@ -2,6 +2,7 @@ local M = {} local dns = require "dns" local iputils = require "resty.iputils" local ip_list = {%BLACKLIST_IP_LIST%} +local blacklist = iputils.parse_cidrs(ip_list) local reverse_list = {%BLACKLIST_REVERSE_LIST%} local ip = ngx.var.remote_addr @@ -23,7 +24,6 @@ end function M.check_ip () if #ip_list > 0 then - local blacklist = iputils.parse_cidrs(ip_list) if iputils.ip_in_cidrs(ip, blacklist) then ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400) ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist") diff --git a/lua/whitelist.lua b/lua/whitelist.lua index df50469..ae30e4b 100644 --- a/lua/whitelist.lua +++ b/lua/whitelist.lua 
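Review bot: The removed `replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"` has no counterpart in this hunk, so unless that substitution moved elsewhere, api.conf keeps the literal `%API_URI%` placeholder and the URI generated two lines above is never applied. If the intent was to add the whitelist step rather than replace the URI step, keep `replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"` in front of `list=$(spaces_to_lua "$API_WHITELIST_IP")`. Separately, `$API_WHITELIST_IP` is spliced verbatim into Lua source; the value is operator-supplied, but a malformed token would break api.lua at load rather than fail at startup with a clear message, so validating each entry as an IP or CIDR before the substitution would turn that into a configuration error. The enclosing `if [ "$USE_API" = "yes" ]` block starts before the hunk.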
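Review bot: `iputils` is used at module level in the new `local whitelist = iputils.parse_cidrs(api_whitelist_ip)`, but nothing in the shown lines of lua/api.lua brings it into scope, whereas lua/blacklist.lua and lua/whitelist.lua each carry `local iputils = require "resty.iputils"`; unless `iputils` is a global set by the init block, the module fails when loaded. Add `local iputils = require "resty.iputils"` above that line. The new `local ip = ngx.var.remote_addr` is also evaluated once at module load; if api.lua is loaded through `require`, which caches the module per worker, every later request in that worker would be checked against the first requester's address. If the module is instead re-read per request, as the identical pattern in blacklist.lua and whitelist.lua suggests, that is fine, but a comment stating that assumption — or moving the read into `M.is_api_call` — would keep the whitelist check from silently depending on how the module is loaded.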
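Review bot: When the caller is outside the whitelist, the combined condition in `M.is_api_call` now makes a request to the API URI look like any ordinary request, and the rejection leaves no trace in the log, unlike the Crowdsec path in confs/site/main-lua.conf which logs the denied address. Since the API URI is meant to be unguessable, an unlisted address reaching it is exactly the event a defender wants recorded; evaluating the URI match first and then `if uri_match and not iputils.ip_in_cidrs(ip, whitelist) then ngx.log(ngx.WARN, "[API] " .. ip .. " not in API whitelist") end` before the existing branch would capture it without changing the return value. The body of `M.is_api_call` continues past the end of the hunk.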
@@ -3,6 +3,7 @@ local dns = require "dns" local iputils = require "resty.iputils" local ip_list = {%WHITELIST_IP_LIST%} local reverse_list = {%WHITELIST_REVERSE_LIST%} +local whitelist = iputils.parse_cidrs(ip_list) local ip = ngx.var.remote_addr function M.ip_cached_ok () @@ -23,7 +24,6 @@ end function M.check_ip () if #ip_list > 0 then - local whitelist = iputils.parse_cidrs(ip_list) if iputils.ip_in_cidrs(ip, whitelist) then ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400) ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")