Merge pull request #71 from gmarsay/add-shared-secret

Add SHARED_SECRET
2020-06-15 22:00:06 +02:00 · 2020-06-15 22:00:06 +02:00 · 73ff7aa496
parent 1e78b20860 96c33da446
commit 73ff7aa496
4 changed files with 23 additions and 5 deletions
--- a/lg.cfg
+++ b/lg.cfg
@ -5,6 +5,9 @@ LOG_LEVEL="WARNING"

 DOMAIN = "tetaneutral.net"

+# Used for restrict access on lgproxy - must be same in lgproxy.cfg
+SHARED_SECRET="ThisTokenIsNotSecret"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000

--- a/lg.py
+++ b/lg.py
@ -153,7 +153,8 @@ def bird_proxy(host, proto, service, query):
    if "DOMAIN" in app.config:
        url = "%s.%s" % (url, app.config["DOMAIN"])
    url = "%s:%d/%s?" % (url, port, path)
-
+    if "SHARED_SECRET" in app.config:
+        url = "%ssecret=%s&" % (url, app.config["SHARED_SECRET"])
    url = "%sq=%s" % (url, quote(query))

    try:
--- a/lgproxy.cfg
+++ b/lgproxy.cfg
@ -1,12 +1,21 @@

 DEBUG=False
+
 LOG_FILE="/var/log/lg-proxy/lg-proxy.log"
 LOG_LEVEL="WARNING"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
+
+# Used for restrict access on lgproxy - Empty list = all allowed
 ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
+
+# Used for restrict access on lgproxy - Must be same in lg.cfg
+SHARED_SECRET="ThisTokenIsNotSecret"
+
 IPV4_SOURCE=""
 IPV6_SOURCE=""
+
 BIRD_SOCKET="/var/run/bird/bird.ctl"
 BIRD6_SOCKET="/var/run/bird/bird6.ctl"

--- a/lgproxy.py
+++ b/lgproxy.py
@ -54,14 +54,19 @@ def access_log_after(response, *args, **kwargs):
    app.logger.info("[%s] reponse %s, %s", request.remote_addr,  request.url, response.status_code)
    return response

-def check_accesslist():
-    if  app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
+def check_security():
+    if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
+        app.logger.info("Your remote address is not valid")
+        abort(401)
+
+    if app.config.get('SHARED_SECRET') and request.args.get("secret") != app.config["SHARED_SECRET"]:
+        app.logger.info("Your shared secret is not valid")
        abort(401)

@app.route("/traceroute")
@app.route("/traceroute6")
 def traceroute():
-    check_accesslist()
+    check_security()
    
    if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
        traceroute4 = [ 'traceroute' ]
@ -100,7 +105,7 @@ def traceroute():
@app.route("/bird")
@app.route("/bird6")
 def bird():
-    check_accesslist()
+    check_security()

    if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
    elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))