
Add SHARED_SECRET

This commit is contained in:
Guillaume Marsay 2020-06-15 13:27:26 +02:00
parent 1e78b20860
commit 96c33da446
4 changed files with 23 additions and 5 deletions

lg.cfg

@ -5,6 +5,9 @@ LOG_LEVEL="WARNING"
DOMAIN = "tetaneutral.net" DOMAIN = "tetaneutral.net"
# Used for restrict access on lgproxy - must be same in lgproxy.cfg
SHARED_SECRET="ThisTokenIsNotSecret"
BIND_IP = "0.0.0.0" BIND_IP = "0.0.0.0"
BIND_PORT = 5000 BIND_PORT = 5000
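Review bot: The shipped value `SHARED_SECRET="ThisTokenIsNotSecret"` is a working credential as far as the proxy is concerned, and the same placeholder is added again in the proxy-side config hunk below (presumably lgproxy.cfg, as the comment names it). Because the proxy's check_security() only enforces the token when the configured value is non-empty, an operator who copies either sample file unchanged ends up with a publicly known token, and one who blanks it gets no token check at all; the comment states neither. I would reword the comment in both files to say so, e.g. `# Token sent with every lgproxy request; must match SHARED_SECRET in lgproxy.cfg. Replace this sample value before deploying - an empty value disables the check on the proxy.`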

lg.py

@ -153,7 +153,8 @@ def bird_proxy(host, proto, service, query):
if "DOMAIN" in app.config: if "DOMAIN" in app.config:
url = "%s.%s" % (url, app.config["DOMAIN"]) url = "%s.%s" % (url, app.config["DOMAIN"])
url = "%s:%d/%s?" % (url, port, path) url = "%s:%d/%s?" % (url, port, path)
if "SHARED_SECRET" in app.config:
url = "%ssecret=%s&" % (url, app.config["SHARED_SECRET"])
url = "%sq=%s" % (url, quote(query)) url = "%sq=%s" % (url, quote(query))
try: try:
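Review bot: The new `secret=` value on the second added line is interpolated raw, while the query on the following line goes through quote(); a token containing `&`, `#`, `%` or a space would be truncated or mangled before it reaches the proxy, which would then reject every request. Use `url = "%ssecret=%s&" % (url, quote(app.config["SHARED_SECRET"]))`, which needs nothing new in scope. Because the token travels in the query string it is also part of `request.url`, which the proxy's access_log_after() writes to its log (visible in the proxy-side hunk below), so it will be copied into every access log or intermediary that sees this URL; carrying it in a request header would keep it out of those. bird_proxy() starts before this hunk and its try block continues past it.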


@ -1,12 +1,21 @@
DEBUG=False DEBUG=False
LOG_FILE="/var/log/lg-proxy/lg-proxy.log" LOG_FILE="/var/log/lg-proxy/lg-proxy.log"
LOG_LEVEL="WARNING" LOG_LEVEL="WARNING"
BIND_IP = "0.0.0.0" BIND_IP = "0.0.0.0"
BIND_PORT = 5000 BIND_PORT = 5000
# Used for restrict access on lgproxy - Empty list = all allowed
ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"] ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
# Used for restrict access on lgproxy - Must be same in lg.cfg
SHARED_SECRET="ThisTokenIsNotSecret"
IPV4_SOURCE="" IPV4_SOURCE=""
IPV6_SOURCE="" IPV6_SOURCE=""
BIRD_SOCKET="/var/run/bird/bird.ctl" BIRD_SOCKET="/var/run/bird/bird.ctl"
BIRD6_SOCKET="/var/run/bird/bird6.ctl" BIRD6_SOCKET="/var/run/bird/bird6.ctl"


@ -54,14 +54,19 @@ def access_log_after(response, *args, **kwargs):
app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code) app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code)
return response return response
def check_accesslist(): def check_security():
if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]: if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
app.logger.info("Your remote address is not valid")
abort(401)
if app.config.get('SHARED_SECRET') and request.args.get("secret") != app.config["SHARED_SECRET"]:
app.logger.info("Your shared secret is not valid")
abort(401) abort(401)
@app.route("/traceroute") @app.route("/traceroute")
@app.route("/traceroute6") @app.route("/traceroute6")
def traceroute(): def traceroute():
check_accesslist() check_security()
if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'): if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
traceroute4 = [ 'traceroute' ] traceroute4 = [ 'traceroute' ]
@ -100,7 +105,7 @@ def traceroute():
@app.route("/bird") @app.route("/bird")
@app.route("/bird6") @app.route("/bird6")
def bird(): def bird():
check_accesslist() check_security()
if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET")) if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET")) elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))
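Review bot: check_security() compares the token with `!=`, which stops at the first differing character; an authentication token should be compared in constant time, e.g. `if app.config.get('SHARED_SECRET') and not hmac.compare_digest(request.args.get("secret", "").encode(), app.config["SHARED_SECRET"].encode()):` with `import hmac` added at the top of the file, outside this hunk. The `.get("secret", "")` default matters because the parameter may be absent and compare_digest does not accept None. The check is skipped entirely whenever SHARED_SECRET is unset or empty; that is a reasonable opt-in, but the function deserves a comment saying so, such as `# Token check is only enforced when SHARED_SECRET is configured; an empty value disables it.` The two added log lines say "Your ... is not valid" to a server log, where including request.remote_addr, as the existing access_log_after() does, would make them actionable. traceroute() and bird() both continue past their hunks.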