From bfd09a79558b9f682e8bcfc8612d50b9a0f7ce5d Mon Sep 17 00:00:00 2001
From: Guillaume Marsay
Date: Tue, 21 Apr 2020 16:58:34 +0200
Subject: [PATCH] Add security by token and optional domain

---
 lg.cfg      |  2 ++
 lg.py       | 33 ++++++++++++++++++++++-----------
 lgproxy.cfg |  1 +
 lgproxy.py  | 17 ++++++++++++-----
 4 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/lg.cfg b/lg.cfg
index 2cc3388..1bb5ee1 100644
--- a/lg.cfg
+++ b/lg.cfg
@@ -5,6 +5,8 @@ LOG_LEVEL="WARNING"
 DOMAIN = "tetaneutral.net"
+SECURITY_TOKEN = "ThisTokenIsNotSecret"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
diff --git a/lg.py b/lg.py
index 2db377f..15da499 100644
--- a/lg.py
+++ b/lg.py
@@ -144,16 +144,24 @@ def bird_proxy(host, proto, service, query):
         return False, 'Host "%s" invalid' % host
     elif not path:
         return False, 'Proto "%s" invalid' % proto
-    else:
-        url = "http://%s.%s:%d/%s?q=%s" % (host, app.config["DOMAIN"], port, path, quote(query))
-        try:
-            f = urlopen(url)
-            resultat = f.read()
-            status = True # retreive remote status
-        except IOError:
-            resultat = "Failed retreive url: %s" % url
-            status = False
-        return status, resultat
+
+    url = "http://%s" % (host)
+    if "DOMAIN" in app.config:
+        url = "%s.%s" % (url, app.config["DOMAIN"])
+    url = "%s:%d/%s?" % (url, port, path)
+    if "SECURITY_TOKEN" in app.config:
+        url = "%stoken=%s&" % (url, app.config["SECURITY_TOKEN"])
+    url = "%sq=%s" % (url, quote(query))
+
+    try:
+        f = urlopen(url)
+        resultat = f.read()
+        status = True # retreive remote status
+    except IOError:
+        resultat = "Failed retreive url: %s" % url
+        status = False
+
+    return status, resultat
 @app.context_processor
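Review bot: `SECURITY_TOKEN = "ThisTokenIsNotSecret"` commits a shared static secret to the example config, and the lgproxy.cfg hunk ships the same value, so a deployment that copies both files unchanged authenticates with a token anyone can read from the repository. A comment beside it such as `# Shared secret presented to every lgproxy; replace with a long random value and keep it identical to SECURITY_TOKEN in lgproxy.cfg` would make the expectation explicit. Since lg.py appends the token only when this key is present while lgproxy.py rejects every request as soon as its own key is set, leaving the key out on one side only produces 401 responses rather than a clear configuration error. The same remark applies to the lgproxy.cfg hunk.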
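Review bot: The `except IOError` branch still returns `"Failed retreive url: %s" % url` as `resultat`, and `url` now carries `token=<secret>`, so any caller that displays this message exposes the shared token whenever a proxy is unreachable; log the full URL server-side if it is needed and return a version without the query, e.g. `resultat = "Failed retreive url: %s" % url.split("?", 1)[0]`. On the `"%stoken=%s&"` line the token is interpolated unquoted while `query` goes through `quote()`, so a token containing `&`, `#` or `%` would reach lgproxy as a different value than the one it compares against; `quote(app.config["SECURITY_TOKEN"])` keeps the two sides consistent. Because the URL is plain `http://` and the token sits in the query string, it is visible on the wire and in any access log that records request URLs; carrying it in a request header would narrow that exposure. `bird_proxy` starts before this hunk.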
@@ -455,7 +463,10 @@ def show_bgpmap():
         return edges[edge_tuple]
     for host, asmaps in data.iteritems():
-        add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        if "DOMAIN" in app.config:
+            add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        else:
+            add_node(host, label= "%s" % (host.upper()), shape="box", fillcolor="#F5A9A9")
         as_number = app.config["AS_NUMBER"].get(host, None)
         if as_number:
diff --git a/lgproxy.cfg b/lgproxy.cfg
index e7a6e8a..0577aa1 100644
--- a/lgproxy.cfg
+++ b/lgproxy.cfg
@@ -5,6 +5,7 @@ LOG_LEVEL="WARNING"
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
 ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
+SECURITY_TOKEN = "ThisTokenIsNotSecret"
 IPV4_SOURCE=""
 IPV6_SOURCE=""
 BIRD_SOCKET="/var/run/bird/bird.ctl"
diff --git a/lgproxy.py b/lgproxy.py
index e6018f0..f318eed 100644
--- a/lgproxy.py
+++ b/lgproxy.py
@@ -48,14 +48,21 @@ def access_log_after(response, *args, **kwargs):
     app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code)
     return response
-def check_accesslist():
-    if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
-        abort(401)
+def check_security():
+    if "ACCESS_LIST" in app.config:
+        if request.remote_addr not in app.config["ACCESS_LIST"]:
+            app.logger.warning("Your remote address is not valid")
+            abort(401)
+
+    if "SECURITY_TOKEN" in app.config:
+        if request.args.get("token") != app.config["SECURITY_TOKEN"]:
+            app.logger.warning("Your security token is not valid")
+            abort(401)
 @app.route("/traceroute")
 @app.route("/traceroute6")
 def traceroute():
-    check_accesslist()
+    check_security()
     if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
         traceroute4 = [ 'traceroute' ]
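Review bot: The two `add_node` calls in the new `if`/`else` differ only in the label, so the `shape="box", fillcolor="#F5A9A9"` arguments are duplicated and any later change to the node style must be made twice; building the label first and calling `add_node` once reads more clearly. Note that `"DOMAIN" in app.config` is also true for an empty string, which would produce a label ending in `\r`; `app.config.get("DOMAIN")` treats an empty value like a missing one, matching what the optional-domain intent seems to be. `show_bgpmap` starts before this hunk.
```python
    for host, asmaps in data.iteritems():
        label = host.upper()
        if app.config.get("DOMAIN"):
            label = "%s\r%s" % (label, app.config["DOMAIN"].upper())
        add_node(host, label=label, shape="box", fillcolor="#F5A9A9")
        # … unchanged: AS_NUMBER lookup …
```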
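Review bot: `check_security` changes what an empty `ACCESS_LIST` means: the removed guard `if app.config["ACCESS_LIST"] and ...` skipped the address check when the list was empty, whereas the new `if "ACCESS_LIST" in app.config:` denies every caller when it is set to `[]`; `if app.config.get("ACCESS_LIST"):` keeps the old semantics and also tolerates a missing key. The token check below it uses `!=`, which is not timing-safe for a secret comparison; `hmac.compare_digest` (available from Python 2.7.7) on two values of the same string type, with a missing token mapped to `""` first, is the usual replacement. Because the token arrives in the query string, the `access_log_after` hook at the top of the hunk writes it into the log through `request.url` on every request, so reading it from a request header would keep it out of access logs. Both warning messages omit which address or token failed; including `request.remote_addr` in them, e.g. `app.logger.warning("Access denied for %s", request.remote_addr)`, makes the 401s actionable when reviewing logs.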
@@ -94,7 +101,7 @@ def traceroute():
 @app.route("/bird")
 @app.route("/bird6")
 def bird():
-    check_accesslist()
+    check_security()
     if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
     elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))