diff --git a/Cargo.lock b/Cargo.lock
index a3a19bf..959a1d0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -368,7 +368,7 @@ checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
 [[package]]
 name = "bird-looking-glass-proxy"
-version = "0.0.3"
+version = "0.0.4"
 dependencies = [
 "actix-web",
 "birdc",
diff --git a/Cargo.toml b/Cargo.toml
index b1c78da..b43f90f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "bird-looking-glass-proxy"
-version = "0.0.3"
+version = "0.0.4"
 edition = "2021"
 [dependencies]
diff --git a/config.toml b/config.toml
index e97557e..6f21423 100644
--- a/config.toml
+++ b/config.toml
@@ -1,9 +1,9 @@
 bind_ip = "0.0.0.0"
 bind_port = 8000
-# Used to restrict access to bird-looking-glass-proxy based on source IP address.
-# Empty list = any IP is allowed to run queries.
+# Empty = no access restriction.
 access_list = ["127.0.0.1"]
+shared_secret = ""
 # Used as source address when running traceroute
 ipv4_source="198.51.100.42"
diff --git a/src/auth.rs b/src/auth.rs
index 234145d..3d5a3e0 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -53,11 +53,22 @@ where
 Box::pin(async move {
 let addr = req.peer_addr().unwrap();
 let access_list = &GLOBAL_CONFIG.access_list;
- if access_list.contains(&addr.ip().to_string()) || access_list.is_empty() {
+ let shared_secret = &GLOBAL_CONFIG.shared_secret;
+ let provided_shared_secret = req
+ .headers()
+ .get("X-Shared-Secret")
+ .map(|header| header.to_str().unwrap_or_default())
+ .unwrap_or_default();
+ if (access_list.is_empty() && shared_secret.is_empty())
+ || access_list.contains(&addr.ip().to_string())
+ || shared_secret == provided_shared_secret
+ || (access_list.is_empty() && shared_secret == provided_shared_secret)
+ || (access_list.contains(&addr.ip().to_string()) && shared_secret.is_empty())
+ {
 Ok(svc.call(req).await?)
 } else {
 Err(error::ErrorUnauthorized(
- "Your remote address is not valid!",
+ "You do not have permission to access.",
 ))
 }
 })
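Review bot: The replacement comment `# Empty = no access restriction.` now sits above two settings and no longer says what is being restricted or how `access_list` and `shared_secret` combine, which the removed two-line comment did for the IP case. Per the intended logic in the src/auth.rs hunk a request is admitted if its source IP is in `access_list` or its `X-Shared-Secret` header equals `shared_secret`, so the comment should state that, e.g. `# Access control: a request is allowed if its source IP is in access_list or its X-Shared-Secret header matches shared_secret. Leave both empty to allow any client.` The sample config printed by `--example` in src/main.rs carries the same one-line comment and should be updated in step.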
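Review bot: The third disjunct `|| shared_secret == provided_shared_secret` admits every request that omits the `X-Shared-Secret` header whenever `shared_secret` is empty, because `unwrap_or_default()` turns a missing or non-ASCII header into `""` and `"" == ""` holds; with the shipped default `shared_secret = ""` from config.toml this means a non-empty `access_list` no longer restricts anything, a regression from the removed line. Guard the match on a configured secret, `|| (!shared_secret.is_empty() && shared_secret == provided_shared_secret)`; with that in place the fourth and fifth disjuncts are implied by the second and third and can be dropped, leaving three readable clauses. The secret comparison is a plain `==`, which stops at the first differing byte; since the header value is client-controlled, a constant-time comparison (for example `ct_eq` from the `subtle` crate) is the usual choice for a bearer-style secret. The enclosing service call starts before the hunk (its `where` clause is the context), and `req.peer_addr().unwrap()` on the context line above is pre-existing rather than part of this change.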
diff --git a/src/main.rs b/src/main.rs
index c9928a1..51d2dbd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -13,7 +13,20 @@ lazy_static! {
 .arg_from_usage("-e, --example 'Export sample config file'")
 .get_matches();
 if matches.is_present("example") {
- println!("bind_ip = \"0.0.0.0\"\nbind_port = 8000\n\n# Used to restrict access to bird-looking-glass-proxy based on source IP address.\n# Empty list = any IP is allowed to run queries.\naccess_list = [\"127.0.0.1\"]\n\n# Used as source address when running traceroute\nipv4_source=\"198.51.100.42\"\nipv6_source=\"2001:db8:42::1\"\n\nbird_socket=\"/var/run/bird/bird.ctl\"\nbird6_socket=\"/var/run/bird/bird6.ctl\"");
+ println!("bind_ip = \"0.0.0.0\"
+bind_port = 8000
+
+# Empty = no access restriction.
+access_list = [\"127.0.0.1\"]
+shared_secret = \"\"
+
+# Used as source address when running traceroute
+ipv4_source=\"198.51.100.42\"
+ipv6_source=\"2001:db8:42::1\"
+
+bird_socket=\"/var/run/bird/bird.ctl\"
+bird6_socket=\"/var/run/bird/bird6.ctl\"");
+ std::process::exit(0);
 }
 config::Config::new(matches.value_of("config").unwrap_or("config.toml"))