admin: Disable host checking if wildcard interface is specified
To clarify, listening on wildcard interfaces is NOT the default and should only be done under certain circumstances and when you know what you're doing. Emits a warning in the log. Fixes https://github.com/caddyserver/caddy-docker/issues/71
This commit is contained in:
parent
829e36d535
commit
f5ccb904a3
2 changed files with 31 additions and 13 deletions
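--- a/admin.go
+++ b/admin.go
@@ -60,10 +60,11 @@ type AdminConfig struct {
 // default.
 EnforceOrigin bool `json:"enforce_origin,omitempty"`
 
-// The list of allowed origins for API requests. Only used if
-// `enforce_origin` is true. If not set, the listener address
-// will be the default value. If set but empty, no origins will
-// be allowed.
+// The list of allowed origins/hosts for API requests. Only needed
+// if accessing the admin endpoint from a host different from the
+// socket's network interface or if `enforce_origin` is true. If not
+// set, the listener address will be the default value. If set but
+// empty, no origins will be allowed.
 Origins []string `json:"origins,omitempty"`
 
 // Options related to configuration management.
@@ -99,6 +100,7 @@ func (admin AdminConfig) listenAddr() (NetworkAddress, error) {
 func (admin AdminConfig) newAdminHandler(addr NetworkAddress) adminHandler {
 muxWrap := adminHandler{
 enforceOrigin: admin.EnforceOrigin,
+enforceHost: !addr.isWildcardInterface(),
 allowedOrigins: admin.allowedOrigins(addr),
 mux: http.NewServeMux(),
 }
@@ -234,12 +236,15 @@ func replaceAdmin(cfg *Config) error {
 
 go adminServer.Serve(ln)
 
-Log().Named("admin").Info(
-"admin endpoint started",
+Log().Named("admin").Info("admin endpoint started",
 zap.String("address", addr.String()),
 zap.Bool("enforce_origin", adminConfig.EnforceOrigin),
-zap.Strings("origins", handler.allowedOrigins),
-)
+zap.Strings("origins", handler.allowedOrigins))
+
+if !handler.enforceHost {
+Log().Named("admin").Warn("admin endpoint on open interface; host checking disabled",
+zap.String("address", addr.String()))
+}
 
 return nil
 }
@@ -271,6 +276,7 @@ type AdminRoute struct {
 
 type adminHandler struct {
 enforceOrigin bool
+enforceHost bool
 allowedOrigins []string
 mux *http.ServeMux
 }
@@ -292,12 +298,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // be called more than once per request, for example if a request
 // is rewritten (i.e. internal redirect).
 func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
+if h.enforceHost {
 // DNS rebinding mitigation
 err := h.checkHost(r)
 if err != nil {
 h.handleError(w, r, err)
 return
 }
+}
 
 if h.enforceOrigin {
 // cross-site mitigation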
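Review bot: In serveHTTP, a false `enforceHost` skips checkHost entirely, so on a wildcard listener the remaining request-origin control is `enforceOrigin`, whose zero value is false; the new startup warning in replaceAdmin does not say whether that second check is on. Add it to the Warn call, `zap.Bool("enforce_origin", adminConfig.EnforceOrigin),` before the address field, so the log line shows what protection remains. The `enforceHost` field also lacks a comment although it gates a security check; `// enforceHost is false when the listener is bound to a wildcard interface; the Host header check (DNS rebinding mitigation) is then skipped.` would do, and the `Origins` doc could state that, as far as this hunk shows, the decision comes from the listen address alone and is not a config option. serveHTTP's body continues outside the hunk.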
10
listeners.go
10
listeners.go
|
@ -302,6 +302,16 @@ func (na NetworkAddress) isLoopback() bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (na NetworkAddress) isWildcardInterface() bool {
|
||||||
|
if na.Host == "" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if ip := net.ParseIP(na.Host); ip != nil {
|
||||||
|
return ip.IsUnspecified()
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func (na NetworkAddress) port() string {
|
func (na NetworkAddress) port() string {
|
||||||
if na.StartPort == na.EndPort {
|
if na.StartPort == na.EndPort {
|
||||||
return strconv.FormatUint(uint64(na.StartPort), 10)
|
return strconv.FormatUint(uint64(na.StartPort), 10)
|
||||||
|
|
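Review bot: isWildcardInterface has no doc comment even though its result decides whether the admin handler enforces the Host header, and its treatment of hostnames is implicit: a host that is not an IP literal gets nil from `net.ParseIP` and is reported as non-wildcard, which keeps host checking on. Suggest `// isWildcardInterface reports whether na binds all interfaces: an empty host, or a host that parses as an unspecified IP (0.0.0.0 or ::). Hostnames return false.` above the function. The hunk does not show what na.Host holds for non-TCP networks, so the empty-host shortcut is worth confirming against the callers.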