admin: Disable host checking if wildcard interface is specified

To clarify, listening on wildcard interfaces is NOT the default and
should only be done under certain circumstances and when you know
what you're doing. Emits a warning in the log.

Fixes https://github.com/caddyserver/caddy-docker/issues/71
This commit is contained in:
Matthew Holt 2020-04-16 11:41:32 -06:00
parent 829e36d535
commit f5ccb904a3
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
2 changed files with 31 additions and 13 deletions

View file

@ -60,10 +60,11 @@ type AdminConfig struct {
// default. // default.
EnforceOrigin bool `json:"enforce_origin,omitempty"` EnforceOrigin bool `json:"enforce_origin,omitempty"`
// The list of allowed origins for API requests. Only used if // The list of allowed origins/hosts for API requests. Only needed
// `enforce_origin` is true. If not set, the listener address // if accessing the admin endpoint from a host different from the
// will be the default value. If set but empty, no origins will // socket's network interface or if `enforce_origin` is true. If not
// be allowed. // set, the listener address will be the default value. If set but
// empty, no origins will be allowed.
Origins []string `json:"origins,omitempty"` Origins []string `json:"origins,omitempty"`
// Options related to configuration management. // Options related to configuration management.
@ -99,6 +100,7 @@ func (admin AdminConfig) listenAddr() (NetworkAddress, error) {
func (admin AdminConfig) newAdminHandler(addr NetworkAddress) adminHandler { func (admin AdminConfig) newAdminHandler(addr NetworkAddress) adminHandler {
muxWrap := adminHandler{ muxWrap := adminHandler{
enforceOrigin: admin.EnforceOrigin, enforceOrigin: admin.EnforceOrigin,
enforceHost: !addr.isWildcardInterface(),
allowedOrigins: admin.allowedOrigins(addr), allowedOrigins: admin.allowedOrigins(addr),
mux: http.NewServeMux(), mux: http.NewServeMux(),
} }
@ -234,12 +236,15 @@ func replaceAdmin(cfg *Config) error {
go adminServer.Serve(ln) go adminServer.Serve(ln)
Log().Named("admin").Info( Log().Named("admin").Info("admin endpoint started",
"admin endpoint started",
zap.String("address", addr.String()), zap.String("address", addr.String()),
zap.Bool("enforce_origin", adminConfig.EnforceOrigin), zap.Bool("enforce_origin", adminConfig.EnforceOrigin),
zap.Strings("origins", handler.allowedOrigins), zap.Strings("origins", handler.allowedOrigins))
)
if !handler.enforceHost {
Log().Named("admin").Warn("admin endpoint on open interface; host checking disabled",
zap.String("address", addr.String()))
}
return nil return nil
} }
@ -271,6 +276,7 @@ type AdminRoute struct {
type adminHandler struct { type adminHandler struct {
enforceOrigin bool enforceOrigin bool
enforceHost bool
allowedOrigins []string allowedOrigins []string
mux *http.ServeMux mux *http.ServeMux
} }
@ -292,12 +298,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// be called more than once per request, for example if a request // be called more than once per request, for example if a request
// is rewritten (i.e. internal redirect). // is rewritten (i.e. internal redirect).
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) { func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
if h.enforceHost {
// DNS rebinding mitigation // DNS rebinding mitigation
err := h.checkHost(r) err := h.checkHost(r)
if err != nil { if err != nil {
h.handleError(w, r, err) h.handleError(w, r, err)
return return
} }
}
if h.enforceOrigin { if h.enforceOrigin {
// cross-site mitigation // cross-site mitigation

View file

@ -302,6 +302,16 @@ func (na NetworkAddress) isLoopback() bool {
return false return false
} }
func (na NetworkAddress) isWildcardInterface() bool {
if na.Host == "" {
return true
}
if ip := net.ParseIP(na.Host); ip != nil {
return ip.IsUnspecified()
}
return false
}
func (na NetworkAddress) port() string { func (na NetworkAddress) port() string {
if na.StartPort == na.EndPort { if na.StartPort == na.EndPort {
return strconv.FormatUint(uint64(na.StartPort), 10) return strconv.FormatUint(uint64(na.StartPort), 10)