dnsdist: Implement an ACL in the internal web server #9229

Merged
merged 2 commits into from
Jun 17, 2020

rgacogne
Member

Short description

Implement the same kind of ACL for the internal web server that we have in the auth and rec, and restrict to 127.0.0.1 and ::1 by default.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

Otherwise we end up with an empty ACL (everything will be refused)
if the new one is not valid.
@rgacogne rgacogne merged commit a161449 into PowerDNS:master Jun 17, 2020
@rgacogne rgacogne deleted the dnsdist-webserver-allow-from branch June 17, 2020 09:09
Member

@chbruyand chbruyand left a comment

Looks good. Maybe it would be good to clarify the acl input format though.

@@ -0,0 +1,22 @@
#pragma once
Member

Maybe add the license header?

Member Author

Didn't we stop adding it? I'm a bit lost on that topic to be fair :-)

@@ -9,6 +9,13 @@ To visually interact with dnsdist, try add :func:`webserver` to the configuratio

Now point your browser at http://127.0.0.1:8083 and log in with any username, and that password. Enjoy!

Since 1.5.0, only connections from 127.0.0.1 and ::1 are allowed by default. To allow connections from 192.0.2.1, instead:
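Review bot: the added sentence "To allow connections from 192.0.2.1, instead:" does not say whether the configured list replaces the 127.0.0.1 and ::1 default or is added to it. Suggest stating it outright, for example that the ACL given here replaces the default so loopback has to be listed again if local access to the web server is still wanted, or the opposite if the entries are merged.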
Member

This is actually a list of netmasks. So it would probably be better to document here, and after, that it accepts various forms (e.g. 192.0.2.1, 192.0.0.0/16, and even !192.0.0.0/16).
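
The ACL behaviour discussed in this pull request (loopback-only default, a netmask list that also takes negated entries, and keeping the previous ACL when a new one is invalid), as an added Python sketch that is not dnsdist's code. The comma-separated input format, the most-specific-match rule and the names `parse_acl` and `WebAcl` are assumptions.

```python
import ipaddress

DEFAULT_ACL = "127.0.0.1, ::1"  # default stated in the PR description


def parse_acl(spec):
    """Parse a comma-separated netmask list (assumed input format) into
    (network, allow) pairs. Any bad entry raises ValueError, so the caller
    never receives a partially parsed ACL."""
    entries = []
    for token in spec.split(","):
        token = token.strip()
        allow = not token.startswith("!")  # "!net" is a negated entry
        # strict=False tolerates host bits below the prefix, e.g. 192.0.0.0/8
        net = ipaddress.ip_network(token if allow else token[1:], strict=False)
        entries.append((net, allow))
    return entries


class WebAcl:
    """Hypothetical holder for the web server ACL (not dnsdist's class)."""

    def __init__(self, spec=DEFAULT_ACL):
        self._entries = parse_acl(spec)

    def update(self, spec):
        """Swap in a new ACL only if all of it parsed. On error the previous
        ACL stays in force instead of an empty one that refuses everyone."""
        try:
            fresh = parse_acl(spec)
        except ValueError:
            return False
        self._entries = fresh
        return True

    def allowed(self, client):
        """The most specific matching entry decides (assumed semantics), a
        negated entry wins a tie, and an address matching nothing is refused."""
        addr = ipaddress.ip_address(client)
        hits = [(net.prefixlen, not allow) for net, allow in self._entries
                if net.version == addr.version and addr in net]
        return bool(hits) and not max(hits)[1]


if __name__ == "__main__":
    acl = WebAcl()
    acl.update("192.0.0.0/8, !192.0.0.0/16, 192.0.2.1")  # constructed sample
    for ip in ("192.0.2.1", "192.0.3.3", "192.5.5.5", "127.0.0.1"):
        print(ip, acl.allowed(ip))
```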
