feat(userspace/falco): implement configuration of webserver listening

address Currently the webserver is listening on the hard coded 0.0.0.0. This patch keeps this default but allows the administrator to change it. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
falcosecurity · Oct 26, 2023 · 5e5d761 · 5e5d761
1 parent 1609ee8
commit 5e5d761
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 3 deletions.
diff --git a/falco.yaml b/falco.yaml
@@ -492,6 +492,7 @@ webserver:
   # the appropriate number of threads based on the number of online cores in the system.
   threadiness: 0
   listen_port: 8765
+  listen_address: 0.0.0.0
   k8s_healthz_endpoint: /healthz
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem

diff --git a/userspace/falco/app/actions/start_webserver.cpp b/userspace/falco/app/actions/start_webserver.cpp
@@ -38,14 +38,17 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 		std::string ssl_option = (s.config->m_webserver_ssl_enabled ? " (SSL)" : "");
 		falco_logger::log(LOG_INFO, "Starting health webserver with threadiness "
 			+ std::to_string(s.config->m_webserver_threadiness)
-			+ ", listening on port "
+			+ ", listening on "
+			+ s.config->m_webserver_listen_address
+			+ ":"
 			+ std::to_string(s.config->m_webserver_listen_port)
 			+ ssl_option + "\n");
 
 		s.webserver.start(
 			s.offline_inspector,
 			s.config->m_webserver_threadiness,
 			s.config->m_webserver_listen_port, 
+			s.config->m_webserver_listen_address,
 			s.config->m_webserver_k8s_healthz_endpoint,
 			s.config->m_webserver_ssl_certificate, 
 			s.config->m_webserver_ssl_enabled);

diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -31,6 +31,11 @@ limitations under the License.
 #include "configuration.h"
 #include "logger.h"
 
+#include <re2/re2.h>
+
+static re2::RE2 ipv4_address_re("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
+
+
 falco_configuration::falco_configuration():
 	m_json_output(false),
 	m_json_include_output_property(true),
@@ -46,6 +51,7 @@ falco_configuration::falco_configuration():
 	m_webserver_enabled(false),
 	m_webserver_threadiness(0),
 	m_webserver_listen_port(8765),
+	m_webserver_listen_address("0.0.0.0"),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_syscall_evt_drop_threshold(.1),
@@ -285,6 +291,12 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	m_webserver_enabled = config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_threadiness = config.get_scalar<uint32_t>("webserver.threadiness", 0);
 	m_webserver_listen_port = config.get_scalar<uint32_t>("webserver.listen_port", 8765);
+	m_webserver_listen_address = config.get_scalar<std::string>("webserver.listen_address", "0.0.0.0");
+	if(!re2::RE2::FullMatch(m_webserver_listen_address, ipv4_address_re))
+	{
+		throw std::logic_error("Error reading config file (" + config_name + "): webserver listen address \"" + m_webserver_listen_address + "\" is not a valid IP address");
+	}
+
 	m_webserver_k8s_healthz_endpoint = config.get_scalar<std::string>("webserver.k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = config.get_scalar<bool>("webserver.ssl_enabled", false);
 	m_webserver_ssl_certificate = config.get_scalar<std::string>("webserver.ssl_certificate", "/etc/falco/falco.pem");

diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
@@ -85,6 +85,7 @@ class falco_configuration
 	bool m_webserver_enabled;
 	uint32_t m_webserver_threadiness;
 	uint32_t m_webserver_listen_port;
+	std::string m_webserver_listen_address;
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;

diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
@@ -29,6 +29,7 @@ void falco_webserver::start(
         const std::shared_ptr<sinsp>& inspector,
         uint32_t threadiness,
         uint32_t listen_port,
+        std::string& listen_address,
         std::string& healthz_endpoint,
         std::string &ssl_certificate,
         bool ssl_enabled)
@@ -77,11 +78,11 @@ void falco_webserver::start(
 
     std::atomic<bool> failed;
     failed.store(false, std::memory_order_release);
-    m_server_thread = std::thread([this, listen_port, &failed]
+    m_server_thread = std::thread([this, listen_address, listen_port, &failed]
     {
         try
         {
-            this->m_server->listen("0.0.0.0", listen_port);
+            this->m_server->listen(listen_address, listen_port);
         }
         catch(std::exception &e)
         {

diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
@@ -37,6 +37,7 @@ class falco_webserver
 		const std::shared_ptr<sinsp>& inspector,
 		uint32_t threadiness,
 		uint32_t listen_port,
+		std::string& list_address,
 		std::string& healthz_endpoint,
 		std::string &ssl_certificate,
 		bool ssl_enabled);