-
Notifications
You must be signed in to change notification settings - Fork 0
security admin authentication
You will learn how admin authentication works, why it defaults to fail-closed, and how to configure it safely.
By default, admin authentication is enabled. The daemon expects HTTP Basic Auth credentials from environment variables:
export UPDATE_IPSETS_ADMIN_USER=admin
export UPDATE_IPSETS_ADMIN_PASSWORD=your-secret-passwordAccess the admin UI and API with those credentials:
curl -u "$UPDATE_IPSETS_ADMIN_USER:$UPDATE_IPSETS_ADMIN_PASSWORD" http://localhost:18888/api/v1/admin/statusBrowser access opens a standard Basic Auth prompt.
If the credentials are missing or empty, admin access is denied entirely. The daemon does not fall back to open access. This prevents accidental exposure from:
- Forgetting to set the environment variables
- Setting only one of the two variables
- Setting an empty password
When auth is required and either variable is missing, admin endpoints return
503 Service Unavailable. When credentials are configured but the request uses
the wrong username or password, admin endpoints return 401 Unauthorized.
Disabling authentication requires two explicit flags:
--admin-auth-mode=disabled --allow-unauthenticated-adminBoth flags are required. Setting only --admin-auth-mode=disabled without --allow-unauthenticated-admin still blocks admin access.
A single typo in the configuration should not expose the admin surface. If --admin-auth-mode=disabled were sufficient on its own, a misspelled flag value or an unintended config deploy could open the admin UI to the world.
The second flag acts as an explicit acknowledgment: you understand that the admin surface is unprotected.
Setting --admin-auth-mode=disabled without --allow-unauthenticated-admin:
# This does NOT start the daemon
update-ipsets daemon --admin-auth-mode=disabledThe daemon exits with a configuration error because it treats disabled auth without the second flag as a misconfiguration, not as an intentional choice.
Running the admin listener on 127.0.0.1 (loopback only) does not make unauthenticated admin safe. The daemon does not infer safety from the bind address.
Reasons loopback is not sufficient:
- Other processes on the same host can reach it
- SSRF vulnerabilities in co-hosted applications can reach it
- DNS rebinding attacks can redirect browser requests to loopback
Use authentication even on loopback, unless you are in a controlled lab environment.
Set credentials in a systemd drop-in:
# /etc/systemd/system/update-ipsets.service.d/credentials.conf
[Service]
Environment="UPDATE_IPSETS_ADMIN_USER=admin"
Environment="UPDATE_IPSETS_ADMIN_PASSWORD=your-secret-password"Avoid putting credentials in the ExecStart= line — they would be visible in the process list.
After editing:
sudo systemctl daemon-reload
sudo systemctl restart update-ipsetsTest with correct credentials:
curl -u "$UPDATE_IPSETS_ADMIN_USER:$UPDATE_IPSETS_ADMIN_PASSWORD" http://localhost:18889/api/v1/admin/statusShould return JSON status.
Test with wrong credentials:
curl -u "$UPDATE_IPSETS_ADMIN_USER:$WRONG_UPDATE_IPSETS_ADMIN_PASSWORD" http://localhost:18889/api/v1/admin/statusShould return 401.
- Daemon Command Reference
- Environment Variables
- Configuration Reload
- Listener Topologies
- Admin Authentication
- Feed Families
- Source Feeds
- Processor Reference
- Static Feeds
- Merge Feeds
- Artifact Parents
- History Derivatives
- Provider Databases
- Use Roles
- Critical Infrastructure Reference Feeds
- Legal Fields
- Feed Visibility & Lifecycle
- YAML Field Reference
- Pipeline Overview
- Download Lifecycle
- Processing Lifecycle
- Feed Status Reference
- Health Classes
- What Triggers Reprocessing
- Accessing the Admin
- Runtime Status
- Feed Inventory
- Artifact Inventory
- Live Queues
- Background Work
- Schedule State
- Operator Actions
- Enable & Disable