From 096b51567c2c7263d83e490cbaa9e20b7d628e83 Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Mon, 31 Jan 2022 10:29:11 +1300 Subject: [PATCH 01/12] cPanel deployment config --- .cpanel.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .cpanel.yml diff --git a/.cpanel.yml b/.cpanel.yml new file mode 100644 index 0000000..c84bd0d --- /dev/null +++ b/.cpanel.yml @@ -0,0 +1,4 @@ +--- +deployment: + tasks: + - /bin/cp -R ./htdocs/* ~/public_html/ From 7e7a84e6634ab05abd3b99968023fd2442ff6d1e Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Fri, 11 Feb 2022 11:18:36 +1300 Subject: [PATCH 02/12] Public-facing LG - Added hiding of BGP summary and command line for public-facing LG's - Added safe subnets array to permit some subnets to view peer information - Added RADb to footer - Stopped hyperlinks being added for private ASNs - Minor code formatting changes --- htdocs/index.php | 175 +++++++++++++++++++++++++++++++---- htdocs/lg_config.php.example | 21 ++++- 2 files changed, 178 insertions(+), 18 deletions(-) diff --git a/htdocs/index.php b/htdocs/index.php index 32bea0f..a24743d 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -59,6 +59,8 @@ 'company' => 'My Company Name', 'logo' => 'lg_logo.gif', 'color' => '#E48559', + 'showpeerinfo' => 'TRUE', + 'safesubnet' => '', 'sshauthtype' => 'password', 'sshprivatekeypath' => '', 'sshpwdcommand' => 'plink', @@ -278,10 +280,76 @@ function load() { ), ); +# Test shell_exec to make sure it's available and working +if(trim(shell_exec('echo lgshellexectest')) != 'lgshellexectest') +{ + print '

shell_exec not enabled

'; + exit; +} + +# Test popen to make sure it's available and working +$popentest = ""; +$fp = popen('echo lgpopentest','r'); +while(!feof($fp)) + { + // send the current file part to the browser + $popentest .= trim(fread($fp, 1024)); + // flush the content to the browser + flush(); + } +fclose($fp); +$popentest = trim($popentest); +if($popentest != "lgpopentest") +{ + print '

popen not working

'; + exit; +} + +# Check if client IP is within safe subnets + +$ipsafe = false; +if(isset($_CONFIG['safesubnets']) AND ! empty($_CONFIG['safesubnets'])) +{ + foreach($_CONFIG['safesubnets'] as $safesubnet) + { + if(! empty($safesubnet)) + { + if(checkIP($_SERVER['REMOTE_ADDR'], $safesubnet)) + { + $ipsafe = true; + } + } + } +} + +if($ipsafe){ + if($command == 'graph' AND isset($_REQUEST['render']) AND $_REQUEST['render'] == true) + { + # Don't display + } + else + { + echo '
Your public IP is ' . $_SERVER['REMOTE_ADDR'] . ' and is within a safe subnet, therefore permitting display of peer information.

'; + } + +} + if (isset($_CONFIG['routers'][$router]) AND isset($queries[$_CONFIG['routers'][$router]['os']][$protocol]) AND (isset($queries[$_CONFIG['routers'][$router]['os']][$protocol][$command]) OR $command == 'graph')) { + if(!$ipsafe AND ($_CONFIG['showpeerinfo'] == "FALSE" OR $_CONFIG['routers'][$router]['showpeerinfo'] == "FALSE")) + { + switch ($command) + { + case "summary": + { + print '

Summary not permitted.

'; + exit; + break; + } + } + } if ($protocol == 'ipv6' AND (!isset($_CONFIG['routers'][$router]['ipv6']) OR $_CONFIG['routers'][$router]['ipv6'] !== TRUE)) { @@ -492,7 +560,12 @@ function load() { } else { - print '
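Review bot: The summary guard tests `$_CONFIG['routers'][$router]['showpeerinfo'] == "FALSE"`, but lg_config.php.example in this same patch sets the per-router value to the boolean `FALSE`, and in PHP `false == "FALSE"` evaluates to false, so a router configured that way still serves `summary` to clients outside the safe subnets. The per-router key is also read without `isset()`, and the defaults array adds `'safesubnet'` while this block reads `$_CONFIG['safesubnets']`. Normalising the setting once, e.g. `$showPeer = filter_var($_CONFIG['routers'][$router]['showpeerinfo'] ?? $_CONFIG['showpeerinfo'], FILTER_VALIDATE_BOOLEAN);`, lets both spellings behave the same here and in the later `Command:` check. Only `summary` is refused; whether other commands expose peer data cannot be judged from this hunk.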

Router: '.$_CONFIG['routers'][$router]['description'].'
Command: '.$exec.'

';
+			print '

Router: '.$_CONFIG['routers'][$router]['description'].'
'; + if($ipsafe OR ($_CONFIG['routers'][$router]['showpeerinfo'] == "TRUE" OR ($_CONFIG['showpeerinfo'] == "TRUE" AND !isset($_CONFIG['routers'][$router]['showpeerinfo'])))){ + print 'Command: '.$exec.'

';
+			} else {
+				print '

';
+			}
 			flush();
 
 			process($url, $exec);
@@ -516,7 +589,9 @@ function load() {
 					
                     
 					
+					
 					
+					
 					
 					
 					
@@ -552,7 +627,7 @@ function load() {
 ?>
 		
-

Information: RIPEstat he.net robtex.com PeeringDB

+

Information: RIPEstat RADb he.net robtex.com PeeringDB

Copyright ©

@@ -671,7 +746,14 @@ function process($url, $exec, $return_buffer = FALSE) { $instance_list = parse_list($instance); - print 'BGP router identifier '.$instance_list['router-id'].', local AS number '.link_as($instance_list['as'])."\n"; + if(! empty($instance_list['confederation'])) + { + print 'BGP router identifier '.$instance_list['router-id'].', sub ' . link_as($instance_list['as'], true) . " within confederation " . link_as($instance_list['confederation'], true) . "\n"; + } + else + { + print 'BGP router identifier '.$instance_list['router-id'].', local '.link_as($instance_list['as'])."\n"; + } } } @@ -700,7 +782,7 @@ function process($url, $exec, $return_buffer = FALSE) { @shell_exec('echo n | '.$ssh_path.' '.implode(' ', $params).' screen-length 0 temporary'); }*/ - + if ($fp = @popen('echo n | '.$ssh_path.' '.implode(' ', $params).' '.$exec, 'r')) { while (!feof($fp)) @@ -2368,14 +2450,44 @@ function link_community($line) /** * Link to AS whois */ -function link_as($line, $word = FALSE) +function link_as($line, $word = FALSE, $type = null) { global $_CONFIG; - //print_r($line); - - return preg_replace("/(?:AS)?([\d]+)/is", - "".($word ? 'AS' : '')."\\1", $line); + $asn = intval(preg_replace("/(?:AS)?([\d]+)/is", + "$1", $line)); + + $url = null; + $publicasn = false; + if(($asn >= 1 AND $asn <= 23455) OR ($asn >= 23457 AND $asn <= 64495) OR ($asn >= 131072 AND $asn <= 4199999999)){ + $publicasn = true; + } + + if($word) + { + $asnword = "AS" . $asn; + } + else + { + $asnword = $asn; + } + + if($publicasn AND $type == "url") + { + return htmlspecialchars($_CONFIG['aswhois']) . "AS" . $asn; + } + elseif($publicasn) + { + return '' . $asnword . ''; + } + elseif($type == "url") + { + return null; + } + else + { + return $asnword; + } } function get_as($ip, $original_as) 
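Review bot: The rewritten link_as() reduces its argument to one integer with `intval(preg_replace(...))`, so an input holding several AS numbers now yields only the first, and an input with no digits yields `0` (or `AS0`) instead of the original text; the old `preg_replace` linked every number and left everything else untouched. Callers outside this hunk that pass a whole line would lose output, which patch 05 works around for the MikroTik path only. A guard such as `if (!preg_match('/^(?:AS)?(\d+)$/i', trim($line), $m)) return $line;` keeps non-ASN input intact. The docblock still reads "Link to AS whois"; it should say that `$type = "url"` returns the bare whois URL, or null for an ASN outside the public ranges.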
@@ -2534,10 +2646,9 @@ function get_path_graph($router, $query, $as_pathes, $as_best_path, $format = 's $color = isset($as_peer_list[$as_id]) ? ($as_peer_list[$as_id] ? '#CCFFCC' : '#CCCCFF') : 'white'; $asinfo = get_asinfo($as_id); - $graph->addNode($as_id, array ( - 'URL' => $_CONFIG['aswhois'].$as_id, + 'URL' => link_as($as_id, false, "url"), 'target' => '_blank', 'label' => isset($asinfo['description']) ? $as_id."\n".$asinfo['description'] : $as_id, 'style' => 'filled', @@ -2682,16 +2793,23 @@ function get_asinfo($request) } $segments = array_map('trim', explode('|', $dns[0]['txt'], 5)); - + if (sizeof($segments) != 5) { return FALSE; } - - list($segments[4], $segments[5]) = explode(' ', $segments[4], 2); - + if(strpos(explode(',', $segments[4], 2)[0], " ")) + { + list($segments[4], $segments[5]) = explode(' ', $segments[4], 2); + } + else + { + $segments[5] = $segments[4]; + $segments[4] = explode(',', $segments[4], 2)[0]; + } + $segments[5] = str_replace('_', '"', $segments[5]); - + return array ( 'asn' => $segments[0], @@ -2829,6 +2947,31 @@ function group_routers($array) return $return; } +function checkIP($ip, $cidr) +{ + if (strpos($cidr, "/") !== false) + { + list($net, $mask) = explode("/", $cidr); + + $ip_net = ip2long ($net); + $ip_mask = ~((1 << (32 - $mask)) - 1); + + $ip_ip = ip2long ($ip); + + $ip_ip_net = $ip_ip & $ip_mask; + + return ($ip_ip_net == $ip_net); + } + elseif (filter_var(trim($cidr), FILTER_VALIDATE_IP) == true AND $ip === $cidr) + { + return true; + } + else + { + return false; + } +} + // ------------------------------------------------------------------------ /** diff --git a/htdocs/lg_config.php.example b/htdocs/lg_config.php.example index 40afe22..bb96396 100644 --- a/htdocs/lg_config.php.example +++ b/htdocs/lg_config.php.example 
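Review bot: checkIP() never checks the result of `ip2long()` or the prefix length and compares with loose `==`, so the safe-subnet test can fail open: when neither `$ip` nor `$net` is valid IPv4 (an IPv6 client together with an IPv6 prefix of /32 or shorter placed in `safesubnets`), both calls return false, `false & $ip_mask` is 0, and `0 == false` is true. A prefix length above 32 turns `1 << (32 - $mask)` into a negative shift, which throws on PHP 7 and later. At the top of the CIDR branch I would add `if (($ip_ip = ip2long($ip)) === false || ($ip_net = ip2long($net)) === false || !ctype_digit($mask) || $mask > 32) return false;` and compare the masked values with `===`. The `elseif` branch validates `trim($cidr)` but then compares the untrimmed `$cidr` with `$ip`.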
@@ -24,6 +24,18 @@ $_CONFIG['logo'] = 'lg_logo.gif'; */ $_CONFIG['color'] = '#E48559'; +/* + * Should the LG show BGP peer information? + */ +$_CONFIG['showpeerinfo'] = 'TRUE'; + +/* + * If 'showpeerinfo' above is TRUE, and you would like to show BGP peer information to visitors from a specific IPv4 address or subnet, add the IPv4 address or subnet (in CIDR format) to the array below + */ +$_CONFIG['safesubnets'] = array( + '' +); + /* * SSH authentication type (`password` or `privatekey`) */ @@ -57,12 +69,12 @@ $_CONFIG['ssh'] = '/usr/bin/sshpass'; /* * URL address of the IP whois service */ -$_CONFIG['ipwhois'] = 'http://noc.hsdn.org/whois/'; +$_CONFIG['ipwhois'] = 'https://www.radb.net/query?keywords='; /* * URL address of the AS whois service */ -$_CONFIG['aswhois'] = 'http://noc.hsdn.org/aswhois/'; +$_CONFIG['aswhois'] = 'https://www.radb.net/query?keywords='; /** * Router nodes @@ -74,6 +86,7 @@ $_CONFIG['aswhois'] = 'http://noc.hsdn.org/aswhois/'; * pingtraceurl - URL address for ping and traceroute tools (or FALSE) * description - Node description * group - Node group name (of FALSE) + * showpeerinfo - Should the LG show peer information? (TRUE / FALSE) * ipv6 - Node supports IPv6 (TRUE/FALSE) * os - Node OS (ios, mikrotik, quagga, junos) */ @@ -85,6 +98,7 @@ $_CONFIG['routers'] = array 'pingtraceurl' => FALSE, 'description' => 'Example Router 1', 'group' => 'AS12345', + 'showpeerinfo' => TRUE, 'ipv6' => TRUE, 'os' => 'ios', ), @@ -95,6 +109,7 @@ $_CONFIG['routers'] = array 'pingtraceurl' => FALSE, 'description' => 'Example Router 2', 'group' => 'AS12345', + 'showpeerinfo' => FALSE, 'ipv6' => TRUE, 'os' => 'ios', ), @@ -105,6 +120,7 @@ $_CONFIG['routers'] = array 'pingtraceurl' => FALSE, 'description' => 'Example Router 3', 'group' => 'AS12345', + 'showpeerinfo' => TRUE, 'ipv6' => TRUE, 'os' => 'mikrotik', ), 
@@ -116,6 +132,7 @@ $_CONFIG['routers'] = array 'pingtraceurl' => FALSE, 'description' => 'Example Router 4', 'group' => 'AS12345', + 'showpeerinfo' => FALSE, 'ipv6' => TRUE, 'os' => 'mikrotik', ), From b6a2119ebceafe7bdbc94398dd9e3278b8352253 Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Fri, 11 Feb 2022 11:45:12 +1300 Subject: [PATCH 03/12] AS information in traceroute - Fixed AS information in traceroute - Improved safe subnets message --- htdocs/index.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/htdocs/index.php b/htdocs/index.php index a24743d..c2ce0ce 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -329,7 +329,7 @@ function load() { } else { - echo '
Your public IP is ' . $_SERVER['REMOTE_ADDR'] . ' and is within a safe subnet, therefore permitting display of peer information.

'; + echo '
Your public IP is ' . $_SERVER['REMOTE_ADDR'] . ' and is within a safe subnet, therefore permitting display of peer information and command line.

'; } } @@ -1024,7 +1024,7 @@ function parse_out($output, $check = FALSE) global $_CONFIG, $router, $protocol, $os, $command, $exec, $query, $index, $lastip, $best, $count, $str_in, $ros; $output = str_replace("\r\n", "\n", $output); - + // MikroTik if (preg_match("/^\/(ip|ipv6) route print detail/i", $exec) AND $os == 'mikrotik') { @@ -1221,7 +1221,7 @@ function ($matches) { return 'traceroute to '.$query.' ('.get_ptr($query).'), 64 hops max, 60 byte packets'."\n"; } - + if ($index > 0) { $exp = explode(' ', preg_replace('/[\s\t]+/', ' ', trim($output))); @@ -1241,11 +1241,12 @@ function ($matches) { } else { - $radb = get_radb($exp[1]); - + #$radb = get_radb($exp[1]); + $asn = get_as($exp[1], "15835"); $new_exp[1] = get_ptr($exp[1]); $new_exp[2] = '('.$exp[1].')'; - $new_exp[3] = '['.(isset($radb['origin']) ? 'AS '.link_as($radb['origin']) : '').']'; + #$new_exp[3] = '['.(isset($radb['origin']) ? 'AS '.link_as($radb['origin']) : '').']'; + $new_exp[3] = $asn; $new_exp[4] = $exp[5].'ms'; $new_exp[5] = $exp[6].'ms'; $new_exp[6] = $exp[7].'ms'; @@ -2114,7 +2115,7 @@ function ($matches) { if (preg_match("/^trace/", $exec)) { $output = preg_replace("/\[AS0\]\s(.*)/", "\\1", $output); - + // IPv4 $output = preg_replace_callback( "/(\[AS)(\d+)(\])\s(.*)(\))(.*)/", From c501571a6473912015c7b4341fa8e184c03beba5 Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Thu, 17 Feb 2022 14:42:13 +1300 Subject: [PATCH 04/12] Stopped interfaces displaying in MikroTik routes from outside safe subnets --- htdocs/index.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/htdocs/index.php b/htdocs/index.php index c2ce0ce..3bc4607 100644 --- a/htdocs/index.php +++ b/htdocs/index.php 
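Review bot: `get_as($exp[1], "15835")` hard-codes one AS number in the traceroute branch; it is presumably the fallback used when the lookup finds nothing, which would label unknown hops with that AS on every installation. Taking the value from `$_CONFIG` (or passing an empty fallback) and deleting the two `get_radb` lines instead of keeping them as `#` comments would make the intent clear. `$new_exp[3]` previously carried the `[AS …]` wrapper; whether `get_as()` returns the same shape is not visible in this hunk.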
@@ -1021,7 +1021,7 @@ function process($url, $exec, $return_buffer = FALSE) */ function parse_out($output, $check = FALSE) { - global $_CONFIG, $router, $protocol, $os, $command, $exec, $query, $index, $lastip, $best, $count, $str_in, $ros; + global $_CONFIG, $router, $protocol, $os, $command, $exec, $query, $index, $lastip, $best, $count, $str_in, $ros, $ipsafe; $output = str_replace("\r\n", "\n", $output); @@ -1048,6 +1048,10 @@ function parse_out($output, $check = FALSE) { $data_exp = explode(' ', trim($summary_part), 3); + if(!$ipsafe){ + $summary_part = preg_replace("/\svia\s\s?\S+/x", "", $summary_part); + } + $summary_part = preg_replace_callback( "/bgp-as-path=\"([^\"]+)\"/x", function ($matches) { From 9018fd89eb52b76cfabac0c9a2ed27e03506aab4 Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Fri, 18 Feb 2022 09:14:24 +1300 Subject: [PATCH 05/12] Fixed MikroTik AS Path for compatibility with BGP Confederation --- htdocs/index.php | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/htdocs/index.php b/htdocs/index.php index 3bc4607..f3765a2 100644 --- a/htdocs/index.php +++ b/htdocs/index.php 
@@ -1051,14 +1051,30 @@ function parse_out($output, $check = FALSE) if(!$ipsafe){ $summary_part = preg_replace("/\svia\s\s?\S+/x", "", $summary_part); } - - $summary_part = preg_replace_callback( - "/bgp-as-path=\"([^\"]+)\"/x", - function ($matches) { - return stripslashes('bgp-as-path=\"'.link_as($matches[1]).'\"'); - }, - $summary_part - ); + $matches = null; + preg_match('/bgp-as-path\=\"([^\"]+)\"/', $summary_part, $matches); + if(! empty($matches[1])){ + $aspathmatches = array(); + $aspathOriginal = $matches[0]; + $aspathOriginal = str_replace('"', '\"', $aspathOriginal); + $summary_part = str_replace($matches[0], $aspathOriginal, $summary_part); + $aspath = $aspathOriginal; + preg_match_all("/((?:\d+)+)/", $aspath, $matches); + $asns = null; + $asns = $matches[1]; + $matchCount = 0; + if(! empty($asns)){ + foreach($matches[1] as $m){ + if(empty($aspathmatches[$m])){ + $aspathmatches[$m] = link_as($m); + } + } + if(!empty($aspathmatches)){ + $aspath = str_replace(array_keys($aspathmatches), array_values($aspathmatches), $aspath); + $summary_part = str_replace($aspathOriginal, stripslashes($aspath), $summary_part); + } + } + } if (strpos($data_exp[1], 'A') !== FALSE) { From 679998db46815db8c33802bcc06a4bfdae8b1628 Mon Sep 17 00:00:00 2001 From: Matthew McTague Date: Fri, 18 Feb 2022 09:24:23 +1300 Subject: [PATCH 06/12] Changed safe subnets message --- htdocs/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/index.php b/htdocs/index.php index f3765a2..285f1f1 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -329,7 +329,7 @@ function load() { } else { - echo '
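Review bot: The array form of `str_replace()` applies each pair in turn to the already-replaced string, so in the new AS-path block a shorter ASN that is a substring of another one (or of the digits inside the output `link_as()` just inserted) is rewritten a second time and the path is corrupted. Replacing each number exactly once avoids this: `$aspath = preg_replace_callback('/\d+/', function ($m) { return link_as($m[0]); }, $aspath);`. The unused `$matchCount` and `$asns`, and the `\"` escaping that is undone by `stripslashes()`, could then be dropped. parse_out() starts and ends outside this hunk.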
Your public IP is ' . $_SERVER['REMOTE_ADDR'] . ' and is within a safe subnet, therefore permitting display of peer information and command line.

'; + echo '
Your public IP is ' . $_SERVER['REMOTE_ADDR'] . ' and is within a safe subnet, therefore permitting display of peer information, interface names, and command line.

'; } } From a0505e5ad929ed32b03a13111523620597bc8b60 Mon Sep 17 00:00:00 2001 From: Joshua Williams Date: Fri, 27 Jan 2023 11:16:43 +1300 Subject: [PATCH 07/12] Implemented recaptcha v3, minor bug fixes --- htdocs/.gitignore | 1 + htdocs/backend.php | 123 +++++++++++++++++++++++++++++++++++ htdocs/forbidden.php | 17 +++++ htdocs/index.php | 99 ++++++++++++++++++++++++++-- htdocs/lg_config.php.example | 25 +++++++ 5 files changed, 259 insertions(+), 6 deletions(-) create mode 100644 htdocs/backend.php create mode 100644 htdocs/forbidden.php diff --git a/htdocs/.gitignore b/htdocs/.gitignore index ed222e1..14a2edf 100644 --- a/htdocs/.gitignore +++ b/htdocs/.gitignore @@ -1 +1,2 @@ lg_config.php +*.png \ No newline at end of file diff --git a/htdocs/backend.php b/htdocs/backend.php new file mode 100644 index 0000000..8d3fccf --- /dev/null +++ b/htdocs/backend.php 
@@ -0,0 +1,123 @@ + 503, + "response" => json_decode(curl_error($ch), true) + ); + } + curl_close($ch); + if(! empty($status)){ + if($status < 400){ + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } else { + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } + } else { + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } + } elseif($action == "post"){ + $encodedPostData = http_build_query($postdata); + $ch = curl_init(); + curl_setopt($ch, CURLOPT_SSLVERSION, 6); + curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); + curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_POSTFIELDS, $encodedPostData); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, "3"); + curl_setopt($ch, CURLOPT_TIMEOUT, "3"); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_VERBOSE, true); + $data = curl_exec($ch); + $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); + if(curl_error($ch)){ + return array( + "status" => 503, + "response" => json_decode(curl_error($ch), true) + ); + } + curl_close($ch); + if(! 
empty($status)){ + if($status < 400){ + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } else { + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } + } else { + return array( + "status" => $status, + "response" => json_decode($data, true) + ); + } + } else { + return array( + "status" => 400, + "response" => null + ); + } +} + +function verifyToken($token){ + global $_CONFIG; + $url = $_CONFIG['recaptchaBackendVerifyURL']; + $headers = array( + "Content-Type: application/x-www-form-urlencoded" + ); + return curlCall($url, $headers, "post", [ + "secret" => $_CONFIG['recaptchaSiteSecret'], + "response" => $token + ]); +} + +$request = json_decode(file_get_contents('php://input'), true); +$token = ""; + +if(isset($request['token'])){ + $token = $request['token']; +} + +$response = verifyToken($token); + +if($response){ + echo json_encode($response, JSON_PRETTY_PRINT); +} else { + var_dump($response); +} + + + +?> \ No newline at end of file diff --git a/htdocs/forbidden.php b/htdocs/forbidden.php new file mode 100644 index 0000000..031f7a6 --- /dev/null +++ b/htdocs/forbidden.php @@ -0,0 +1,17 @@ + + + + +
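Review bot: backend.php answers any client that posts a token and prints the whole siteverify reply, and on a falsy result it falls through to `var_dump($response)`; since index.php appears to be the only intended caller, returning just a boolean verdict, or moving the verification into index.php, would avoid exposing a public verification relay. In `curlCall`, `json_decode(curl_error($ch), true)` always yields null because the cURL error is plain text, the branches after `curl_close()` return identical arrays, and `CURLOPT_VERBOSE` is left enabled. The start of the file is not fully visible on this page, so the request setup is reviewed only as far as it is shown.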

403 Forbidden

+

Capatcha was not completed, redirecting...

+ + + + \ No newline at end of file diff --git a/htdocs/index.php b/htdocs/index.php index a0f3017..bb22beb 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -59,6 +59,11 @@ 'company' => 'My Company Name', 'logo' => 'lg_logo.gif', 'color' => '#E48559', + 'recaptchaEnabled' => false, + 'recaptchaFrontendURL' => 'https://www.google.com/recaptcha/api.js?render=', + 'recaptchaBackendVerifyURL' => 'https://www.google.com/recaptcha/api/siteverify', + 'recaptchaSiteKey' => "", + 'recaptchaSiteSecret' => "", 'showpeerinfo' => 'TRUE', 'safesubnet' => '', 'sshauthtype' => 'password', @@ -83,6 +88,8 @@ $protocol = isset($_REQUEST['protocol']) ? trim($_REQUEST['protocol']) : FALSE; $command = isset($_REQUEST['command']) ? trim($_REQUEST['command']) : FALSE; $query = isset($_REQUEST['query']) ? trim($_REQUEST['query']) : FALSE; +$token = isset($_REQUEST['token']) ? trim($_REQUEST['token']) : FALSE; + if ($command != 'graph' OR !isset($_REQUEST['render']) OR !isset($_CONFIG['routers'][$router])) { @@ -129,6 +136,21 @@ function load() { } //--> + + + + + @@ -371,7 +393,7 @@ function load() { $url = @parse_url($url); - $routing_instance = $_CONFIG['routers'][$router]['routing-instance']; + $routing_instance = isset($_CONFIG['routers']) AND isset($_CONFIG['routers'][$router]) AND isset($_CONFIG['routers'][$router]['routing-instance']) ? $_CONFIG['routers'][$router]['routing-instance'] : null; $os = $_CONFIG['routers'][$router]['os']; @@ -597,7 +619,7 @@ function load() { else { print '

Router: '.$_CONFIG['routers'][$router]['description'].'
'; - if($ipsafe OR ($_CONFIG['routers'][$router]['showpeerinfo'] == "TRUE" OR ($_CONFIG['showpeerinfo'] == "TRUE" AND !isset($_CONFIG['routers'][$router]['showpeerinfo'])))){ + if($ipsafe OR (isset($_CONFIG['routers'][$router]) AND isset($_CONFIG['routers'][$router]['showpeerinfo']) AND $_CONFIG['routers'][$router]['showpeerinfo'] == "TRUE") OR (isset($_CONFIG['showpeerinfo']) AND $_CONFIG['showpeerinfo'] == "TRUE" AND !isset($_CONFIG['routers'][$router]['showpeerinfo']))){ print 'Command: '.$exec.'

';
 			} else {
 				print '

';
@@ -616,7 +638,7 @@ function load() {
 
 // HTML form
 ?>
-		
+
@@ -625,7 +647,7 @@ function load() { - + @@ -652,7 +674,12 @@ function load() { - + +
Type of QueryAdditional parametersNode

|

+ onclick="captcha(event, document.theForm.command.value, document.theForm.protocol.value, document.theForm.router.value, document.theForm.query.value)" + + > |

@@ -677,7 +704,7 @@ function load() { */ function process($url, $exec, $return_buffer = FALSE) { - global $_CONFIG, $router, $protocol, $os, $command, $query, $ros; + global $_SERVER, $_CONFIG, $router, $protocol, $os, $command, $query, $ros, $token; $sshauthtype = null; $buffer = ''; @@ -685,6 +712,19 @@ function process($url, $exec, $return_buffer = FALSE) $index = 0; $str_in = array(); + $urlProtocol = isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ? 'https' : 'http'; + $curlUrl = $urlProtocol . "://" . $_SERVER['SERVER_NAME'] . "/backend.php"; + + if($_CONFIG['recaptchaEnabled'] === true) { + $result = verifyToken($curlUrl, $token); + if($result == false) { + echo ""; + exit; + } + } + +// do processing for the $response + switch ($url['scheme']) { case 'ssh': 
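Review bot: The reCAPTCHA gate in process() derives the verifier address from `$_SERVER['SERVER_NAME']` and the `HTTPS` variable and then calls its own `/backend.php` over HTTP; on servers where SERVER_NAME follows the request's Host header, the verdict would be fetched from a name the client chose. Calling the siteverify logic in-process, or building the URL from a fixed config value, removes that dependency and also the assumption that the LG is installed at the web root. `!empty($_SERVER['HTTPS'])` treats the value `off` as HTTPS, and `$_SERVER` is a superglobal, so adding it to the `global` list has no effect. process() starts and ends outside this hunk.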
@@ -1052,6 +1092,53 @@ function process($url, $exec, $return_buffer = FALSE) flush(); } +function verifyToken($url, $token){ + $headers = array( + "Content-Type: application/json" + ); + $ch = curl_init(); + curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); + #curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); + curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_POST, true); + curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["token" => $token])); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, "1"); + curl_setopt($ch, CURLOPT_TIMEOUT, "3"); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_VERBOSE, true); + + $data = curl_exec($ch); + $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); + if(curl_error($ch)){ + # die(var_dump(curl_error($ch))); + return false; + } + curl_close($ch); + + if($status > 300){ + # die(var_dump($status) . var_dump($data))); + return false; + } + if(!$data){ + # die(var_dump($status) . var_dump($data))); + return false; + } + $decodedData = json_decode($data, true); + if($decodedData['status'] !== 200){ + # die(var_dump($decodedData)); + return false; + } + if(!$decodedData['response']){ + # die(var_dump($decodedData)); + return false; + } + if($decodedData['response']['success'] !== true){ + # die(var_dump($decodedData)); + return false; + } + return true; +} + /** * Parse output contents */ diff --git a/htdocs/lg_config.php.example b/htdocs/lg_config.php.example index bb96396..7896a03 100644 --- a/htdocs/lg_config.php.example +++ b/htdocs/lg_config.php.example 
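Review bot: verifyToken() lets the request through once `$decodedData['response']['success']` is true, but in reCAPTCHA v3 that field only confirms the token was valid; the bot signal is the `score` (and `action`) field of the same reply, which this function never reads. I would add a comparison such as `if (($decodedData['response']['score'] ?? 0) < $minScore) return false;` with the threshold taken from a config entry. `$decodedData['status']` is also indexed without checking that `json_decode()` returned an array, `curl_close()` is skipped on the error path, and `CURLOPT_VERBOSE` is left on.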
@@ -24,6 +24,31 @@ $_CONFIG['logo'] = 'lg_logo.gif'; */ $_CONFIG['color'] = '#E48559'; +/* + * Enable reCAPTCHA v3 + */ +$_CONFIG['recaptchaEnabled'] = false; + +/* + * reCAPTCHA v3 Frontend URL + */ +$_CONFIG['recaptchaFrontendURL'] = 'https://www.google.com/recaptcha/api.js?render='; + +/* + * reCAPTCHA v3 Backend Verify URL + */ +$_CONFIG['recaptchaBackendVerifyURL'] = 'https://www.google.com/recaptcha/api/siteverify'; + +/* + * reCAPTCHA v3 Site Key + */ +$_CONFIG['recaptchaSiteKey'] = ''; + +/* + * reCAPTCHA v3 Site Secret + */ +$_CONFIG['recaptchaSiteSecret'] = ''; + /* * Should the LG show BGP peer information? */ From 9aae409a5bded4c84c0ba1f1ffa7a058ffb28cd1 Mon Sep 17 00:00:00 2001 From: Joshua Williams Date: Fri, 27 Jan 2023 11:41:16 +1300 Subject: [PATCH 08/12] Bug fixes --- htdocs/index.php | 15 +++++++-------- keys/.gitignore | 2 -- 2 files changed, 7 insertions(+), 10 deletions(-) delete mode 100644 keys/.gitignore diff --git a/htdocs/index.php b/htdocs/index.php index bb22beb..4bd9a1b 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -154,7 +154,7 @@ function captcha(event, command, protocol, router, query ) { -
lg
+
lg

AS Looking Glass


@@ -1098,7 +1098,6 @@ function verifyToken($url, $token){ ); $ch = curl_init(); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); - #curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["token" => $token])); @@ -1110,30 +1109,30 @@ function verifyToken($url, $token){ $data = curl_exec($ch); $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); if(curl_error($ch)){ - # die(var_dump(curl_error($ch))); + #var_dump(curl_error($ch)); exit; return false; } curl_close($ch); if($status > 300){ - # die(var_dump($status) . var_dump($data))); + #var_dump($status) . var_dump($data); exit; return false; } if(!$data){ - # die(var_dump($status) . var_dump($data))); + #var_dump($status) . var_dump($data); exit; return false; } $decodedData = json_decode($data, true); if($decodedData['status'] !== 200){ - # die(var_dump($decodedData)); + #var_dump($decodedData); exit; return false; } if(!$decodedData['response']){ - # die(var_dump($decodedData)); + #var_dump($decodedData); exit; return false; } if($decodedData['response']['success'] !== true){ - # die(var_dump($decodedData)); + #var_dump($decodedData); exit; return false; } return true; diff --git a/keys/.gitignore b/keys/.gitignore deleted file mode 100644 index c96a04f..0000000 --- a/keys/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore \ No newline at end of file From ab0e981e24432feda381d62e3524de6a4ba084df Mon Sep 17 00:00:00 2001 From: Joshua Williams Date: Fri, 27 Jan 2023 11:44:04 +1300 Subject: [PATCH 09/12] Fixed gitignore in htdocs --- htdocs/.gitignore | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/htdocs/.gitignore b/htdocs/.gitignore index 14a2edf..f94f394 100644 --- a/htdocs/.gitignore +++ b/htdocs/.gitignore @@ -1,2 +1,6 @@ lg_config.php -*.png \ No newline at end of file +!lg_logo.gif +*.gif +*.jpg +*.jpeg +*.png 
From 2d9615bbef50d552a6111406f2d9d8548b0c4158 Mon Sep 17 00:00:00 2001 From: Joshua Williams Date: Fri, 27 Jan 2023 11:46:28 +1300 Subject: [PATCH 10/12] Fixed wording in forbidden page --- htdocs/forbidden.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/forbidden.php b/htdocs/forbidden.php index 031f7a6..90a8346 100644 --- a/htdocs/forbidden.php +++ b/htdocs/forbidden.php @@ -6,7 +6,7 @@

403 Forbidden

-

Capatcha was not completed, redirecting...

+

reCAPTCHA was unsuccessful or expired, redirecting...