author | John Estabrook <jestabro@vyos.io> | 2023-03-29 19:48:52 -0500 |
---|---|---|
committer | John Estabrook <jestabro@vyos.io> | 2023-03-31 12:14:56 -0500 |
commit | 11b1d043310833447ddeea3b68fba2a1d1f5799d (patch) | |
tree | 2789494d62355cdd0648a0084b7a97aa70d8bea1 | |
parent | 11ace86f58261908f1ab15366b73aeddb14745c9 (diff) | |
download | vyos-1x-11b1d043310833447ddeea3b68fba2a1d1f5799d.tar.gz vyos-1x-11b1d043310833447ddeea3b68fba2a1d1f5799d.zip |
http-api: T5126: allow restricting client IP address
-rw-r--r-- | data/templates/https/nginx.default.j2 | 6 | ||||
-rw-r--r-- | interface-definitions/https.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/include/allow-client.xml.i | 33 | ||||
-rwxr-xr-x | src/conf_mode/https.py | 2 |
4 files changed, 42 insertions, 0 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index d42b3b389..b541ff309 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -50,6 +50,12 @@ server { {% else %} return 503; {% endif %} +{% if server.allow_client %} +{% for client in server.allow_client %} + allow {{ client }}; +{% endfor %} + deny all; +{% endif %} } error_page 497 =301 https://$host:{{ server.port }}$request_uri; diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index 6adb07598..cf30ab2be 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -60,6 +60,7 @@ <multi/> </properties> </leafNode> + #include <include/allow-client.xml.i> </children> </tagNode> <node name="api" owner="${vyos_conf_scripts_dir}/http-api.py"> diff --git a/interface-definitions/include/allow-client.xml.i b/interface-definitions/include/allow-client.xml.i new file mode 100644 index 000000000..03a0b3ff8 --- /dev/null +++ b/interface-definitions/include/allow-client.xml.i @@ -0,0 +1,33 @@ + <node name="allow-client"> + <properties> + <help>Restrict to allowed IP client addresses</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Allowed IP client addresses</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 address and prefix length</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <constraint> + <validator name="ip-address"/> + <validator name="ip-cidr"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </node> diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index ce5e63928..b0c38e8d3 100755 
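Review bot: The `allow`/`deny all` rules added after `{% endif %}` are evaluated by ngx_http_access_module against `$remote_addr`, so if this virtual host is reached through a reverse proxy or load balancer the allow list sees the proxy's address rather than the client's, and `deny all;` then either locks every client out or admits every client the proxy forwards; nothing in the hunk sets up `real_ip`, so this should at least be documented. I would put a comment above the new block: `{# ngx_http_access_module: matched on $remote_addr at the access phase (after the return 503 above); inherited by every location in this server that does not define its own allow/deny #}`. Note that a rejected client receives a 403, which reveals that the service exists; acceptable for an API endpoint but worth stating in the help text. The enclosing `server { ... }` block begins before the hunk and its location blocks are outside it, so I could not confirm that none of them carries its own access rules, which would override these.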
--- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -159,6 +159,8 @@ def generate(https): server_block['port'] = data.get('listen-port', '443') name = data.get('server-name', ['_']) server_block['name'] = name + allow_client = data.get('allow-client', {}) + server_block['allow_client'] = allow_client.get('address', []) server_block_list.append(server_block) # get certificate data |
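Review bot: An `allow-client` node configured with no `address` reaches the template as an empty list through the new `allow_client.get('address', [])`, so the template's `{% if server.allow_client %}` is false and the virtual host stays open to every client: the restriction fails open instead of closed. Unless verify(), which is outside this hunk, already rejects that case, add a check there such as `if 'allow-client' in data and not data['allow-client'].get('address'): raise ConfigError('allow-client requires at least one address')`, or make the template emit `deny all;` whenever the node exists. The two added lines also assume `address` arrives as a list; if the config dict were fetched without multi-value conversion a single value would be a str and the template's for-loop would iterate its characters, emitting one bogus `allow` per character — I could not see the get_config_dict call to confirm which applies. generate() starts and ends outside the hunk.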