authorJohn Estabrook <jestabro@vyos.io>2023-03-29 19:48:52 -0500
committerJohn Estabrook <jestabro@vyos.io>2023-03-31 12:14:56 -0500
commit11b1d043310833447ddeea3b68fba2a1d1f5799d (patch)
tree2789494d62355cdd0648a0084b7a97aa70d8bea1
parent11ace86f58261908f1ab15366b73aeddb14745c9 (diff)
downloadvyos-1x-11b1d043310833447ddeea3b68fba2a1d1f5799d.tar.gz
vyos-1x-11b1d043310833447ddeea3b68fba2a1d1f5799d.zip
http-api: T5126: allow restricting client IP address
-rw-r--r--data/templates/https/nginx.default.j26
-rw-r--r--interface-definitions/https.xml.in1
-rw-r--r--interface-definitions/include/allow-client.xml.i33
-rwxr-xr-xsrc/conf_mode/https.py2
4 files changed, 42 insertions, 0 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index d42b3b389..b541ff309 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -50,6 +50,12 @@ server {
{% else %}
return 503;
{% endif %}
+{% if server.allow_client %}
+{% for client in server.allow_client %}
+ allow {{ client }};
+{% endfor %}
+ deny all;
+{% endif %}
}
error_page 497 =301 https://$host:{{ server.port }}$request_uri;
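Review bot: The `allow`/`deny` directives added at the end of this block match nginx's `$remote_addr`, so when the HTTPS service sits behind a reverse proxy or load balancer every request carries the proxy's address and the list either blocks all clients or, if the proxy is listed, admits everything it forwards. A template comment above the new `{% if server.allow_client %}` would save the next maintainer from relying on it in that deployment, e.g. `{# allow/deny test $remote_addr; behind a proxy the real client IP is not seen unless real_ip is configured #}`. Rendering `{{ client }}` unquoted is acceptable only because the CLI constraint restricts the value to validated addresses and prefixes, which is worth stating in the same comment. The block that the `}` on the last line closes opens before this hunk, presumably a location block.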
diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index 6adb07598..cf30ab2be 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -60,6 +60,7 @@
<multi/>
</properties>
</leafNode>
+ #include <include/allow-client.xml.i>
</children>
</tagNode>
<node name="api" owner="${vyos_conf_scripts_dir}/http-api.py">
diff --git a/interface-definitions/include/allow-client.xml.i b/interface-definitions/include/allow-client.xml.i
new file mode 100644
index 000000000..03a0b3ff8
--- /dev/null
+++ b/interface-definitions/include/allow-client.xml.i
@@ -0,0 +1,33 @@
+ <node name="allow-client">
+ <properties>
+ <help>Restrict to allowed IP client addresses</help>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>Allowed IP client addresses</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ <validator name="ip-cidr"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index ce5e63928..b0c38e8d3 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -159,6 +159,8 @@ def generate(https):
server_block['port'] = data.get('listen-port', '443')
name = data.get('server-name', ['_'])
server_block['name'] = name
+ allow_client = data.get('allow-client', {})
+ server_block['allow_client'] = allow_client.get('address', [])
server_block_list.append(server_block)
# get certificate data
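Review bot: The new lines `allow_client = data.get('allow-client', {})` and `server_block['allow_client'] = allow_client.get('address', [])` silently disable the restriction when `allow-client` is configured without any `address` values: the empty list is falsy in the template, so no `deny all;` is emitted and the server stays open to every client while the operator believes it is restricted. A verify-time check, in the script's verify function (outside this hunk), should reject that configuration, e.g. `if 'allow-client' in data and not data['allow-client'].get('address'): raise ConfigError('allow-client requires at least one address')`, assuming ConfigError is imported as in the other conf_mode scripts. A short comment on the second added line, `# empty list renders no allow/deny block, i.e. no restriction`, would document the behaviour either way. `generate` begins before this hunk.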