author | John Estabrook <jestabro@vyos.io> | 2020-03-30 09:28:44 -0500 |
---|---|---|
committer | John Estabrook <jestabro@vyos.io> | 2020-03-30 14:07:57 -0500 |
commit | 69dda9497229b56bf68e7e66135688561598b892 (patch) | |
tree | 80d61fe3c95cd37567c8c19d4a1cdef5719c9d0e | |
parent | 84c2b27ed3148ff17ffeb2f4e034ffef6ddc0b0b (diff) | |
download | vyos-1x-69dda9497229b56bf68e7e66135688561598b892.tar.gz vyos-1x-69dda9497229b56bf68e7e66135688561598b892.zip |
http api: T2160: allow restricting HTTP API to specific servers
By default, the HTTP API will be proxied by any nginx virtual server.
Allow specifying a subset of servers to act as proxy.
-rw-r--r-- | interface-definitions/https.xml.in | 6 | ||||
-rwxr-xr-x | src/conf_mode/https.py | 18 |
2 files changed, 22 insertions, 2 deletions
diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index 1d986b2b4..49bd25b82 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -111,6 +111,12 @@
 <hidden/>
 </properties>
 </leafNode>
+ <leafNode name="virtual-host">
+ <properties>
+ <help>Restrict proxy to virtual host(s)</help>
+ <multi/>
+ </properties>
+ </leafNode>
 </children>
 </node>
 <node name="certificates">
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index a0fe9cf2f..889b62cf4 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -96,6 +96,7 @@ server {
 """
 default_server_block = {
+ 'id' : '',
 'address' : '*',
 'port' : '443',
 'name' : ['_'],
@@ -117,6 +118,7 @@ def get_config():
 else:
 for vhost in conf.list_nodes('virtual-host'):
 server_block = deepcopy(default_server_block)
+ server_block['id'] = vhost
 if conf.exists(f'virtual-host {vhost} listen-address'):
 addr = conf.return_value(f'virtual-host {vhost} listen-address')
 server_block['address'] = addr
@@ -156,9 +158,21 @@ def get_config():
 if conf.exists('api port'):
 port = conf.return_value('api port')
 api_data['port'] = port
+ if conf.exists('api virtual-host'):
+ vhosts = conf.return_values('api virtual-host')
+ api_data['vhost'] = vhosts[:]
+
+ if api_data:
- for block in server_block_list:
- block['api'] = api_data
+ # we do not want to include 'vhost' key as part of
+ # vyos.defaults.api_data, so check for key existence
+ vhost_list = api_data.get('vhost')
+ if vhost_list is None:
+ for block in server_block_list:
+ block['api'] = api_data
+ else:
+ for block in server_block_list:
+ if block['id'] in vhost_list:
+ block['api'] = api_data
 https = {'server_block_list' : server_block_list, 'certbot': certbot}
 return https |
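Review bot: The help text on the new `virtual-host` leaf does not say what is being proxied or that the values must be names of virtual hosts already configured for this service. Something like `<help>Restrict API proxy to the named virtual host(s)</help>` would make the access-control intent explicit. The leaf also carries no constraint or completion help, so any string is accepted at the CLI; a `<completionHelp>` entry listing the configured virtual hosts would make a mistyped name less likely.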
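Review bot: Names given under `api virtual-host` are never checked against the configured virtual hosts, so in the new `else:` branch a misspelled or stale entry matches no `block['id']` and the API is attached to no server block, with no message to the operator. Because this option is an access restriction, I would reject the commit instead, e.g. `unknown = set(vhost_list) - {b['id'] for b in server_block_list}` followed by `if unknown: raise ConfigError(f'api virtual-host not configured: {unknown}')`, either here or in the script's verify step (not visible in this hunk). Separately, the added comment says the 'vhost' key should stay out of vyos.defaults.api_data, yet `api_data['vhost'] = vhosts[:]` writes it into `api_data`; if that name is bound directly to the module-level default (the assignment is above the hunk, so this is inferred), the key lands in the shared dict and is carried into every `block['api']`. Working on a copy, `api_data = dict(api_data)` before the write, would keep the default clean. get_config() starts above this hunk.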