
Restrict forward source ip to requestor

This prevents the forwarding sockets from being open to the world, where they
could be used to connect to management interfaces directly; only the specific
requestors that asked for the forward are now allowed to connect.
Jarrod Johnson 2017-10-22 12:35:12 -04:00
parent 3372a8401a
commit 34fb159801
2 changed files with 15 additions and 4 deletions


@ -22,6 +22,7 @@ import eventlet.green.select as select
import eventlet.green.socket as socket
forwarders = {}
sockhandler = {}
allowedclients = set([])
vidtarget = None
vidforwarder = None
@ -40,7 +41,10 @@ def handle_connection(incoming, outgoing):
def forward_port(sock, target):
while True:
conn, _ = sock.accept()
conn, cli = sock.accept()
if cli[0] not in allowedclients:
conn.close()
continue
try:
client = socket.create_connection((target, 443))
except Exception:
@ -52,7 +56,10 @@ def forward_port(sock, target):
def forward_video():
sock = eventlet.listen(('::', 3900, 0, 0), family=socket.AF_INET6)
while True:
conn, _ = sock.accept()
conn, cli = sock.accept()
if cli[0] not in allowedclients:
conn.close()
continue
if vidtarget is None:
conn.close()
continue
@ -63,9 +70,13 @@ def forward_video():
continue
eventlet.spawn_n(handle_connection, conn, vidclient)
def get_port(addr):
def get_port(addr, clientip):
global vidtarget
global vidforwarder
if socket.getaddrinfo(clientip, 0)[0][0] == socket.AF_INET:
allowedclients.add('::ffff:' + clientip)
else:
allowedclients.add(clientip)
if addr not in forwarders:
newsock = eventlet.listen(('::', 0, 0, 0),
family=socket.AF_INET6)
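Review bot: `allowedclients` is a single process-wide set that only ever grows, so once an address is added in `get_port` it may connect to every forwarder for every target for the lifetime of the process, not just the port it requested; the accept-side checks in `forward_port` and `forward_video` test membership in that same global set. If the intent is to restrict a forward to its requestor, the allow-list should be scoped per forwarder, e.g. keyed by the listening socket or by `(target, clientip)`, and pruned when the forwarder is torn down (the teardown code is not visible here). A second, smaller point: `cli[0]` from an AF_INET6 accept can carry a scope suffix for link-local peers (`fe80::1%eth0`) and IPv6 text forms differ in case and compression, so comparing raw strings may deny legitimate clients; normalising both sides with `socket.inet_pton`/`inet_ntop` before comparison would make the match robust, and I would add a comment above L56 such as `# dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d, so store that form`. The body of `get_port` continues past the end of this hunk.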


@ -464,7 +464,7 @@ def resourcehandler_backend(env, start_response):
start_response('404 Not Found', headers)
yield 'No hardwaremanagemnet.manager defined for node'
return
funport = forwarder.get_port(targip)
funport = forwarder.get_port(targip, env['HTTP_X_FORWARDED_FOR'])
host = env['HTTP_X_FORWARDED_HOST']
url = 'https://{0}:{1}/'.format(host, funport)
start_response('302', [('Location', url)])
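Review bot: The requestor identity passed to `get_port` is `env['HTTP_X_FORWARDED_FOR']`, which is an attacker-supplied request header unless the front-end proxy is known to overwrite it; if a client can reach this backend directly, or the proxy appends rather than replaces, it can name any address it wants on the allow-list and the new restriction is bypassed. The header may also be a comma-separated chain (`client, proxy1`), which `socket.getaddrinfo` will reject rather than parse, turning a legitimate request into an exception. I would take the proxy-appended last hop and fall back to the peer address when the header is absent, e.g. `xff = env.get('HTTP_X_FORWARDED_FOR', env.get('REMOTE_ADDR', ''))` then `clientip = xff.split(',')[-1].strip()`, and document the trust assumption with `# X-Forwarded-For is trusted only because the TLS front end sets it; do not expose this backend directly`. The enclosing `resourcehandler_backend` starts well before this hunk, so where the header is validated, if anywhere, is not visible here.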