From 3bc776fe7b531aa93238184703d6c26c6c3aa014 Mon Sep 17 00:00:00 2001
From: Aroosha Pervaiz
Date: Tue, 15 Oct 2024 12:09:37 +0200
Subject: [PATCH 1/4] Changes to expose debug functionality to only specified users and add http->https redirect
---
 data.go | 3 +++
 oauth.go | 2 ++
 server.go | 22 ++++++++++++++++++++++
 utils.go | 26 ++++++++++++++++++++++++++
 x509.go | 2 ++
 5 files changed, 55 insertions(+)
diff --git a/data.go b/data.go
index f7c314d..8b27124 100644
--- a/data.go
+++ b/data.go
@@ -80,6 +80,9 @@ type Configuration struct {
 DomainNames []string `json:"domain_names"` // list of domain names to use for LetsEncrypt
 ZapLogger string `json:"zap_logger"` // define zap logger usage
+ // debug server info
+
+ DebugAllowedIPs []string `json:"debug_allowed_ips"` // list of allowed IPs to view debug/profile info
 // Monit pieces
 MonitType string `json:"monit_type"` // monit record type
diff --git a/oauth.go b/oauth.go
index c6c8604..89cf0c1 100644
--- a/oauth.go
+++ b/oauth.go
@@ -670,6 +670,8 @@ func oauthProxyServer() {
 // the callback authentication handler
 http.HandleFunc(fmt.Sprintf("%s/callback", Config.Base), oauthCallbackHandler)
+ // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+ http.HandleFunc("/debug/", debugHandler)
 // the request handler
 http.HandleFunc("/", oauthRequestHandler)
diff --git a/server.go b/server.go
index cbe52f5..74898e1 100644
--- a/server.go
+++ b/server.go
@@ -2,6 +2,7 @@ package main
 import (
 "crypto/tls"
+ "fmt"
 "log"
 "net/http"
 "time"
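Review bot: The trailing comment on the new `DebugAllowedIPs` field in the data.go hunk does not say what an entry looks like, and its only consumer in this patch (`isAllowedIP` in utils.go) compares each entry as a plain string against the host part of `r.RemoteAddr`, so a CIDR range or an entry carrying a port can never match. I would make the comment state that contract, e.g. `// exact client IP literals (no port, no CIDR) allowed to view debug/profile info; empty denies all`. The "empty denies all" part presumes `InList` returns false for an empty list, which this patch does not show, so confirm that before documenting it.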
@@ -26,6 +27,13 @@ var NumLogicalCores int
 // CMSAuth structure to create CMS Auth headers
 var CMSAuth cmsauth.CMSAuth
+// redirectToHTTPS will redirect all HTTP requests to HTTPS
+func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
+ httpsURL := fmt.Sprintf("https://%s%s", r.Host, r.URL.RequestURI())
+ log.Printf("redirect %s to https\n", r.URL.String())
+ http.Redirect(w, r, httpsURL, http.StatusMovedPermanently)
+}
+
 // Server starts APS server
 func Server(config string, port, metricsPort int, logFile string, useX509, scitokens, rules bool) {
 err := parseConfig(config)
@@ -124,6 +132,20 @@ func Server(config string, port, metricsPort int, logFile string, useX509, scito
 Config.CollectorPassword, httpClient)
+ // start HTTP server for redirecting http requests to https end-point
+ go func() {
+ httpServer := &http.Server{
+ Addr: ":80", // HTTP on port 80
+ Handler: http.HandlerFunc(redirectToHTTPS),
+ }
+
+ log.Println("HTTP to HTTPS redirect server is running on port 80...")
+ err := httpServer.ListenAndServe()
+ if err != nil {
+ log.Println("Error starting HTTP server:", err)
+ }
+ }()
+
 // start our servers
 if useX509 {
 if Config.CricURL != "" || Config.CricFile != "" {
diff --git a/utils.go b/utils.go
index 8b4470f..cb93cf2 100644
--- a/utils.go
+++ b/utils.go
@@ -14,6 +14,7 @@ import (
 "io"
 "io/ioutil"
 "log"
+ "net"
 "net/http"
 "net/url"
 "os"
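Review bot: `redirectToHTTPS` builds the Location target from the client-controlled Host header (`fmt.Sprintf("https://%s%s", r.Host, r.URL.RequestURI())`), so whatever a client puts in Host is echoed back in a cacheable 301, which is the classic host-header-injection shape; since `Config.DomainNames` already lists the hostnames this server answers for, reject anything else before redirecting, e.g. `if !InList(r.Host, Config.DomainNames) { http.Error(w, "bad request", http.StatusBadRequest); return }` (strip a `:port` suffix first if clients may send one). The log line records `r.URL.String()`, which for a server-side request includes the query string; on an auth proxy that can carry `code`/`state` parameters, so logging `r.URL.Path` instead keeps them out of the log. The trailing `\n` in `log.Printf` is redundant because the log package appends one.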
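Review bot: The clear-text listener started in the goroutine (`httpServer := &http.Server{Addr: ":80", ...}`) sets no timeouts, so an unauthenticated client that opens connections and never finishes sending headers can hold them open indefinitely; `time` is already imported in server.go, so set `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout` and `IdleTimeout` on the struct as below (the values are illustrative, not taken from the project). The `:80` address is hard-coded and a bind failure is only logged, so on a host where the process cannot bind port 80 the redirect silently never exists; consider reading the address from `Config` and saying in the comment that the listener is best-effort. The `err != nil` branch would also log a normal `http.ErrServerClosed`, though nothing on this page shuts the server down.
```go
		httpServer := &http.Server{
			Addr:    ":80", // HTTP on port 80
			Handler: http.HandlerFunc(redirectToHTTPS),
			// bound slow or idle clients on the unauthenticated clear-text port
			ReadHeaderTimeout: 5 * time.Second,
			ReadTimeout:       10 * time.Second,
			WriteTimeout:      10 * time.Second,
			IdleTimeout:       30 * time.Second,
		}
		// … unchanged: ListenAndServe and error logging …
```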
@@ -647,3 +648,28 @@ func SetReferrer(r *http.Request) {
 r.Header.Set("Referer", ref)
 r.Header.Set("Referrer", ref)
 }
+
+// Checks if the remote IP is in the allowed range
+func isAllowedIP(r *http.Request) bool {
+ // Extract the remote IP from the request (format could be IP:port)
+ ip, _, err := net.SplitHostPort(r.RemoteAddr)
+ if err != nil {
+ log.Printf("Error parsing RemoteAddr: %v\n", err)
+ return false
+ }
+
+ // check if IP is allowed to view debug info
+ return InList(ip, Config.DebugAllowedIPs)
+}
+
+// Middleware to restrict pprof and expvar to allowed IPs
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+ if !isAllowedIP(r) {
+ http.Error(w, "403 Forbidden", http.StatusForbidden)
+ return
+ }
+
+ // Serve the original debug endpoint if the IP is allowed
+ http.DefaultServeMux.ServeHTTP(w, r)
+}
+
diff --git a/x509.go b/x509.go
index 0e0118d..2d51a9d 100644
--- a/x509.go
+++ b/x509.go
@@ -124,6 +124,8 @@ func x509ProxyServer() {
 // the server settings handler
 http.HandleFunc(fmt.Sprintf("%s/server", Config.Base), settingsHandler)
+ // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+ http.HandleFunc("/debug/", debugHandler)
 // the request handler
 http.HandleFunc("/", x509RequestHandler)
From 407a93b16f828d4f9d7f1ae2b9334520136402d4 Mon Sep 17 00:00:00 2001
From: "A. Pervaiz" <77356768+arooshap@users.noreply.github.com>
Date: Tue, 15 Oct 2024 12:13:25 +0200
Subject: [PATCH 2/4] Update data.go to fix spacing
---
 data.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data.go b/data.go
index 8b27124..4ec316e 100644
--- a/data.go
+++ b/data.go
@@ -80,8 +80,8 @@ type Configuration struct {
 DomainNames []string `json:"domain_names"` // list of domain names to use for LetsEncrypt
 ZapLogger string `json:"zap_logger"` // define zap logger usage
- // debug server info
+ // debug server info
 DebugAllowedIPs []string `json:"debug_allowed_ips"` // list of allowed IPs to view debug/profile info
 // Monit pieces
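Review bot: `debugHandler` hands every allowed request back to `http.DefaultServeMux.ServeHTTP(w, r)`, but the oauth.go and x509.go hunks register `debugHandler` itself on that same default mux at `/debug/`, so any request under `/debug/` that has no more specific registration (`/debug/` itself, or every path if the pprof/expvar side-effect imports are not present in this build, which the page does not show) is routed straight back into `debugHandler` and recurses until the goroutine exhausts its stack. Resolve the concrete handler with `http.DefaultServeMux.Handler(r)` and refuse to dispatch when the matched pattern is `/debug/`, as in the rewrite below. Separately, `isAllowedIP` compares the peer address as a string, so an IPv6 allow-list entry only matches when spelled exactly as Go prints it (`::1` versus `0:0:0:0:0:0:0:1`) and an IPv4-mapped form never matches; parsing both sides with `net.ParseIP` and comparing with `Equal` avoids that. Note that `r.RemoteAddr` is the TCP peer, which is the right thing to check here, but it means a reverse proxy in front of this process would make every client appear as the proxy's address.
```go
func isAllowedIP(r *http.Request) bool {
	// … unchanged: SplitHostPort on r.RemoteAddr and its error handling …
	peer := net.ParseIP(ip)
	if peer == nil {
		return false
	}
	for _, allowed := range Config.DebugAllowedIPs {
		// Equal treats an IPv4 literal and its IPv4-mapped IPv6 form as the same address
		if peer.Equal(net.ParseIP(allowed)) {
			return true
		}
	}
	return false
}

func debugHandler(w http.ResponseWriter, r *http.Request) {
	// … unchanged: isAllowedIP check and 403 response …
	h, pattern := http.DefaultServeMux.Handler(r)
	if pattern == "/debug/" {
		// nothing more specific is registered; dispatching would re-enter this handler
		http.NotFound(w, r)
		return
	}
	h.ServeHTTP(w, r)
}
```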
From 768de335fb9e5dce287219b8ee00d55e7c7d91ec Mon Sep 17 00:00:00 2001
From: "A. Pervaiz" <77356768+arooshap@users.noreply.github.com>
Date: Tue, 15 Oct 2024 12:14:33 +0200
Subject: [PATCH 3/4] Update oauth.go to fix spacing
---
 oauth.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/oauth.go b/oauth.go
index 89cf0c1..ac5964d 100644
--- a/oauth.go
+++ b/oauth.go
@@ -670,6 +670,7 @@ func oauthProxyServer() {
 // the callback authentication handler
 http.HandleFunc(fmt.Sprintf("%s/callback", Config.Base), oauthCallbackHandler)
+
 // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
 http.HandleFunc("/debug/", debugHandler)
From be296d0a9d71d028be88458d0367f3e1048670cc Mon Sep 17 00:00:00 2001
From: "A. Pervaiz" <77356768+arooshap@users.noreply.github.com>
Date: Tue, 15 Oct 2024 12:18:13 +0200
Subject: [PATCH 4/4] Update x509.go to fix spacing
---
 x509.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x509.go b/x509.go
index 2d51a9d..e11a07d 100644
--- a/x509.go
+++ b/x509.go
@@ -126,6 +126,7 @@ func x509ProxyServer() {
 // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
 http.HandleFunc("/debug/", debugHandler)
+
 // the request handler
 http.HandleFunc("/", x509RequestHandler)