diff --git a/api_auth_docker/Dockerfile b/api_auth_docker/Dockerfile index 09001ba..c1db73b 100644 --- a/api_auth_docker/Dockerfile +++ b/api_auth_docker/Dockerfile @@ -15,6 +15,7 @@ COPY keys.properties /etc/nginx/conf.d COPY api.properties /etc/nginx/conf.d COPY trace.sh /etc/nginx/conf.d COPY tests.sh /etc/nginx/conf.d +COPY ip-whitelist.conf /etc/nginx/conf.d RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh diff --git a/api_auth_docker/README.md b/api_auth_docker/README.md index aab527d..ddb6a77 100644 --- a/api_auth_docker/README.md +++ b/api_auth_docker/README.md @@ -34,6 +34,19 @@ kapi_id="006";kapi_key="19e121b698014fac638f772c4ff5775a738856bf6cbdef0dc8897105 You can have multiple keys, but be aware that this container has **not** been built to support thousands of API keys! **Cyphernode should be used locally**, not publicly as a service. +## IP Addresses Whitelist (**do not use for now**) +**Docker Swarm obfuscates real client IP, this feature is not ready for now** + +You can have an IP whitelist policy, denying everything except the explicit IP addresses you need. Edit ip-whitelist.conf file: + +```conf +# Leave commented if you don't want to use IP whitelist + +# List of white listed IP addresses... +#allow 45.56.67.78; +#deny all; +``` + ## SSL If you already have your certificates and keystores infra, you already know what to do and your can skip this section. Put your files in the bound volume (~/cyphernode-ssl/ see volume path in docker-compose.yml). diff --git a/api_auth_docker/auth.sh b/api_auth_docker/auth.sh index 7634b7a..ac2bf0d 100644 --- a/api_auth_docker/auth.sh +++ b/api_auth_docker/auth.sh 
@@ -39,7 +39,14 @@ verify_sign() if [ ${exp} -gt ${current} ]; then trace "[verify_sign] Not expired, let's validate signature" local id=$(echo ${payload} | jq ".id" | tr -d '"') - trace "[verify_sign] id=${id}" + trace "[verify_sign] id=${id}" + + # Check for code injection + # id will usually be an int, but could be alphanum... nothing else + if ! [[ $id =~ '^[A-Za-z0-9]$']]; then + trace "[verify_sign] Potential code injection, exiting" + return 1 + fi # It is so much faster to include the keys here instead of grep'ing the file for key. . ./keys.properties @@ -78,6 +85,14 @@ verify_group() local id=${1} local action=${REQUEST_URI:1} + trace "[verify_group] action=${action}" + + # Check for code injection + # action could be alphanum... nothing else + if ! [[ $action =~ '^[A-Za-z]$']]; then + trace "[verify_group] Potential code injection, exiting" + return 1 + fi # It is so much faster to include the keys here instead of grep'ing the file for key. . ./api.properties diff --git a/api_auth_docker/default-ssl.conf b/api_auth_docker/default-ssl.conf index 07735d4..36edeeb 100644 --- a/api_auth_docker/default-ssl.conf +++ b/api_auth_docker/default-ssl.conf @@ -2,6 +2,8 @@ server { listen 443 ssl; server_name localhost; + include /etc/nginx/conf.d/ip-whitelist.conf; + ssl_certificate /etc/ssl/certs/cert.pem; ssl_certificate_key /etc/ssl/private/key.pem; diff --git a/api_auth_docker/default.conf b/api_auth_docker/default.conf index dd4b951..fca3c1b 100644 --- a/api_auth_docker/default.conf +++ b/api_auth_docker/default.conf @@ -2,6 +2,8 @@ server { listen 80; server_name localhost; + include /etc/nginx/conf.d/ip-whitelist.conf; + location / { auth_request /auth; proxy_pass http://cyphernode:8888; diff --git a/api_auth_docker/ip-whitelist.conf b/api_auth_docker/ip-whitelist.conf new file mode 100644 index 0000000..aa6e2c4 --- /dev/null +++ b/api_auth_docker/ip-whitelist.conf 
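Review bot: The new id check in verify_sign cannot work as written: `'^[A-Za-z0-9]$']]` has no space before `]]`, so the `[[` is never closed and bash rejects the conditional; a quoted right-hand side of `=~` is matched as a literal string rather than a regex; and without a `+` quantifier the pattern accepts only a one-character id, which would refuse an id such as the `006` shown in the README. The check added to verify_group later in this file has the same three problems. A form that does not depend on bash regex support is `case "${id}" in ''|*[!A-Za-z0-9]*) trace "[verify_sign] Potential code injection, exiting"; return 1;; esac`; if the script is guaranteed to run under bash, `local re='^[A-Za-z0-9]+$'` followed by `if ! [[ ${id} =~ ${re} ]]; then` also works. The id is written to the trace log one line before it is validated, so moving that trace below the check keeps unvalidated input out of the log. verify_sign's body starts and ends outside the hunk.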
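Review bot: The character class in the verify_group check, `[A-Za-z]`, is narrower than the comment above it ("action could be alphanum"), and `action` is `${REQUEST_URI:1}`, i.e. everything after the leading slash of the request URI. Any request whose URI carries a digit, an underscore, a further path segment or a query string would be refused, so the accepted set should be checked against the action names in api.properties (not visible here) before the pattern is settled. If the group lookup only needs the first path segment, one option is to validate that segment alone, e.g. `local verb=${action%%[/?]*}` matched against a pattern stored in a variable such as `'^[A-Za-z0-9_]+$'`; this is a suggestion to confirm against how `action` is used after `. ./api.properties`. As in verify_sign, the raw value is traced before it is validated. The function body starts and ends outside the hunk.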
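Review bot: The file included here lives in /etc/nginx/conf.d with a `.conf` suffix, so if the image keeps the stock `include /etc/nginx/conf.d/*.conf;` in its http block (nginx.conf is not part of this diff), ip-whitelist.conf is loaded at http level as well as by this server-level include and the identical one added to default.conf. With every line commented that is harmless, but once the directives are enabled the policy is defined in more than one place. Consider giving the file a name the glob does not match (for example a different suffix) and documenting it with a comment such as `# Access policy: included explicitly by each server block`, so the allow list has a single, visible point of inclusion.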
@@ -0,0 +1,8 @@
+# Leave commented if you don't want to use IP whitelist
+
+#real_ip_header X-Forwarded-For;
+#set_real_ip_from 0.0.0.0/0;
+
+# List of white listed IP addresses...
+#allow 45.56.67.78;
+#deny all;
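Review bot: The commented template pairs `real_ip_header X-Forwarded-For` with `set_real_ip_from 0.0.0.0/0`, which tells nginx to accept that header from any peer; a user who uncomments these lines together with `allow`/`deny` gets an allow list evaluated against a client-supplied value rather than the connection's address. The trusted range should be only the proxy or ingress network that actually sets the header, e.g. `#set_real_ip_from <INGRESS_NETWORK_CIDR>;` (placeholder), with a comment line such as `# Only trust X-Forwarded-For from your own proxy network, never 0.0.0.0/0`. The README section added in the same commit shows this file without the two real_ip lines, so the two copies of the template already differ and should be brought in line.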