Support reloading allowed stats IPs.
This commit is contained in:
parent
be66d9425b
commit
2a1fd2e018
3 changed files with 44 additions and 10 deletions
|
@ -68,7 +68,7 @@ type BackendServer struct {
|
||||||
turnvalid time.Duration
|
turnvalid time.Duration
|
||||||
turnservers []string
|
turnservers []string
|
||||||
|
|
||||||
statsAllowedIps *AllowedIps
|
statsAllowedIps atomic.Pointer[AllowedIps]
|
||||||
invalidSecret []byte
|
invalidSecret []byte
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -120,7 +120,7 @@ func NewBackendServer(config *goconf.ConfigFile, hub *Hub, version string) (*Bac
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return &BackendServer{
|
result := &BackendServer{
|
||||||
hub: hub,
|
hub: hub,
|
||||||
events: hub.events,
|
events: hub.events,
|
||||||
roomSessions: hub.roomSessions,
|
roomSessions: hub.roomSessions,
|
||||||
|
@ -131,9 +131,27 @@ func NewBackendServer(config *goconf.ConfigFile, hub *Hub, version string) (*Bac
|
||||||
turnvalid: turnvalid,
|
turnvalid: turnvalid,
|
||||||
turnservers: turnserverslist,
|
turnservers: turnserverslist,
|
||||||
|
|
||||||
statsAllowedIps: statsAllowedIps,
|
invalidSecret: invalidSecret,
|
||||||
invalidSecret: invalidSecret,
|
}
|
||||||
}, nil
|
|
||||||
|
result.statsAllowedIps.Store(statsAllowedIps)
|
||||||
|
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *BackendServer) Reload(config *goconf.ConfigFile) {
|
||||||
|
statsAllowed, _ := config.GetString("stats", "allowed_ips")
|
||||||
|
if statsAllowedIps, err := ParseAllowedIps(statsAllowed); err == nil {
|
||||||
|
if !statsAllowedIps.Empty() {
|
||||||
|
log.Printf("Only allowing access to the stats endpoint from %s", statsAllowed)
|
||||||
|
} else {
|
||||||
|
log.Printf("No IPs configured for the stats endpoint, only allowing access from 127.0.0.1")
|
||||||
|
statsAllowedIps = DefaultAllowedIps()
|
||||||
|
}
|
||||||
|
b.statsAllowedIps.Store(statsAllowedIps)
|
||||||
|
} else {
|
||||||
|
log.Printf("Error parsing allowed stats ips from \"%s\": %s", statsAllowedIps, err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *BackendServer) Start(r *mux.Router) error {
|
func (b *BackendServer) Start(r *mux.Router) error {
|
||||||
|
@ -899,7 +917,8 @@ func (b *BackendServer) allowStatsAccess(r *http.Request) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
return b.statsAllowedIps.Allowed(ip)
|
allowed := b.statsAllowedIps.Load()
|
||||||
|
return allowed != nil && allowed.Allowed(ip)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *BackendServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
func (b *BackendServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
||||||
|
|
|
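Review bot: The error branch of the new BackendServer.Reload logs the wrong value: `log.Printf("Error parsing allowed stats ips from \"%s\": %s", statsAllowedIps, err)` formats the `*AllowedIps` result of the failed parse, which carries nothing useful on the error path, instead of the configured string; the argument should be `statsAllowed`. The identical line appears in ProxyServer.Reload in the next file. Because `Store` is only reached on a successful parse, a bad value on SIGHUP appears to leave the previously stored list in effect rather than reverting to the default; that is a sensible fail-safe for an access-control list but deserves a comment above the `else`, e.g. `// On a parse error keep the previously stored list; do not touch the ACL.` The nil check added to allowStatsAccess denies access until a list has been stored, which is the right default for the stats endpoint.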
@ -111,7 +111,7 @@ type ProxyServer struct {
|
||||||
upgrader websocket.Upgrader
|
upgrader websocket.Upgrader
|
||||||
|
|
||||||
tokens ProxyTokens
|
tokens ProxyTokens
|
||||||
statsAllowedIps *signaling.AllowedIps
|
statsAllowedIps atomic.Pointer[signaling.AllowedIps]
|
||||||
trustedProxies atomic.Pointer[signaling.AllowedIps]
|
trustedProxies atomic.Pointer[signaling.AllowedIps]
|
||||||
|
|
||||||
sid atomic.Uint64
|
sid atomic.Uint64
|
||||||
|
@ -319,8 +319,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
|
||||||
WriteBufferSize: websocketWriteBufferSize,
|
WriteBufferSize: websocketWriteBufferSize,
|
||||||
},
|
},
|
||||||
|
|
||||||
tokens: tokens,
|
tokens: tokens,
|
||||||
statsAllowedIps: statsAllowedIps,
|
|
||||||
|
|
||||||
cookie: securecookie.New(hashKey, blockKey).MaxAge(0),
|
cookie: securecookie.New(hashKey, blockKey).MaxAge(0),
|
||||||
sessions: make(map[uint64]*ProxySession),
|
sessions: make(map[uint64]*ProxySession),
|
||||||
|
@ -335,6 +334,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
|
||||||
remoteConnections: make(map[string]*RemoteConnection),
|
remoteConnections: make(map[string]*RemoteConnection),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
result.statsAllowedIps.Store(statsAllowedIps)
|
||||||
result.trustedProxies.Store(trustedProxiesIps)
|
result.trustedProxies.Store(trustedProxiesIps)
|
||||||
result.upgrader.CheckOrigin = result.checkOrigin
|
result.upgrader.CheckOrigin = result.checkOrigin
|
||||||
|
|
||||||
|
@ -548,6 +548,19 @@ func (s *ProxyServer) ScheduleShutdown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *ProxyServer) Reload(config *goconf.ConfigFile) {
|
func (s *ProxyServer) Reload(config *goconf.ConfigFile) {
|
||||||
|
statsAllowed, _ := config.GetString("stats", "allowed_ips")
|
||||||
|
if statsAllowedIps, err := signaling.ParseAllowedIps(statsAllowed); err == nil {
|
||||||
|
if !statsAllowedIps.Empty() {
|
||||||
|
log.Printf("Only allowing access to the stats endpoint from %s", statsAllowed)
|
||||||
|
} else {
|
||||||
|
log.Printf("No IPs configured for the stats endpoint, only allowing access from 127.0.0.1")
|
||||||
|
statsAllowedIps = signaling.DefaultAllowedIps()
|
||||||
|
}
|
||||||
|
s.statsAllowedIps.Store(statsAllowedIps)
|
||||||
|
} else {
|
||||||
|
log.Printf("Error parsing allowed stats ips from \"%s\": %s", statsAllowedIps, err)
|
||||||
|
}
|
||||||
|
|
||||||
trustedProxies, _ := config.GetString("app", "trustedproxies")
|
trustedProxies, _ := config.GetString("app", "trustedproxies")
|
||||||
if trustedProxiesIps, err := signaling.ParseAllowedIps(trustedProxies); err == nil {
|
if trustedProxiesIps, err := signaling.ParseAllowedIps(trustedProxies); err == nil {
|
||||||
if !trustedProxiesIps.Empty() {
|
if !trustedProxiesIps.Empty() {
|
||||||
|
@ -1396,7 +1409,8 @@ func (s *ProxyServer) allowStatsAccess(r *http.Request) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.statsAllowedIps.Allowed(ip)
|
allowed := s.statsAllowedIps.Load()
|
||||||
|
return allowed != nil && allowed.Allowed(ip)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *ProxyServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
func (s *ProxyServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
||||||
|
|
|
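Review bot: The block added at the top of ProxyServer.Reload is a line-for-line copy of BackendServer.Reload, and judging by the `Store` calls in both constructors the same parse-default-log sequence also lives in NewBackendServer and NewProxyServer, so the stats allow-list policy is now spelled out in four places that must stay in sync. Moving it into one helper in the signaling package (a constructed name, e.g. `LoadStatsAllowedIps(config *goconf.ConfigFile) (*AllowedIps, error)`) that reads `stats.allowed_ips`, substitutes `DefaultAllowedIps()` for an empty list and emits the two log lines would let both Reload methods reduce to a parse-or-keep-previous check, and would fix the mis-logged error argument in one spot. The trustedProxies reload directly below follows the same shape and could use the same helper with different section keys. The rest of ProxyServer.Reload continues outside the hunk.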
@ -417,6 +417,7 @@ loop:
|
||||||
log.Printf("Could not read configuration from %s: %s", *configFlag, err)
|
log.Printf("Could not read configuration from %s: %s", *configFlag, err)
|
||||||
} else {
|
} else {
|
||||||
hub.Reload(config)
|
hub.Reload(config)
|
||||||
|
server.Reload(config)
|
||||||
}
|
}
|
||||||
case syscall.SIGUSR1:
|
case syscall.SIGUSR1:
|
||||||
log.Printf("Received SIGUSR1, scheduling server to shutdown")
|
log.Printf("Received SIGUSR1, scheduling server to shutdown")
|
||||||
|
|