# HG changeset patch
# User Kim Alvefur
# Date 1699208566 -3600
# Node ID 09233b625cb997b86cf1b4918f0c3a844604312f
# Parent 429be658c0bb3c3e617d519d181f9afa5c508bde
mod_http_health: Copypaste IP access control code
diff -r 429be658c0bb -r 09233b625cb9 mod_http_health/README.md
--- a/mod_http_health/README.md Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/README.md Sun Nov 05 19:22:46 2023 +0100
@@ -12,6 +12,22 @@
 }
 ```
+## Access control
+
+By default only access via localhost is allowed. This can be adjusted with `http_health_allow_ips`. The following example shows the default:
+
+```
+http_health_allow_ips = { "::1"; "127.0.0.1" }
+```
+
+Access can also be granted to one IP range via CIDR notation:
+
+```
+http_health_allow_cidr = "172.17.2.0/24"
+```
+
+The default for `http_health_allow_cidr` is empty.
+
 # Details
 Adds a `http://your.prosody.example:5280/health` endpoint that returns either HTTP status code 200 when all appears to be good or 500 when any module
diff -r 429be658c0bb -r 09233b625cb9 mod_http_health/mod_http_health.lua
--- a/mod_http_health/mod_http_health.lua Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/mod_http_health.lua Sun Nov 05 19:22:46 2023 +0100
@@ -1,11 +1,29 @@
 module:set_global();
+local ip = require "util.ip";
 local modulemanager = require "core.modulemanager";
+local permitted_ips = module:get_option_set("http_health_allow_ips", { "::1", "127.0.0.1" });
+local permitted_cidr = module:get_option_string("http_health_allow_cidr");
+
+local function is_permitted(request)
+ local ip_raw = request.ip;
+ if permitted_ips:contains(ip_raw) or
+ (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then
+ return true;
+ end
+ return false;
+end
+
 module:provides("http", {
 route = {
- GET = function()
+ GET = function(event)
+ local request = event.request;
+ if not is_permitted(request) then
+ return 403; -- Forbidden
+ end
+
 for host in pairs(prosody.hosts) do
 local mods = modulemanager.get_modules(host);
 for _, mod in pairs(mods) do
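Review bot: In `is_permitted`, `ip.parse_cidr(permitted_cidr)` runs on every request that is not already in `permitted_ips`, so a malformed `http_health_allow_cidr` is only noticed when such a client hits `/health`, where it presumably surfaces as a handler error rather than a clean 403. Parsing once at load makes a bad value fail at startup: `local cidr_ip, cidr_bits; if permitted_cidr then cidr_ip, cidr_bits = ip.parse_cidr(permitted_cidr); end`, then `ip.match(ip.new_ip(ip_raw), cidr_ip, cidr_bits)` in the check. The whole decision also rests on `request.ip`, which this hunk does not show being set. A comment such as `-- request.ip must be the real client address; behind a local reverse proxy the loopback defaults may match every proxied request` would tell operators to verify their proxy setup before relying on the default allowlist. The GET handler's body continues past the end of the hunk.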