changeset 5689:09233b625cb9
mod_http_health: Copypaste IP access control code
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 05 Nov 2023 19:22:46 +0100 |
parents | 429be658c0bb |
children | ea6c18ec0669 |
files | mod_http_health/README.md mod_http_health/mod_http_health.lua |
diffstat | 2 files changed, 35 insertions(+), 1 deletions(-) [+] |
--- a/mod_http_health/README.md Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/README.md Sun Nov 05 19:22:46 2023 +0100
@@ -12,6 +12,22 @@
 }
 ```
+## Access control
+
+By default only access via localhost is allowed. This can be adjusted with `http_health_allow_ips`. The following example shows the default:
+
+```
+http_health_allow_ips = { "::1"; "127.0.0.1" }
+```
+
+Access can also be granted to one IP range via CIDR notation:
+
+```
+http_health_allow_cidr = "172.17.2.0/24"
+```
+
+The default for `http_health_allow_cidr` is empty.
+
 # Details
 Adds a `http://your.prosody.example:5280/health` endpoint that returns either HTTP status code 200 when all appears to be good or 500 when any module
--- a/mod_http_health/mod_http_health.lua Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/mod_http_health.lua Sun Nov 05 19:22:46 2023 +0100
@@ -1,11 +1,29 @@
 module:set_global();
+local ip = require "util.ip";
 local modulemanager = require "core.modulemanager";
+local permitted_ips = module:get_option_set("http_health_allow_ips", { "::1", "127.0.0.1" });
+local permitted_cidr = module:get_option_string("http_health_allow_cidr");
+
+local function is_permitted(request)
+ local ip_raw = request.ip;
+ if permitted_ips:contains(ip_raw) or
+ (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then
+ return true;
+ end
+ return false;
+end
+
 module:provides("http", {
 route = {
- GET = function()
+ GET = function(event)
+ local request = event.request;
+ if not is_permitted(request) then
+ return 403; -- Forbidden
+ end
+
 for host in pairs(prosody.hosts) do
 local mods = modulemanager.get_modules(host);
 for _, mod in pairs(mods) do
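Review bot: In `is_permitted`, `ip.parse_cidr(permitted_cidr)` runs on every request and its result is passed straight to `ip.match` together with `ip.new_ip(ip_raw)`, so a malformed `http_health_allow_cidr` is never reported at load time; if either call returns nil for bad input (util.ip is not visible in this hunk), the failure shows up only when the endpoint is probed. Parse the CIDR once next to the option reads, log an invalid value, and have `is_permitted` deny whenever no valid network or client address is available, as sketched below. The allow decision also rests entirely on `request.ip`: behind a reverse proxy on the same host that value may be the proxy's loopback address unless the HTTP layer rewrites it, in which case the localhost default would match every proxied client, so a comment naming that dependency belongs next to `is_permitted`. The GET handler's body continues past the end of the hunk.

```lua
local permitted_cidr = module:get_option_string("http_health_allow_cidr");

-- Parse once at load so a bad value is reported at startup rather than on the first probe.
local cidr_net, cidr_bits;
if permitted_cidr then
	cidr_net, cidr_bits = ip.parse_cidr(permitted_cidr);
	if not cidr_net then
		module:log("error", "Invalid http_health_allow_cidr: %s", permitted_cidr);
	end
end

local function is_permitted(request)
	-- NOTE: request.ip is whatever the HTTP layer reports as the client address;
	-- confirm how it is derived when a reverse proxy sits in front.
	local ip_raw = request.ip;
	if permitted_ips:contains(ip_raw) then
		return true;
	end
	if not cidr_net then
		return false; -- no valid CIDR configured: deny
	end
	local client = ip.new_ip(ip_raw);
	return client ~= nil and ip.match(client, cidr_net, cidr_bits);
end

-- … unchanged: module:provides("http", …) and the GET handler …
```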