{ "setUDPMultipleMessagesVectorSize", true, "n", "set the size of the vector passed to recvmmsg() to receive UDP messages. Default to 1 which means that the feature is disabled and recvmsg() is used instead" },
{ "setUDPTimeout", true, "n", "set the maximum time dnsdist will wait for a response from a backend over UDP, in seconds" },
{ "setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged" },
+ { "setWebserverConfig", true, "password [, apiKey [, customHeaders ]]", "Updates webserver configuration" },
{ "show", true, "string", "outputs `string`" },
{ "showACL", true, "", "show our ACL set" },
{ "showBinds", true, "", "show listening addresses (frontends)" },
SBind(sock, local);
SListen(sock, 5);
auto launch=[sock, local, password, apiKey, customHeaders]() {
- thread t(dnsdistWebserverThread, sock, local, password, apiKey ? *apiKey : "", customHeaders);
+ setWebserverConfig(password, apiKey, customHeaders);
+ thread t(dnsdistWebserverThread, sock, local);
t.detach();
};
if(g_launchWork)
});
+ g_lua.writeFunction("setWebserverConfig", [](const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders) {
+ setLuaSideEffect();
+ setWebserverConfig(password, apiKey, customHeaders);
+ });
+
g_lua.writeFunction("controlSocket", [client](const std::string& str) {
setLuaSideEffect();
ComboAddress local(str, 5199);
#include <boost/format.hpp>
bool g_apiReadWrite{false};
+WebserverConfig g_webserverConfig;
std::string g_apiConfigDirectory;
static bool apiWriteConfigFile(const string& filebasename, const string& content)
return req.url.path == "/jsonstat" || req.url.path == "/metrics";
}
-static bool compareAuthorization(const YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
+static bool compareAuthorization(const YaHTTP::Request& req)
{
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
if (isAnAPIRequest(req)) {
/* Access to the API requires a valid API key */
- if (checkAPIKey(req, expectedApiKey)) {
+ if (checkAPIKey(req, g_webserverConfig.apiKey)) {
return true;
}
- return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, expected_password);
+ return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, g_webserverConfig.password);
}
if (isAStatsRequest(req)) {
/* Access to the stats is allowed for both API and Web users */
- return checkAPIKey(req, expectedApiKey) || checkWebPassword(req, expected_password);
+ return checkAPIKey(req, g_webserverConfig.apiKey) || checkWebPassword(req, g_webserverConfig.password);
}
- return checkWebPassword(req, expected_password);
+ return checkWebPassword(req, g_webserverConfig.password);
}
static bool isMethodAllowed(const YaHTTP::Request& req)
return responseRules;
}
-static void connectionThread(int sock, ComboAddress remote, string password, string apiKey, const boost::optional<std::map<std::string, std::string> >& customHeaders)
+static void connectionThread(int sock, ComboAddress remote)
{
setThreadName("dnsdist/webConn");
resp.version = req.version;
const string charset = "; charset=utf-8";
- addCustomHeaders(resp, customHeaders);
- addSecurityHeaders(resp, customHeaders);
+ {
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
+ addCustomHeaders(resp, g_webserverConfig.customHeaders);
+ addSecurityHeaders(resp, g_webserverConfig.customHeaders);
+ }
/* indicate that the connection will be closed after completion of the response */
resp.headers["Connection"] = "close";
handleCORS(req, resp);
resp.status=200;
}
- else if (!compareAuthorization(req, password, apiKey)) {
+ else if (!compareAuthorization(req)) {
YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
if (header != req.headers.end())
errlog("HTTP Request \"%s\" from %s: Web Authentication failed", req.url.path, remote.toStringWithPort());
// Prometheus suggest using '_' instead of '-'
std::string prometheusMetricName = "dnsdist_" + boost::replace_all_copy(metricName, "-", "_");
- MetricDefinition metricDetails;
+ MetricDefinition metricDetails;
if (!g_metricDefinitions.getMetricDetails(metricName, metricDetails)) {
vinfolog("Do not have metric details for %s", metricName);
output << **dval;
else
output << (*boost::get<DNSDistStats::statfunction_t>(&std::get<1>(e)))(std::get<0>(e));
-
+
output << "\n";
}
output << "# TYPE " << statesbase << "order " << "gauge" << "\n";
output << "# HELP " << statesbase << "weight " << "The weight within the order in which this server is picked" << "\n";
output << "# TYPE " << statesbase << "weight " << "gauge" << "\n";
-
+
for (const auto& state : *states) {
string serverName;
-
+
if (state->name.empty())
serverName = state->remote.toStringWithPort();
else
auto localPools = g_pools.getLocal();
const string cachebase = "dnsdist_pool_";
-
+
for (const auto& entry : *localPools) {
string poolName = entry.first;
-
+
if (poolName.empty()) {
poolName = "_default_";
}
int num=0;
for(const auto& a : *localServers) {
string status;
- if(a->availability == DownstreamState::Availability::Up)
+ if(a->availability == DownstreamState::Availability::Up)
status = "UP";
- else if(a->availability == DownstreamState::Availability::Down)
+ else if(a->availability == DownstreamState::Availability::Down)
status = "DOWN";
- else
+ else
status = (a->upStatus ? "up" : "down");
Json::array pools;
for(const auto& p: a->pools)
pools.push_back(p);
- Json::object server{
+ Json::object server{
{"id", num++},
{"name", a->name},
{"address", a->remote.toStringWithPort()},
};
rules.push_back(rule);
}
-
+
auto responseRules = someResponseRulesToJson(&g_resprulactions);
auto cacheHitResponseRules = someResponseRulesToJson(&g_cachehitresprulactions);
auto selfAnsweredResponseRules = someResponseRulesToJson(&g_selfansweredresprulactions);
if(!localaddresses.empty()) localaddresses += ", ";
localaddresses += std::get<0>(loc).toStringWithPort();
}
-
+
Json my_json = Json::object {
{ "daemon_type", "dnsdist" },
{ "version", VERSION},
close(sock);
}
}
-void dnsdistWebserverThread(int sock, const ComboAddress& local, const std::string& password, const std::string& apiKey, const boost::optional<std::map<std::string, std::string> >& customHeaders)
+void setWebserverConfig(const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders)
+{
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
+ g_webserverConfig.password = password;
+ if (apiKey) {
+ g_webserverConfig.apiKey = *apiKey;
+ } else {
+ g_webserverConfig.apiKey.clear();
+ }
+ g_webserverConfig.customHeaders = customHeaders;
+}
+
+void dnsdistWebserverThread(int sock, const ComboAddress& local)
{
setThreadName("dnsdist/webserv");
warnlog("Webserver launched on %s", local.toStringWithPort());
ComboAddress remote(local);
int fd = SAccept(sock, remote);
vinfolog("Got connection from %s", remote.toStringWithPort());
- std::thread t(connectionThread, fd, remote, password, apiKey, customHeaders);
+ std::thread t(connectionThread, fd, remote);
t.detach();
}
catch(std::exception& e) {
std::shared_ptr<DownstreamState> chashed(const NumberedServerVector& servers, const DNSQuestion* dq);
std::shared_ptr<DownstreamState> roundrobin(const NumberedServerVector& servers, const DNSQuestion* dq);
-void dnsdistWebserverThread(int sock, const ComboAddress& local, const string& password, const string& apiKey, const boost::optional<std::map<std::string, std::string> >&);
+struct WebserverConfig
+{
+ std::string password;
+ std::string apiKey;
+ boost::optional<std::map<std::string, std::string> > customHeaders;
+ std::mutex lock;
+};
+
+void setWebserverConfig(const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders);
+void dnsdistWebserverThread(int sock, const ComboAddress& local);
bool getMsgLen32(int fd, uint32_t* len);
bool putMsgLen32(int fd, uint32_t len);
void* tcpAcceptorThread(void* p);
webserver("127.0.0.1:8080", "supersecret", "apikey", {["X-Frame-Options"]= "", ["X-Custom"]="custom"}
+Credentials can be changed over time using the :func:`setWebserverConfig` function.
+
dnsdist API
-----------
:param int size: The new maximum size.
-Webserver
-~~~~~~~~~
+Webserver configuration
+~~~~~~~~~~~~~~~~~~~~~~~
-.. function:: webServer(listen_address, password[, apikey[, custom_headers]])
+.. function:: webserver(listen_address, password[, apikey[, custom_headers]])
Launch the :doc:`../guides/webserver` with statistics and the API.
:param bool allow: Set to true to allow modification through the API
:param str dir: A valid directory where the configuration files will be written by the API.
+.. function:: setWebserverConfig(password[, apikey[, custom_headers]])
+
+ .. versionadded:: 1.3.3
+
+ Setup webserver configuration. See :func:`webserver`.
+
+ :param str password: The password required to access the webserver
+ :param str apikey: The key required to access the API
+ :param {[str]=str,...} custom_headers: Allows setting custom headers and removing the defaults
+
Access Control Lists
~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/env python
import os.path
+import base64
import json
import requests
from dnsdisttests import DNSDistTest
+
class TestAPIBasics(DNSDistTest):
_webTimeout = 2.0
"""
for path in self._basicOnlyPaths + self._statsPaths:
url = 'http://127.0.0.1:' + str(self._webServerPort) + path
+ r = requests.get(url, auth=('whatever', "evilsecret"), timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
self.assertTrue(r)
self.assertEquals(r.status_code, 200)
self.assertTrue(r)
self.assertEquals(r.status_code, 200)
+ def testWrongXAPIKey(self):
+ """
+ API: Wrong X-Api-Key
+ """
+ headers = {'x-api-key': "evilapikey"}
+ for path in self._apiOnlyPaths + self._statsPaths:
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + path
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
def testBasicAuthOnly(self):
"""
API: Basic Authentication Only
self.assertEquals(fileContent, """-- Generated by the REST API, DO NOT EDIT
setACL({"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"})
""")
+
+class TestAPIAuth(DNSDistTest):
+
+ _webTimeout = 2.0
+ _webServerPort = 8083
+ _webServerBasicAuthPassword = 'secret'
+ _webServerBasicAuthPasswordNew = 'password'
+ _webServerAPIKey = 'apisecret'
+ _webServerAPIKeyNew = 'apipassword'
+ # paths accessible using the API key only
+ _apiOnlyPath = '/api/v1/servers/localhost/config'
+ # paths accessible using basic auth only (list not exhaustive)
+ _basicOnlyPath = '/'
+ _consoleKey = DNSDistTest.generateConsoleKey()
+ _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
+ _config_template = """
+ setKey("%s")
+ controlSocket("127.0.0.1:%s")
+ setACL({"127.0.0.1/32", "::1/128"})
+ newServer{address="127.0.0.1:%s"}
+ webserver("127.0.0.1:%s", "%s", "%s")
+ """
+
+ def testBasicAuthChange(self):
+ """
+ API: Basic Authentication updating credentials
+ """
+
+ self.sendConsoleCommand('setWebserverConfig("{}")'.format(self._webServerBasicAuthPasswordNew))
+
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
+ r = requests.get(url, auth=('whatever', self._webServerBasicAuthPasswordNew), timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+
+ # Make sure the old password is not usable any more
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
+ r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
+
+ def testXAPIKeyChange(self):
+ """
+ API: X-Api-Key updating credentials
+ """
+
+ self.sendConsoleCommand('setWebserverConfig("{}", "{}")'.format(self._webServerBasicAuthPasswordNew, self._webServerAPIKeyNew))
+
+ headers = {'x-api-key': self._webServerAPIKeyNew}
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+
+ # Make sure the old password is not usable any more
+ headers = {'x-api-key': self._webServerAPIKey}
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
+
+ def testBasicAuthOnlyChange(self):
+ """
+ API: X-Api-Key updated to none (disabled)
+ """
+
+ self.sendConsoleCommand('setWebserverConfig("{}", "{}")'.format(self._webServerBasicAuthPasswordNew, self._webServerAPIKeyNew))
+
+ headers = {'x-api-key': self._webServerAPIKeyNew}
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+
+ # now disable apiKey
+ self.sendConsoleCommand('setWebserverConfig("{}")'.format(self._webServerBasicAuthPasswordNew))
+
+ headers = {'x-api-key': self._webServerAPIKeyNew}
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ r = requests.get(url, headers=headers, timeout=self._webTimeout)
+ self.assertEquals(r.status_code, 401)
projects / pdns / commitdiff