Software /
code /
prosody-modules
Changeset
5702:e274431bf4ce
mod_http_status: Add IP allowlisting capabilities
Based on mod_http_openmetrics
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 25 Oct 2023 17:18:50 +0200 (14 months ago) |
parents | 5701:0cffeff2cd1d |
children | 5703:b43c989fb69c |
files | mod_http_status/README.md mod_http_status/mod_http_status.lua |
diffstat | 2 files changed, 32 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_status/README.md Wed Oct 25 15:36:20 2023 +0200 +++ b/mod_http_status/README.md Wed Oct 25 17:18:50 2023 +0200 @@ -13,3 +13,19 @@ } ``` +# Configuration + + +By default only access via localhost is allowed. This can be adjusted with `http_status_allow_ips`. The following example shows the default: + +``` +http_status_allow_ips = { "::1"; "127.0.0.1" } +``` + +Access can also be granted to one IP range via CIDR notation: + +``` +http_status_allow_cidr = "172.17.2.0/24" +``` + +The default for `http_status_allow_cidr` is empty.
--- a/mod_http_status/mod_http_status.lua Wed Oct 25 15:36:20 2023 +0200 +++ b/mod_http_status/mod_http_status.lua Wed Oct 25 17:18:50 2023 +0200 @@ -2,13 +2,29 @@ local json = require "util.json"; local datetime = require "util.datetime".datetime; +local ip = require "util.ip"; local modulemanager = require "core.modulemanager"; +local permitted_ips = module:get_option_set("http_status_allow_ips", { "::1", "127.0.0.1" }); +local permitted_cidr = module:get_option_string("http_status_allow_cidr"); + +local function is_permitted(request) + local ip_raw = request.ip; + if permitted_ips:contains(ip_raw) or + (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then + return true; + end + return false; +end + module:provides("http", { route = { GET = function(event) local request, response = event.request, event.response; + if not is_permitted(request) then + return 403; -- Forbidden + end response.headers.content_type = "application/json"; local resp = { ["*"] = true };