From 6139f6ed6dc1ba0f87e8cc9f695edd68e2f05e09 Mon Sep 17 00:00:00 2001
From: Aliaksandr Valialkin
Date: Thu, 20 May 2021 18:46:12 +0300
Subject: [PATCH] app/vmauth: add ability to protect `/-/reload` endpoint with authKey

---
 app/vmauth/README.md | 4 ++++
 app/vmauth/main.go | 6 ++++++
 docs/vmauth.md | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/app/vmauth/README.md b/app/vmauth/README.md
index 6340d2275..335c2804e 100644
--- a/app/vmauth/README.md
+++ b/app/vmauth/README.md
@@ -109,6 +109,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
 Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
+It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
+
 ## Monitoring
@@ -232,6 +234,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
 Auth key for /metrics. It overrides httpAuth settings
 -pprofAuthKey string
 Auth key for /debug/pprof. It overrides httpAuth settings
+ -reloadAuthKey string
+ Auth key for /-/reload http endpoint. It must be passed as authKey=...
 -tls
 Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
 -tlsCertFile string
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 2d3b5e15f..2825a93dc 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -20,6 +20,7 @@ import (
 var (
 httpListenAddr = flag.String("httpListenAddr", ":8427", "TCP address to listen for http connections")
 maxIdleConnsPerBackend = flag.Int("maxIdleConnsPerBackend", 100, "The maximum number of idle connections vmauth can open per each backend host")
+ reloadAuthKey = flag.String("reloadAuthKey", "", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
 )
 func main() {
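Review bot: The help text of the new `reloadAuthKey` flag does not say what its empty default means, yet the check added in the following hunk compares the request's `authKey` form value directly against `*reloadAuthKey`, so with the flag unset a request carrying no `authKey` reads as `""` and passes — the endpoint stays callable by anyone who reaches the listener, and an operator reading `-help` cannot tell that from this string. Suggest `"Auth key for /-/reload http endpoint. It must be passed as authKey=... Leave empty to disable the check; /-/reload is then unauthenticated"`. The `var (` block is fully inside the hunk; `main()` begins on its last line and continues outside it.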
@@ -51,6 +52,11 @@ func main() {
 func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 switch r.URL.Path {
 case "/-/reload":
+ authKey := r.FormValue("authKey")
+ if authKey != *reloadAuthKey {
+ httpserver.Errorf(w, r, "invalid authKey %q. It must match the value from -reloadAuthKey command line flag", authKey)
+ return true
+ }
 configReloadRequests.Inc()
 procutil.SelfSIGHUP()
 w.WriteHeader(http.StatusOK)
diff --git a/docs/vmauth.md b/docs/vmauth.md
index 2245da966..48c597c62 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -113,6 +113,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
 Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
+It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
+
 ## Monitoring
@@ -236,6 +238,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
 Auth key for /metrics. It overrides httpAuth settings
 -pprofAuthKey string
 Auth key for /debug/pprof. It overrides httpAuth settings
+ -reloadAuthKey string
+ Auth key for /-/reload http endpoint. It must be passed as authKey=...
 -tls
 Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
 -tlsCertFile string
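Review bot: The rejection path in the new `case "/-/reload"` branch reflects the caller-supplied key back through `%q` in the error text, so a secret sent here by mistake (for instance a key meant for `-metricsAuthKey` or `-pprofAuthKey`) is returned to the client and, if `httpserver.Errorf` also logs as its name suggests, written to the vmauth log; the comparison is also a plain `!=` rather than a constant-time one. Suggest `if subtle.ConstantTimeCompare([]byte(authKey), []byte(*reloadAuthKey)) != 1 {` and `httpserver.Errorf(w, r, "invalid or missing authKey. It must match the value from -reloadAuthKey command line flag")`, with `crypto/subtle` added to the import block. Note that with the flag at its empty default a request without `authKey` also reads as `""` and passes, so the endpoint stays open until the operator sets the flag — consistent with the README's "recommended", but a one-line startup log when `*reloadAuthKey == ""` would make the unprotected state visible. `requestHandler` begins in this hunk and its body continues past the last line shown.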