app/vmauth: add ability to protect /-/reload endpoint with authKey

This commit is contained in:
Aliaksandr Valialkin 2021-05-20 18:46:12 +03:00
parent b5f22f58cd
commit 6139f6ed6d
3 changed files with 14 additions and 0 deletions


@ -109,6 +109,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`. Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
## Monitoring ## Monitoring
@ -232,6 +234,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
Auth key for /metrics. It overrides httpAuth settings Auth key for /metrics. It overrides httpAuth settings
-pprofAuthKey string -pprofAuthKey string
Auth key for /debug/pprof. It overrides httpAuth settings Auth key for /debug/pprof. It overrides httpAuth settings
-reloadAuthKey string
Auth key for /-/reload http endpoint. It must be passed as authKey=...
-tls -tls
Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
-tlsCertFile string -tlsCertFile string


@ -20,6 +20,7 @@ import (
var ( var (
httpListenAddr = flag.String("httpListenAddr", ":8427", "TCP address to listen for http connections") httpListenAddr = flag.String("httpListenAddr", ":8427", "TCP address to listen for http connections")
maxIdleConnsPerBackend = flag.Int("maxIdleConnsPerBackend", 100, "The maximum number of idle connections vmauth can open per each backend host") maxIdleConnsPerBackend = flag.Int("maxIdleConnsPerBackend", 100, "The maximum number of idle connections vmauth can open per each backend host")
reloadAuthKey = flag.String("reloadAuthKey", "", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
) )
func main() { func main() {
@ -51,6 +52,11 @@ func main() {
func requestHandler(w http.ResponseWriter, r *http.Request) bool { func requestHandler(w http.ResponseWriter, r *http.Request) bool {
switch r.URL.Path { switch r.URL.Path {
case "/-/reload": case "/-/reload":
authKey := r.FormValue("authKey")
if authKey != *reloadAuthKey {
httpserver.Errorf(w, r, "invalid authKey %q. It must match the value from -reloadAuthKey command line flag", authKey)
return true
}
configReloadRequests.Inc() configReloadRequests.Inc()
procutil.SelfSIGHUP() procutil.SelfSIGHUP()
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
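Review bot: The key check `if authKey != *reloadAuthKey {` compares the shared secret with a plain string `!=`, which short-circuits on the first mismatching byte, and the error path then echoes the client-supplied value back via `httpserver.Errorf(w, r, "invalid authKey %q ...", authKey)`, so a mistyped real key lands in the response and, presumably, in the server log. I would compare in constant time and drop the reflected value: `if subtle.ConstantTimeCompare([]byte(authKey), []byte(*reloadAuthKey)) != 1 {` followed by `httpserver.Errorf(w, r, "invalid authKey; it must match the value from -reloadAuthKey command line flag")`, with `crypto/subtle` added to the imports. Note also that with the flag at its default `""` the check accepts any request that omits `authKey`, so the endpoint is unauthenticated unless the operator sets the flag — a one-line comment above the check, `// An empty -reloadAuthKey leaves /-/reload unprotected; the comparison below only guards when the flag is set.`, would make that explicit for the next reader, and the docs could state "off by default" rather than just "recommended". Since `r.FormValue` also reads the query string, operators should be told to send the key in a POST body or header rather than in the URL, where it is likely to end up in proxy and access logs. The `/-/reload` case and `requestHandler` continue past the end of this hunk.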


@ -113,6 +113,8 @@ Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable
Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`. Alternatively, [https termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) may be put in front of `vmauth`.
It is recommended protecting `/-/reload` endpoint with `-reloadAuthKey` command-line flag, so external users couldn't trigger config reload.
## Monitoring ## Monitoring
@ -236,6 +238,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
Auth key for /metrics. It overrides httpAuth settings Auth key for /metrics. It overrides httpAuth settings
-pprofAuthKey string -pprofAuthKey string
Auth key for /debug/pprof. It overrides httpAuth settings Auth key for /debug/pprof. It overrides httpAuth settings
-reloadAuthKey string
Auth key for /-/reload http endpoint. It must be passed as authKey=...
-tls -tls
Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set
-tlsCertFile string -tlsCertFile string