Restrict access to JSON-RPC API based on client IP address #1861
@davidebeatrici @chipitsine can you take a look at this?
I think
Personally, I think that any reverse proxy in front of the API would help. On the other side, if someone wants to maintain code inside SE VPN itself ... why not
A reverse proxy in front of the VPN server would break certificate auth (possibly more) for the HTTPS-based SoftEther protocol, which is served on the same port as the API. There seems to be no way to separate the API from the HTTPS-based VPN protocol.
I agree. IP address-based restriction by
While I do agree that
If someone can describe the best way to deal with these concerns, I will try to rewrite the pull request to use the
Please commit this update, because: 🙏
So if an advanced user wants to use the JsonRpcWebApi, first he should learn more about it to configure it, because the current default behaviour is very insecure. Also the value of (I've accidentally found this unmerged ticket and had to realize: my own config is also set to allow JsonRpc! 😨 And there is no easy way to determine if anybody has already gained access to my server through it?)
Currently one can either disable the JSON-RPC API entirely (DisableJsonRpcWebApi config variable) or allow it to be accessed via the VPN server's public endpoint by anyone, protected only by a password. Due to security considerations it might be undesirable to expose the JSON-RPC API on a public endpoint, even with password protection.

This PR adds a server config variable named JsonRpcWebApiAllowedSubnet. It can contain a subnet address in CIDR notation, such as 192.168.0.0/16. When set, only clients from this subnet can access the JSON-RPC API; for others, the server behaves as if DisableJsonRpcWebApi were set to true.

By default, JsonRpcWebApiAllowedSubnet is not set, i.e. it contains a zero subnet address, which is represented in the config file as ::/0.

This PR partially resolves #1140.
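The following is an added illustration of the access rule the PR description lays out, written here as a standalone Python model; it is not SoftEther's own code (SoftEther is written in C) and not part of this pull request. It assumes the two variables are available as plain strings, treats "::/0" and an empty value as "not set" (meaning no IP restriction, as the description states), and additionally unwraps IPv4-mapped IPv6 client addresses (::ffff:a.b.c.d) so that an IPv4 subnet still matches IPv4 clients reported through a dual-stack listener; that unwrapping is an assumption, not something the PR specifies. Malformed CIDR values raise at config-load time rather than silently admitting or denying every client.

```python
import ipaddress
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The PR represents "not set" as ::/0; treating an empty string the same way
# is an assumption of this example.
UNSET_SUBNET_VALUES = {"", "::/0"}


def parse_allowed_subnet(value: Optional[str]) -> Optional[Network]:
    """Parse a JsonRpcWebApiAllowedSubnet value.

    Returns None when the variable is unset (no IP-based restriction),
    otherwise the parsed network. Raises ValueError on malformed input so
    a typo is caught when the config is loaded, not on the first request.
    """
    if value is None or value.strip() in UNSET_SUBNET_VALUES:
        return None
    # strict=False tolerates host bits (192.168.1.1/24) and masks them off.
    return ipaddress.ip_network(value.strip(), strict=False)


def _normalise_client(addr: str) -> Address:
    """Turn a client address string into an address object.

    Dual-stack listeners commonly report IPv4 peers as IPv4-mapped IPv6
    addresses; unwrapping them lets an IPv4 subnet match (assumption).
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_in_subnet(client_addr: str, subnet: Optional[Network]) -> bool:
    """True if the client may use the API under the given subnet setting."""
    if subnet is None:
        return True  # unset: behave as before the PR, no IP restriction
    ip = _normalise_client(client_addr)
    if ip.version != subnet.version:
        return False  # an IPv6 client never matches an IPv4 subnet, and vice versa
    return ip in subnet


def json_rpc_allowed(client_addr: str, config: dict) -> bool:
    """Combine DisableJsonRpcWebApi and JsonRpcWebApiAllowedSubnet.

    A client outside the allowed subnet is treated exactly like
    DisableJsonRpcWebApi=true, as the PR description specifies.
    """
    if str(config.get("DisableJsonRpcWebApi", "false")).lower() == "true":
        return False
    subnet = parse_allowed_subnet(config.get("JsonRpcWebApiAllowedSubnet"))
    return client_in_subnet(client_addr, subnet)


if __name__ == "__main__":
    # Constructed sample: the subnet from the PR text and a few client peers.
    cfg = {"DisableJsonRpcWebApi": "false",
           "JsonRpcWebApiAllowedSubnet": "192.168.0.0/16"}
    for peer in ("192.168.1.5", "::ffff:192.168.1.5", "10.0.0.1", "2001:db8::1"):
        verdict = "allowed" if json_rpc_allowed(peer, cfg) else "denied"
        print(f"{peer:>22}  ->  JSON-RPC {verdict}")
```

The check runs before any password is examined, so a client outside the subnet never reaches the authentication step; on a server where the variable is left at its default ::/0 the behaviour is unchanged, which is the point raised in the thread about the default being permissive.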