optional ipfilter for array of allowed_ips in config or environment

2023-10-24 22:41:40 +01:00 · 2023-10-24 22:41:40 +01:00 · 77c15cda13
commit 77c15cda13
parent 64e86994f7
4 changed files with 14 additions and 2 deletions
--- a/app/config.json.sample
+++ b/app/config.json.sample
@ -8,6 +8,9 @@
    "path": "/ssh/socket.io",
    "origins": ["localhost:2222"],
  },
+  "ipfilter": {
+    allowed_ips: []
+  },
  "user": {
    "name": null,
    "password": null,
--- a/app/package.json
+++ b/app/package.json
@ -36,6 +36,7 @@
    "cidr-matcher": "^2.1.1",
    "debug": "^4.3.4",
    "express": "^4.18.1",
+    "express-ipfilter": "^1.3.1",
    "express-session": "^1.17.3",
    "morgan": "~1.10.0",
    "read-config-ng": "^3.0.5",
--- a/app/server/app.js
+++ b/app/server/app.js
@ -17,11 +17,12 @@ const server = require('http').Server(app);
 const favicon = require('serve-favicon');
 const io = require('socket.io')(server, config.socketio);
 const session = require('express-session')(config.express);
+const ipfilter = require('express-ipfilter').IpFilter

 const appSocket = require('./socket');
 const { setDefaultCredentials, basicAuth } = require('./util');
 const { webssh2debug } = require('./logging');
-const { reauth, connect, notfound, handleErrors } = require('./routes');
+const { reauth, connect, notfound, handleForbidden, handleErrors } = require('./routes');

 setDefaultCredentials(config.user);

@ -38,6 +39,7 @@ function safeShutdownGuard(req, res, next) {
 // express
 app.use(safeShutdownGuard);
 app.use(session);
+if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' }))
 if (config.accesslog) app.use(logger('common'));
 app.disable('x-powered-by');
 app.use(favicon(path.join(publicPath, 'favicon.ico')));
--- a/app/server/config.js
+++ b/app/server/config.js
@ -38,7 +38,10 @@ const configDefault = {
      setHeaders(res) {
        res.set('x-timestamp', Date.now());
      },
-    },
+    }
+  },
+  ipfilter: {
+    allowed_ips: [],
  },
  user: {
    name: null,
@ -133,4 +136,7 @@ if (process.env.SOCKETIO_PATH) config.socketio.path = process.env.SOCKETIO_PATH;
 if (process.env.SOCKETIO_SERVECLIENT)
  config.socketio.serveClient = process.env.SOCKETIO_SERVECLIENT;

+if (process.env.ALLOWED_IP_ADDRESSES)
+  config.ipfilter.allowed_ips.push(process.env.ALLOWED_IP_ADDRESSES.split(" "))
+
 module.exports = config;