diff --git a/data.go b/data.go
index f7c314d..4ec316e 100644
--- a/data.go
+++ b/data.go
@@ -81,6 +81,9 @@ type Configuration struct {
 ZapLogger string `json:"zap_logger"` // define zap logger usage
+ // debug server info
+ DebugAllowedIPs []string `json:"debug_allowed_ips"` // list of allowed IPs to view debug/profile info
+
 // Monit pieces
 MonitType string `json:"monit_type"` // monit record type
 MonitProducer string `json:"monit_producer"` // monit record producer
diff --git a/oauth.go b/oauth.go
index c6c8604..ac5964d 100644
--- a/oauth.go
+++ b/oauth.go
@@ -670,6 +670,9 @@ func oauthProxyServer() {
 // the callback authentication handler
 http.HandleFunc(fmt.Sprintf("%s/callback", Config.Base), oauthCallbackHandler)
+
+ // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+ http.HandleFunc("/debug/", debugHandler)
 // the request handler
 http.HandleFunc("/", oauthRequestHandler)
diff --git a/server.go b/server.go
index cbe52f5..74898e1 100644
--- a/server.go
+++ b/server.go
@@ -2,6 +2,7 @@ package main
 import (
 "crypto/tls"
+ "fmt"
 "log"
 "net/http"
 "time"
@@ -26,6 +27,13 @@ var NumLogicalCores int
 // CMSAuth structure to create CMS Auth headers
 var CMSAuth cmsauth.CMSAuth
+// redirectToHTTPS will redirect all HTTP requests to HTTPS
+func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
+ httpsURL := fmt.Sprintf("https://%s%s", r.Host, r.URL.RequestURI())
+ log.Printf("redirect %s to https\n", r.URL.String())
+ http.Redirect(w, r, httpsURL, http.StatusMovedPermanently)
+}
+
 // Server starts APS server
 func Server(config string, port, metricsPort int, logFile string, useX509, scitokens, rules bool) {
 err := parseConfig(config)
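Review bot: The comment on the new `DebugAllowedIPs` field should say what the entries are compared against, because isAllowedIP in utils.go checks them against the host part of `r.RemoteAddr`, i.e. the TCP peer address and not any forwarded-for header; behind a reverse proxy or load balancer the entries would have to be the proxy's own address, which then admits every client that comes through it. The host string is passed straight to InList, so unless InList normalises addresses the entries presumably need the exact textual form Go prints (`::1`, `::ffff:10.0.0.1` for an IPv4 peer on a dual-stack listener) and a CIDR would never match — worth confirming against InList. Suggested comment: `// client IPs allowed to view debug/profile info; matched against the TCP peer address (RemoteAddr), exact form, no CIDR`. The Configuration struct begins before and continues past this hunk.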
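Review bot: Registering `debugHandler` under the `/debug/` prefix of the default mux does not gate the endpoints the comment names: if `net/http/pprof` and `expvar` are imported in the usual blank-import way they register `/debug/pprof/`, `/debug/vars` and friends on the same `http.DefaultServeMux`, and ServeMux always dispatches to the most specific matching pattern, so those requests go straight to pprof/expvar without ever passing the IP check. The same registration appears in the x509.go hunk. A guard on a shorter prefix cannot protect handlers registered on longer patterns of the same mux; each debug handler has to be wrapped individually, e.g. `http.Handle("/debug/pprof/", debugHandler(http.HandlerFunc(pprof.Index)))` and `http.Handle("/debug/vars", debugHandler(expvar.Handler()))`, with debugHandler changed to take the wrapped handler as an argument, or the debug handlers have to be served from a separate mux that is not the default one. oauthProxyServer begins before this hunk.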
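Review bot: `redirectToHTTPS` copies `r.Host` verbatim into the Location URL, so a request whose Host header carries the plain-HTTP port (`example.com:80`, which clients send when the URL names the port) is redirected to `https://example.com:80/...`, i.e. back at the redirect listener, and an HTTP/1.0 request with no Host header yields `https:///...`. The target should be built from the host name alone, and if the TLS listener is not on 443 (the `port` argument of Server, whose use I cannot see here) that port has to be appended; the host is client-supplied in any case, which is the accepted behaviour for this pattern but deserves a comment. The `\n` in the `log.Printf` format is redundant since log terminates each line itself. The rewrite below needs `"net"` added to server.go's import block.

```go
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	// drop an explicit port (e.g. "host:80") so the target is the TLS listener, not this redirector
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if host == "" {
		http.Error(w, "400 Bad Request", http.StatusBadRequest)
		return
	}
	httpsURL := "https://" + host + r.URL.RequestURI()
	// … unchanged: log line and http.Redirect …
}
```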
@@ -124,6 +132,20 @@ func Server(config string, port, metricsPort int, logFile string, useX509, scito
 Config.CollectorPassword, httpClient)
+ // start HTTP server for redirecting http requests to https end-point
+ go func() {
+ httpServer := &http.Server{
+ Addr: ":80", // HTTP on port 80
+ Handler: http.HandlerFunc(redirectToHTTPS),
+ }
+
+ log.Println("HTTP to HTTPS redirect server is running on port 80...")
+ err := httpServer.ListenAndServe()
+ if err != nil {
+ log.Println("Error starting HTTP server:", err)
+ }
+ }()
+
 // start our servers
 if useX509 {
 if Config.CricURL != "" || Config.CricFile != "" {
diff --git a/utils.go b/utils.go
index 8b4470f..cb93cf2 100644
--- a/utils.go
+++ b/utils.go
@@ -14,6 +14,7 @@ import (
 "io"
 "io/ioutil"
 "log"
+ "net"
 "net/http"
 "net/url"
 "os"
@@ -647,3 +648,28 @@ func SetReferrer(r *http.Request) {
 r.Header.Set("Referer", ref)
 r.Header.Set("Referrer", ref)
 }
+
+// Checks if the remote IP is in the allowed range
+func isAllowedIP(r *http.Request) bool {
+ // Extract the remote IP from the request (format could be IP:port)
+ ip, _, err := net.SplitHostPort(r.RemoteAddr)
+ if err != nil {
+ log.Printf("Error parsing RemoteAddr: %v\n", err)
+ return false
+ }
+
+ // check if IP is allowed to view debug info
+ return InList(ip, Config.DebugAllowedIPs)
+}
+
+// Middleware to restrict pprof and expvar to allowed IPs
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+ if !isAllowedIP(r) {
+ http.Error(w, "403 Forbidden", http.StatusForbidden)
+ return
+ }
+
+ // Serve the original debug endpoint if the IP is allowed
+ http.DefaultServeMux.ServeHTTP(w, r)
+}
+
diff --git a/x509.go b/x509.go
index 0e0118d..e11a07d 100644
--- a/x509.go
+++ b/x509.go
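Review bot: The redirect `http.Server` is created without any timeouts, so a client that opens a connection to port 80 and never finishes sending its headers holds that connection and goroutine open indefinitely; since this listener is reachable by anyone, set at least `ReadHeaderTimeout: 10 * time.Second,` next to `Handler:` (`time` is already imported in server.go). The address is hard-coded as `":80"` while the TLS port comes from Server's `port` argument, which makes the redirect listener impossible to disable or move through configuration and, when the process lacks permission to bind a privileged port, fails with nothing but a log line; a config field whose empty value means "no redirect listener" would fit the rest of the Configuration struct. The goroutine also has no shutdown path, so the listener outlives any orderly stop of the TLS servers, if there is one. Server begins before and continues past this hunk.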
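Review bot: `debugHandler` dispatches back into `http.DefaultServeMux`, the very mux on which oauth.go and x509.go register it under `/debug/`, so any request the mux routes to the `/debug/` pattern (every `/debug/...` path that no more specific pattern claims) re-enters debugHandler from an allowed IP and recurses without bound until the goroutine stack limit aborts the whole process, while requests that a more specific pprof/expvar pattern claims are served by those handlers without reaching it at all; as written the gate either crashes or is bypassed. The handler should wrap a concrete downstream handler instead of the mux, as below, with the registrations changed to the form `http.Handle("/debug/pprof/", debugHandler(http.HandlerFunc(pprof.Index)))`. In `isAllowedIP` the raw host string goes to InList, so unless InList normalises addresses the configured entries must match Go's textual form exactly (`::ffff:10.0.0.1` for an IPv4 peer on a dual-stack listener) and CIDR entries can never match; parsing both sides with `net/netip` would make the comparison canonical and allow prefixes. Both functions are complete within this hunk.

```go
// debugHandler wraps next so that it only serves requests whose TCP peer
// address is listed in Config.DebugAllowedIPs; all others receive 403.
func debugHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowedIP(r) {
			http.Error(w, "403 Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```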
@@ -124,6 +124,9 @@ func x509ProxyServer() {
 // the server settings handler
 http.HandleFunc(fmt.Sprintf("%s/server", Config.Base), settingsHandler)
+ // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+ http.HandleFunc("/debug/", debugHandler)
+
 // the request handler
 http.HandleFunc("/", x509RequestHandler)