Disallow access in publicly exposed services (#1761)

* Add security against publicly exposed services
* Add trusted proxies setting, validate proxy chain against internet access
* Validate chain on local proxies too
* Move authentication handler to separate file
* Add startup check and log if tripwire is active

Co-authored-by: WithoutPants <53250216+WithoutPants@users.noreply.github.com>
kermieisinthehouse
2021-10-04 07:16:01 +00:00
committed by GitHub
parent dcf58b99a6
commit f1da6cb1b2
12 changed files with 344 additions and 62 deletions


@@ -97,6 +97,8 @@ func Initialize() *singleton {
panic(err)
}
}
initSecurity(cfg)
} else {
cfgFile := cfg.GetConfigFile()
if cfgFile != "" {
@@ -125,6 +127,12 @@ func Initialize() *singleton {
return instance
}
func initSecurity(cfg *config.Instance) {
if err := session.CheckExternalAccessTripwire(cfg); err != nil {
session.LogExternalAccessError(*err)
}
}
func initProfiling(cpuProfilePath string) {
if cpuProfilePath == "" {
return
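Review bot: `initSecurity` only logs when `session.CheckExternalAccessTripwire(cfg)` reports a problem, so startup carries on with the tripwire active. The call is also placed only in the branch before `} else {` in `Initialize`, so the other branch never runs the startup check. Enforcement presumably lives in the request-time authentication handler the commit message mentions, which is not visible here. A doc comment should make that contract explicit, e.g. `// initSecurity logs a warning at startup if the external-access tripwire is set; it does not block startup, and requests are rejected elsewhere.` The local named `err` is dereferenced as `*err`, so it looks like a pointer to a concrete type rather than an `error`; a name such as `accessErr` would avoid the misleading idiom. `Initialize` starts and ends outside these hunks, so the branch condition could not be checked.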