Commit 0ed6077d authored by Rafael Monnerat's avatar Rafael Monnerat

registry: new --authorized-origin option

The list of authorized IPs for private RPCs is now configurable.
This is required when the registry is not bound to localhost.
parent 5a377d05
......@@ -102,6 +102,9 @@ def main():
" 3=DEBUG, 4=TRACE. Use SIGUSR1 to reopen log.")
_('--min-protocol', default=version.min_protocol, type=int,
help="Reject nodes that are too old. Current is %s." % version.protocol)
_('--authorized-origin', action='append', default=['', '::1'],
help="Authorized IPs to access origin-restricted RPC.")
_ = parser.add_argument_group('routing').add_argument
_('--hello', type=int, default=15,
help="Hello interval in seconds, for both wired and wireless"
......@@ -238,13 +238,13 @@ class RegistryServer(object):
# (IOW, do the contrary of newPrefix)
self.timeout = not_after and not_after + GRACE_PERIOD
def handle_request(self, request, method, kw,
_localhost=('', '::1')):
def handle_request(self, request, method, kw):
m = getattr(self, method)
if hasattr(method, '_private'):
authorized_origin = self.config.authorized_origin
x_forwarded_for = request.headers.get('X-Forwarded-For')
if request.client_address[0] not in _localhost or \
x_forwarded_for and x_forwarded_for not in _localhost:
if request.client_address[0] not in authorized_origin or \
x_forwarded_for and x_forwarded_for not in authorized_origin:
return request.send_error(httplib.FORBIDDEN)
key = m.getcallargs(**kw).get('cn')
if key:
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment