From 4548eb8d118c75749a3916bde022ebe4b13a7ef4 Mon Sep 17 00:00:00 2001 From: Eugene Bujak Date: Tue, 18 Sep 2018 20:59:41 +0300 Subject: [PATCH 1/3] Implement simple basic auth. Closes #326. --- app.go | 2 +- config.go | 2 ++ control.go | 58 +++++++++++++++++++++++++++--------------------------- helpers.go | 40 +++++++++++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+), 30 deletions(-) diff --git a/app.go b/app.go index 57e9ea56..b55e9863 100644 --- a/app.go +++ b/app.go @@ -119,7 +119,7 @@ func main() { runStatsCollectors() runFilterRefreshers() - http.Handle("/", http.FileServer(box)) + http.Handle("/", optionalAuthHandler(http.FileServer(box))) registerControlHandlers() err = startDNSServer() diff --git a/config.go b/config.go index 20142b42..02c0d147 100644 --- a/config.go +++ b/config.go @@ -21,6 +21,8 @@ type configuration struct { BindHost string `yaml:"bind_host"` BindPort int `yaml:"bind_port"` + AuthName string `yaml:"auth_name"` + AuthPass string `yaml:"auth_pass"` CoreDNS coreDNSConfig `yaml:"coredns"` Filters []filter `yaml:"filters"` UserRules []string `yaml:"user_rules"` diff --git a/control.go b/control.go index 070a52d2..e372cd59 100644 --- a/control.go +++ b/control.go @@ -1298,33 +1298,33 @@ func handleSafeSearchStatus(w http.ResponseWriter, r *http.Request) { } func registerControlHandlers() { - http.HandleFunc("/control/start", ensurePOST(handleStart)) - http.HandleFunc("/control/stop", ensurePOST(handleStop)) - http.HandleFunc("/control/restart", ensurePOST(handleRestart)) - http.HandleFunc("/control/status", ensureGET(handleStatus)) - http.HandleFunc("/control/stats", ensureGET(handleStats)) - http.HandleFunc("/control/stats_history", ensureGET(handleStatsHistory)) - http.HandleFunc("/control/stats_top", ensureGET(handleStatsTop)) - http.HandleFunc("/control/querylog", handleQueryLog) - http.HandleFunc("/control/querylog_enable", ensurePOST(handleQueryLogEnable)) - http.HandleFunc("/control/querylog_disable", ensurePOST(handleQueryLogDisable)) - http.HandleFunc("/control/set_upstream_dns", ensurePOST(handleSetUpstreamDNS)) - http.HandleFunc("/control/filtering/enable", ensurePOST(handleFilteringEnable)) - http.HandleFunc("/control/filtering/disable", ensurePOST(handleFilteringDisable)) - http.HandleFunc("/control/filtering/status", ensureGET(handleFilteringStatus)) - http.HandleFunc("/control/filtering/add_url", ensurePUT(handleFilteringAddURL)) - http.HandleFunc("/control/filtering/remove_url", ensureDELETE(handleFilteringRemoveURL)) - http.HandleFunc("/control/filtering/enable_url", ensurePOST(handleFilteringEnableURL)) - http.HandleFunc("/control/filtering/disable_url", ensurePOST(handleFilteringDisableURL)) - http.HandleFunc("/control/filtering/set_rules", ensurePUT(handleFilteringSetRules)) - http.HandleFunc("/control/filtering/refresh", ensurePOST(handleFilteringRefresh)) - http.HandleFunc("/control/safebrowsing/enable", ensurePOST(handleSafeBrowsingEnable)) - http.HandleFunc("/control/safebrowsing/disable", ensurePOST(handleSafeBrowsingDisable)) - http.HandleFunc("/control/safebrowsing/status", ensureGET(handleSafeBrowsingStatus)) - http.HandleFunc("/control/parental/enable", ensurePOST(handleParentalEnable)) - http.HandleFunc("/control/parental/disable", ensurePOST(handleParentalDisable)) - http.HandleFunc("/control/parental/status", ensureGET(handleParentalStatus)) - http.HandleFunc("/control/safesearch/enable", ensurePOST(handleSafeSearchEnable)) - http.HandleFunc("/control/safesearch/disable", ensurePOST(handleSafeSearchDisable)) - http.HandleFunc("/control/safesearch/status", ensureGET(handleSafeSearchStatus)) + http.HandleFunc("/control/start", optionalAuth(ensurePOST(handleStart))) + http.HandleFunc("/control/stop", optionalAuth(ensurePOST(handleStop))) + http.HandleFunc("/control/restart", optionalAuth(ensurePOST(handleRestart))) + http.HandleFunc("/control/status", optionalAuth(ensureGET(handleStatus))) + http.HandleFunc("/control/stats", optionalAuth(ensureGET(handleStats))) + http.HandleFunc("/control/stats_history", optionalAuth(ensureGET(handleStatsHistory))) + http.HandleFunc("/control/stats_top", optionalAuth(ensureGET(handleStatsTop))) + http.HandleFunc("/control/querylog", optionalAuth(ensureGET(handleQueryLog))) + http.HandleFunc("/control/querylog_enable", optionalAuth(ensurePOST(handleQueryLogEnable))) + http.HandleFunc("/control/querylog_disable", optionalAuth(ensurePOST(handleQueryLogDisable))) + http.HandleFunc("/control/set_upstream_dns", optionalAuth(ensurePOST(handleSetUpstreamDNS))) + http.HandleFunc("/control/filtering/enable", optionalAuth(ensurePOST(handleFilteringEnable))) + http.HandleFunc("/control/filtering/disable", optionalAuth(ensurePOST(handleFilteringDisable))) + http.HandleFunc("/control/filtering/status", optionalAuth(ensureGET(handleFilteringStatus))) + http.HandleFunc("/control/filtering/add_url", optionalAuth(ensurePUT(handleFilteringAddURL))) + http.HandleFunc("/control/filtering/remove_url", optionalAuth(ensureDELETE(handleFilteringRemoveURL))) + http.HandleFunc("/control/filtering/enable_url", optionalAuth(ensurePOST(handleFilteringEnableURL))) + http.HandleFunc("/control/filtering/disable_url", optionalAuth(ensurePOST(handleFilteringDisableURL))) + http.HandleFunc("/control/filtering/set_rules", optionalAuth(ensurePUT(handleFilteringSetRules))) + http.HandleFunc("/control/filtering/refresh", optionalAuth(ensurePOST(handleFilteringRefresh))) + http.HandleFunc("/control/safebrowsing/enable", optionalAuth(ensurePOST(handleSafeBrowsingEnable))) + http.HandleFunc("/control/safebrowsing/disable", optionalAuth(ensurePOST(handleSafeBrowsingDisable))) + http.HandleFunc("/control/safebrowsing/status", optionalAuth(ensureGET(handleSafeBrowsingStatus))) + http.HandleFunc("/control/parental/enable", optionalAuth(ensurePOST(handleParentalEnable))) + http.HandleFunc("/control/parental/disable", optionalAuth(ensurePOST(handleParentalDisable))) + http.HandleFunc("/control/parental/status", optionalAuth(ensureGET(handleParentalStatus))) + http.HandleFunc("/control/safesearch/enable", optionalAuth(ensurePOST(handleSafeSearchEnable))) + http.HandleFunc("/control/safesearch/disable", optionalAuth(ensurePOST(handleSafeSearchDisable))) + http.HandleFunc("/control/safesearch/status", optionalAuth(ensureGET(handleSafeSearchStatus))) } diff --git a/helpers.go b/helpers.go index 62e260e6..a7e60f77 100644 --- a/helpers.go +++ b/helpers.go @@ -51,6 +51,46 @@ func ensureDELETE(handler func(http.ResponseWriter, *http.Request)) func(http.Re return ensure("DELETE", handler) } +func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) { + return func(w http.ResponseWriter, r *http.Request) { + if config.AuthName == "" || config.AuthPass == "" { + handler(w, r) + return + } + user, pass, ok := r.BasicAuth() + if !ok || user != config.AuthName || pass != config.AuthPass { + w.Header().Set("WWW-Authenticate", `Basic realm="dnsfilter"`) + w.WriteHeader(http.StatusUnauthorized) + w.Write([]byte("Unauthorised.\n")) + return + } + handler(w, r) + } +} + +type authHandler struct { + handler http.Handler +} + +func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + if config.AuthName == "" || config.AuthPass == "" { + a.handler.ServeHTTP(w, r) + return + } + user, pass, ok := r.BasicAuth() + if !ok || user != config.AuthName || pass != config.AuthPass { + w.Header().Set("WWW-Authenticate", `Basic realm="dnsfilter"`) + w.WriteHeader(http.StatusUnauthorized) + w.Write([]byte("Unauthorised.\n")) + return + } + a.handler.ServeHTTP(w, r) +} + +func optionalAuthHandler(handler http.Handler) http.Handler { + return &authHandler{handler} +} + // -------------------------- // helper functions for stats // -------------------------- From b8213bf88a5b3f12faf4e38c5750851568cfa5ac Mon Sep 17 00:00:00 2001 From: Eugene Bujak Date: Wed, 19 Sep 2018 15:51:28 +0300 Subject: [PATCH 2/3] Update README to explain config file settings --- README.md | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b9393fd8..aff71ecf 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ sudo ./AdguardDNS Now open the browser and point it to http://localhost:3000/ to control AdGuard DNS server. -## Running without superuser +### Running without superuser You can run it without superuser privileges, but you need to instruct it to use other port rather than 53. You can do that by opening `AdguardDNS.yaml` and adding this line: ```yaml @@ -58,10 +58,36 @@ coredns: If the file does not exist, create it and put these two lines down. +### Additional configuration + +Open first execution, a file `AdguardDNS.yaml` will be created, with default values written in it. You can modify the file while AdGuard DNS is not running, otherwise any changes to the file will be lost because they will be overwritten by the server. + +Explanation of settings: + + * `bind_host` -- Web interface IP address to listen on + * `bind_port` -- Web interface IP port to listen on + * `auth_name` -- Web interface optional authorization username + * `auth_pass` -- Web interface optional authorization password + * `coredns` -- CoreDNS configuration section + * `port` -- DNS server port to listen on + * `filtering_enabled` -- Filtering of DNS requests based on filter lists + * `safebrowsing_enabled` -- Filtering of DNS requests based on safebrowsing + * `safesearch_enabled` -- Enforcing safe search when accessing search engines + * `parental_enabled` -- Filtering of DNS requests based on parental safety + * `parental_sensitivity` -- Age group for filtering based on parental safety + * `querylog_enabled` -- Query logging, also used to calculate top 50 clients, blocked domains and requested domains for stats + * `upstream_dns` -- List of upstream DNS servers + * `filters` -- List of filters, each filter has these values: + * `url` -- URL pointing to the filter contents + * `enabled` -- Enable/disable current filter + * `user_rules` -- User-defined filtering rules + +Removing an entry from settings file will reset it to default value. Deleting the file will reset all settings to default values. + ## Contributing You are welcome to fork this repository, make your changes and submit a pull request — https://github.com/AdguardTeam/AdguardDNS/pulls ## Reporting issues -If you come across any problem, or have a suggestion, head to [this page](https://github.com/AdguardTeam/AdguardDNS/issues) and click on the New issue button. +If you come across any problem, or have a suggestion, head to [this page](https://github.com/AdguardTeam/AdguardDNS/issues) and click on the `New issue` button. From ba56d6c01d7b241829d3115e1ce87241737cf571 Mon Sep 17 00:00:00 2001 From: Eugene Bujak Date: Wed, 19 Sep 2018 15:51:44 +0300 Subject: [PATCH 3/3] Reorganize config file. --- config.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config.go b/config.go index 02c0d147..ee3d91df 100644 --- a/config.go +++ b/config.go @@ -38,20 +38,20 @@ type coreDNSConfig struct { FilteringEnabled bool `yaml:"filtering_enabled"` SafeBrowsingEnabled bool `yaml:"safebrowsing_enabled"` SafeSearchEnabled bool `yaml:"safesearch_enabled"` - QueryLogEnabled bool `yaml:"querylog_enabled"` ParentalEnabled bool `yaml:"parental_enabled"` ParentalSensitivity int `yaml:"parental_sensitivity"` - Pprof string `yaml:"pprof"` - Cache string `yaml:"cache"` - Prometheus string `yaml:"prometheus"` + QueryLogEnabled bool `yaml:"querylog_enabled"` + Pprof string `yaml:"-"` + Cache string `yaml:"-"` + Prometheus string `yaml:"-"` UpstreamDNS []string `yaml:"upstream_dns"` } type filter struct { - Enabled bool `json:"enabled"` URL string `json:"url"` - RulesCount int `json:"rules_count" yaml:"-"` Name string `json:"name" yaml:"-"` + Enabled bool `json:"enabled"` + RulesCount int `json:"rules_count" yaml:"-"` contents []byte LastUpdated time.Time `json:"last_updated" yaml:"-"` }