ambiser
/
openvidu
mirror of https://github.com/OpenVidu/openvidu.git
8
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

proxy ip restrictions added

pull/457/head
OscarSotoSanchez 2020-04-30 14:27:40 +02:00
parent a922b95d95
commit cd2f472034
9 changed files with 271 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
openvidu-server/docker/openvidu-docker-compose/.env
View File

@ -40,23 +40,23 @@ LETSENCRYPT_EMAIL=user@example.com
# HTTPS_PORT=443 # HTTPS_PORT=443
# Access restrictions # Access restrictions
# In this section you will be able to restrict the ips from which you can access to # In this section you will be able to restrict the IPs from which you can access to
# Openvidu API and the Administration Panel # Openvidu API and the Administration Panel
# WARNING! If you touch this configuration you can lose access to the platform from some IPs, # WARNING! If you touch this configuration you can lose access to the platform from some IPs.
# use it carefully. # Use it carefully.
# This section limits access to the /dashboard and /inspector page. # This section limits access to the /dashboard (OpenVidu CE) and /inspector (OpenVidu Pro) pages.
# The form for a single IP or RANGE is: # The form for a single IP or an IP range is:
# ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.1 and ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.1/24 # ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.1 and ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.0/24
# To limit multiple IPs or RANGESs, separate by commas: # To limit multiple IPs or IP ranges, separate by commas like this:
# ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.1, 198.51.100.1/24 # ALLOWED_ACCESS_TO_DASHBOARD=198.51.100.1, 198.51.100.0/24
# ALLOWED_ACCESS_TO_DASHBOARD= # ALLOWED_ACCESS_TO_DASHBOARD=
# This section limits access to the Openvidu API. # This section limits access to the Openvidu REST API.
# The form for a single IP or RANGE is: # The form for a single IP or an IP range is:
# ALLOWED_ACCESS_TO_RESTAPI=198.51.100.1 and ALLOWED_ACCESS_TO_RESTAPI=198.51.100.1/24 # ALLOWED_ACCESS_TO_RESTAPI=198.51.100.1 and ALLOWED_ACCESS_TO_RESTAPI=198.51.100.0/24
# To limit multiple IPs or RANGEs, separate by commas: # To limit multiple IPs or or IP ranges, separate by commas like this:
# ALLOWED_ACCESS_TO_RESTAPI=198.51.100.1, 198.51.100.1/24 # ALLOWED_ACCESS_TO_RESTAPI=198.51.100.1, 198.51.100.0/24
# ALLOWED_ACCESS_TO_RESTAPI= # ALLOWED_ACCESS_TO_RESTAPI=
# Whether to enable recording module or not # Whether to enable recording module or not

2
openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
View File

@ -67,7 +67,7 @@ services:
- MAX_PORT=65535 - MAX_PORT=65535
nginx: nginx:
image: openvidu/openvidu-proxy:2.0.0-beta1 image: openvidu/openvidu-proxy:2.0.0-beta2
restart: on-failure restart: on-failure
network_mode: host network_mode: host
volumes: volumes:

11
openvidu-server/docker/openvidu-proxy/Dockerfile
View File

@ -1,19 +1,24 @@
FROM nginx:1.18.0-alpine FROM nginx:1.18.0-alpine
# Install certbot # Install required software
RUN apk update && \ RUN apk update && \
apk add bash && \
apk add certbot && \ apk add certbot && \
apk add openssl && \ apk add openssl && \
apk add apache2-utils && \ apk add apache2-utils && \
apk add ipcalc && \
rm -rf /var/cache/apk/* rm -rf /var/cache/apk/*
# Default nginx conf # Default nginx conf
COPY ./default.conf /etc/nginx/conf.d/default.conf COPY ./default.conf /etc/nginx/conf.d/default.conf
COPY ./default_nginx_conf /default_nginx_conf COPY ./default_nginx_conf /default_nginx_conf
# Entrypoint # Entrypoint and discover public ip scripts
COPY ./discover_my_public_ip.sh /usr/local/bin
COPY ./entrypoint.sh /usr/local/bin COPY ./entrypoint.sh /usr/local/bin
RUN mkdir -p /var/www/certbot && \ RUN mkdir -p /var/www/certbot && \
chmod +x /usr/local/bin/entrypoint.sh chmod +x /usr/local/bin/entrypoint.sh && \
chmod +x /usr/local/bin/discover_my_public_ip.sh
CMD /usr/local/bin/entrypoint.sh CMD /usr/local/bin/entrypoint.sh

19
openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app-without-demos.conf
View File

@ -46,6 +46,13 @@ server {
# proxy_pass http://yourapp; # Openvidu call by default # proxy_pass http://yourapp; # Openvidu call by default
#} #}
# Openvidu Admin Panel
location /dashboard {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver;
}
# Openvidu Server # Openvidu Server
location /layouts/custom { location /layouts/custom {
rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break;
@ -57,6 +64,8 @@ server {
} }
location /api { location /api {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -65,10 +74,14 @@ server {
} }
location /info { location /info {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /config { location /config {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -77,10 +90,8 @@ server {
} }
location /cdr { location /cdr {
proxy_pass http://openviduserver; {rules_acess_api}
} deny all;
location /dashboard {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
} }

19
openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf
View File

@ -46,6 +46,13 @@ server {
proxy_pass http://yourapp; # Openvidu call by default proxy_pass http://yourapp; # Openvidu call by default
} }
# Openvidu Admin Panel
location /dashboard {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver;
}
# Openvidu Server # Openvidu Server
location /layouts/custom { location /layouts/custom {
rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break;
@ -57,6 +64,8 @@ server {
} }
location /api { location /api {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -65,10 +74,14 @@ server {
} }
location /info { location /info {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /config { location /config {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -77,10 +90,8 @@ server {
} }
location /cdr { location /cdr {
proxy_pass http://openviduserver; {rules_acess_api}
} deny all;
location /dashboard {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
} }

42
openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default-app-without-demos.conf
View File

@ -72,8 +72,23 @@ server {
# Welcome # Welcome
root /var/www/html; root /var/www/html;
# Kibana panel # Openvidu Admin Panel
location /dashboard {
{rules_access_dashboard}
deny all;
rewrite ^/dashboard/(.*)$ /$1 break;
proxy_pass http://openviduserver/;
}
location /inspector {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver;
}
location /kibana { location /kibana {
{rules_access_dashboard}
deny all;
auth_basic "Openvidu Monitoring"; auth_basic "Openvidu Monitoring";
auth_basic_user_file /etc/nginx/kibana.htpasswd; auth_basic_user_file /etc/nginx/kibana.htpasswd;
@ -92,6 +107,8 @@ server {
} }
location /api { location /api {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -100,10 +117,14 @@ server {
} }
location /info { location /info {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /config { location /config {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -111,29 +132,28 @@ server {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /dashboard {
rewrite ^/dashboard/(.*)$ /$1 break;
proxy_pass http://openviduserver/;
}
# Openvidu Server Pro
location /cdr { location /cdr {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
# Openvidu Server Pro
location /pro { location /pro {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /api-login { location /api-login {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /elasticsearch { location /elasticsearch {
proxy_pass http://openviduserver; {rules_acess_api}
} deny all;
location /inspector {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
} }

42
openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf
View File

@ -82,8 +82,23 @@ server {
proxy_pass http://yourapp; # Openvidu call by default proxy_pass http://yourapp; # Openvidu call by default
} }
# Kibana panel # Openvidu Admin Panel
location /dashboard {
{rules_access_dashboard}
deny all;
rewrite ^/dashboard/(.*)$ /$1 break;
proxy_pass http://openviduserver/;
}
location /inspector {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver;
}
location /kibana { location /kibana {
{rules_access_dashboard}
deny all;
auth_basic "Openvidu Monitoring"; auth_basic "Openvidu Monitoring";
auth_basic_user_file /etc/nginx/kibana.htpasswd; auth_basic_user_file /etc/nginx/kibana.htpasswd;
@ -102,6 +117,8 @@ server {
} }
location /api { location /api {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -110,10 +127,14 @@ server {
} }
location /info { location /info {
{rules_access_dashboard}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /config { location /config {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
@ -121,29 +142,28 @@ server {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /dashboard {
rewrite ^/dashboard/(.*)$ /$1 break;
proxy_pass http://openviduserver/;
}
# Openvidu Server Pro
location /cdr { location /cdr {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
# Openvidu Server Pro
location /pro { location /pro {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /api-login { location /api-login {
{rules_acess_api}
deny all;
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
location /elasticsearch { location /elasticsearch {
proxy_pass http://openviduserver; {rules_acess_api}
} deny all;
location /inspector {
proxy_pass http://openviduserver; proxy_pass http://openviduserver;
} }
} }

47
openvidu-server/docker/openvidu-proxy/discover_my_public_ip.sh Executable file
View File

@ -0,0 +1,47 @@
#!/bin/bash
# Check if a txt is a valid ip
function valid_ip()
{
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
&& ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi
return $stat
}
# Services to get public ip
SERVICES=(
"curl --silent -sw :%{http_code} ipv4.icanhazip.com"
"curl --silent -sw :%{http_code} ifconfig.me"
"curl --silent -sw :%{http_code} -4 ifconfig.co"
"curl --silent -sw :%{http_code} ipecho.net/plain"
"curl --silent -sw :%{http_code} ipinfo.io/ip"
"curl --silent -sw :%{http_code} checkip.amazonaws.com"
"curl --silent -sw :%{http_code} v4.ident.me"
)
# Get public ip
for service in "${SERVICES[@]}"; do
RUN_COMMAND=$($service | tr -d '[:space:]')
IP=$(echo "$RUN_COMMAND" | cut -d':' -f1)
HTTP_CODE=$(echo "$RUN_COMMAND" | cut -d':' -f2)
if [ "$HTTP_CODE" == "200" ]; then
if valid_ip "$IP"; then
printf "%s" "$IP"
exit 0
fi
fi
done
printf "error"
exit 0

110
openvidu-server/docker/openvidu-proxy/entrypoint.sh
View File

@ -2,6 +2,8 @@
[ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80 [ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
[ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443 [ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
[ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all
[ -z "${ALLOWED_ACCESS_TO_RESTAPI}" ] && export ALLOWED_ACCESS_TO_RESTAPI=all
# Start with default certbot conf # Start with default certbot conf
nginx -g "daemon on;" nginx -g "daemon on;"
@ -9,6 +11,8 @@ nginx -g "daemon on;"
# Show input enviroment variables # Show input enviroment variables
echo "Http Port: ${PROXY_HTTP_PORT}" echo "Http Port: ${PROXY_HTTP_PORT}"
echo "Https Port: ${PROXY_HTTPS_PORT}" echo "Https Port: ${PROXY_HTTPS_PORT}"
echo "Allowed Dashboard: ${ALLOWED_ACCESS_TO_DASHBOARD}"
echo "Allowed API: ${ALLOWED_ACCESS_TO_RESTAPI}"
echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}" echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}"
echo "Certificated: ${CERTIFICATE_TYPE}" echo "Certificated: ${CERTIFICATE_TYPE}"
echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}" echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}"
@ -108,6 +112,112 @@ sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/g" /etc/nginx/conf.d/*
sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/* sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/*
sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/* sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/*
# NGINX access
LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*')
PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)
valid_ip_v4()
{
if ipcalc "$1" \
| awk 'BEGIN{FS=":"; is_invalid=0} /^INVALID/ {is_invalid=1} END {exit is_invalid}'
then
return "$?"
else
return "$?"
fi
}
if [ "${ALLOWED_ACCESS_TO_DASHBOARD}" != "all" ]; then
IFS=','
for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]')
do
if valid_ip_v4 "$IP"; then
if [ -z "${RULES_DASHBOARD}" ]; then
RULES_DASHBOARD="allow $IP;"
else
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
fi
fi
if [ -z "${RULES_RESTAPI}" ]; then
RULES_RESTAPI="allow $IP;"
else
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
fi
fi
else
echo "Ip or range $IP is not valid"
fi
done
else
RULES_DASHBOARD="allow all;"
fi
if [ "${ALLOWED_ACCESS_TO_RESTAPI}" != "all" ]; then
IFS=','
for IP in $(echo "${ALLOWED_ACCESS_TO_RESTAPI}" | tr -d '[:space:]')
do
if valid_ip_v4 "$IP"; then
if [ -z "${RULES_RESTAPI}" ]; then
RULES_RESTAPI="allow $IP;"
else
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
fi
fi
else
echo "Ip or range $IP is not valid"
fi
done
else
RULES_RESTAPI="allow all;"
fi
if [ "${RULES_DASHBOARD}" != "allow all;" ]; then
if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;"
fi
if ! echo "${RULES_DASHBOARD}" | grep -q "127.0.0.1"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow 127.0.0.1;"
fi
IFS=$'\n'
for IP in ${LOCAL_NETWORKS}
do
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
fi
done
fi
if [ "${RULES_RESTAPI}" != "allow all;" ]; then
if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;"
fi
if ! echo "${RULES_DASHBOARD}" | grep -q "127.0.0.1"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow 127.0.0.1;"
fi
IFS=$'\n'
for IP in ${LOCAL_NETWORKS}
do
if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
fi
done
fi
sed -i "s/{rules_access_dashboard}/$(echo "${RULES_DASHBOARD}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/*
sed -i "s/{rules_acess_api}/$(echo "${RULES_RESTAPI}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/*
sed -i "s/{new_line}/\n\t/g" /etc/nginx/conf.d/* # New line
printf "Rules DASHBOARD: \n \t%s\n" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t/g')"
printf "Rules RESTAPI: \n \t%s\n" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t/g')"
# Restart nginx service # Restart nginx service
nginx -s reload nginx -s reload