From 75dad1660af7948558ea6f543f7a895dab2c6b80 Mon Sep 17 00:00:00 2001
From: Bertrand Paquet
Date: Mon, 15 Jul 2019 23:10:22 +0200
Subject: [PATCH] Add allowed cidrs in agent configuration

---
 agent/cmd/cmd.go | 1 +
 agent/cmd/config.go | 1 +
 config/agent/base.yaml | 5 +++++
 nginx/config/agent.go | 6 +++---
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/agent/cmd/cmd.go b/agent/cmd/cmd.go
index 87dae0d46..0d78fbeca 100644
--- a/agent/cmd/cmd.go
+++ b/agent/cmd/cmd.go
@@ -183,6 +183,7 @@ func Run(flags *Flags) {
 }
 log.Fatal(nginx.Run(config.Nginx, map[string]interface{}{
+ "allowed_cidrs": config.AllowedCidrs,
 "port": flags.AgentRegistryPort,
 "registry_server": nginx.GetServer(
 config.Registry.Docker.HTTP.Net, config.Registry.Docker.HTTP.Addr),
diff --git a/agent/cmd/config.go b/agent/cmd/config.go
index 81793ba7a..5ad368cdc 100644
--- a/agent/cmd/config.go
+++ b/agent/cmd/config.go
@@ -43,4 +43,5 @@ type Config struct {
 RegistryBackup string `yaml:"registry_backup"`
 Nginx nginx.Config `yaml:"nginx"`
 TLS httputil.TLSConfig `yaml:"tls"`
+ AllowedCidrs []string `yaml:"allowed_cidrs"`
 }
diff --git a/config/agent/base.yaml b/config/agent/base.yaml
index 7210ad4b6..69c183888 100644
--- a/config/agent/base.yaml
+++ b/config/agent/base.yaml
@@ -58,6 +58,11 @@ registry:
 peer_id_factory: addr_hash
+# Allow agent to only serve localhost and Docker default bridge requests.
+allowed_cidrs:
+ - 127.0.0.1
+ - 172.17.0.1
+
 nginx:
 name: kraken-agent
 cache_dir: /var/cache/kraken/kraken-agent/nginx/
diff --git a/nginx/config/agent.go b/nginx/config/agent.go
index 072897da8..457f6f8f4 100644
--- a/nginx/config/agent.go
+++ b/nginx/config/agent.go
@@ -23,9 +23,9 @@ upstream registry-backend {
 server {
 listen {{.port}};
- # Allow agent to only serve localhost and Docker default bridge requests.
- allow 127.0.0.1;
- allow 172.17.0.1;
+ {{range .allowed_cidrs}}
+ allow {{.}};
+ {{end}}
 deny all;
 {{.client_verification}}
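Review bot: The list passed as `allowed_cidrs` in the agent/cmd/cmd.go hunk is interpolated verbatim into the nginx template in the nginx/config/agent.go hunk, and nothing in this commit checks that each entry is an IP address or CIDR, so a typo (or an entry containing `;` or a newline) either stops nginx from starting or silently changes the generated access rules. Validating the entries in Run before the template is rendered fails fast with a clear message; nginx `allow` accepts both bare addresses and CIDR notation, and the defaults added in base.yaml are bare addresses, so accept both forms. An empty or absent list renders nothing but `deny all;`, which leaves the agent refusing every client, so that case deserves an explicit check too. The sketch below assumes the `log` package used in this file exposes `Fatalf`; if it does not, format the message with fmt.Sprintf and pass it to the existing `log.Fatal`. Run begins and continues outside the hunk.
```go
	// … unchanged: earlier setup in Run …
	if len(config.AllowedCidrs) == 0 {
		log.Fatal("allowed_cidrs is empty: nginx would deny every client")
	}
	for _, entry := range config.AllowedCidrs {
		if net.ParseIP(entry) != nil {
			continue // bare address, accepted by nginx allow
		}
		if _, _, err := net.ParseCIDR(entry); err != nil {
			log.Fatalf("invalid allowed_cidrs entry %q: %v", entry, err)
		}
	}
	log.Fatal(nginx.Run(config.Nginx, map[string]interface{}{
	// … unchanged: template values …
```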
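Review bot: The new `AllowedCidrs` field in the agent/cmd/config.go hunk has no comment, and its effect is not obvious from the type: each entry becomes an nginx `allow` directive and every other client is denied. Add `// AllowedCidrs lists the client IPs or CIDRs permitted to reach the agent's nginx endpoint; all others are denied.` above the field. Go keeps initialisms in one case, so `AllowedCIDRs` would match the `TLS` field in the same struct while the yaml tag stays `allowed_cidrs`. The Config struct opens outside the hunk.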
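Review bot: In the nginx/config/agent.go hunk the `{{range}}` and `{{end}}` actions sit on their own lines, so each rendered entry is surrounded by blank indented lines, and the comment that explained the old hard-coded addresses was deleted rather than updated, leaving the `allow`/`deny` block undocumented. Putting the directives on the action lines keeps the output tidy: `{{range .allowed_cidrs}}allow {{.}};` followed by `{{end}}deny all;`. Restore a short nginx comment above the block, e.g. `# Only clients listed in allowed_cidrs may reach the agent; everything else is denied.` — the removed lines show `#` comments are fine here. It is also worth stating in that comment that an empty list renders only `deny all;`, since that locks every client out.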