Enable/Disable config API from config

This commit is contained in:
Ara Sadoyan
2025-07-04 15:06:05 +02:00
parent b552d24497
commit d0e4b52ce6
6 changed files with 15 additions and 1 deletions


@@ -87,6 +87,7 @@ Built on Rust, on top of **Cloudflares Pingora engine**, **Aralez** delivers
| **master_key** | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation |
| **file_server_folder** | /some/local/folder | Optional, local folder to serve |
| **file_server_address** | 127.0.0.1:3002 | Optional, Local address for file server. Can set as upstream for public access |
| **config_api_enabled** | true | Boolean to enable/disable remote config push capability |
### 🌐 `upstreams.yaml`


@@ -7,6 +7,7 @@ upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
pid_file: /tmp/aralez.pid # Path to PID file
error_log: /tmp/aralez_err.log # Path to error log
upgrade_sock: /tmp/aralez.sock # Path to socket file
config_api_enabled: true # Boolean to enable/disable remote config push capability.
config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
config_tls_certificate: etc/server.crt # Mandatory if config_tls_address is set
@@ -20,4 +21,4 @@ upstreams_conf: etc/upstreams.yaml # the location of upstreams file
log_level: info # info, warn, error, debug, trace, off
hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
hc_interval: 2 #Interval for health checks in seconds
master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
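Review bot: The new `config_api_enabled: true` line in the first hunk ships the example config with the remote config push API switched on, so anyone who copies this file as-is gets a network-reachable write path to the upstream configuration unless they notice the flag. Consider shipping the example opted out, `config_api_enabled: false # Boolean to enable/disable remote config push capability. Set to true only when pushing upstreams.yaml remotely is intended.`, and letting the operator enable it deliberately. The comment could also state what happens when the key is omitted entirely, since that behaviour is not visible from this file.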


@@ -9,6 +9,7 @@ pub struct FromFileProvider {
pub path: String,
}
pub struct APIUpstreamProvider {
pub config_api_enabled: bool,
pub address: String,
pub masterkey: String,
pub tls_address: Option<String>,


@@ -68,6 +68,7 @@ pub struct AppConfig {
pub master_key: String,
pub config_address: String,
pub proxy_address_http: String,
pub config_api_enabled: bool,
pub config_tls_address: Option<String>,
pub config_tls_certificate: Option<String>,
pub config_tls_key_file: Option<String>,
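Review bot: `pub config_api_enabled: bool` is added to `AppConfig` with no default, so if this struct is deserialized with serde (the YAML config touched in this commit suggests it is, but the derive attributes are outside the hunk) every existing config file that lacks the new key will stop loading with a missing-field error. Marking it `#[serde(default)] pub config_api_enabled: bool,` keeps old files parsing and makes the API default to disabled, which is the fail-closed choice for a remote write endpoint. A doc comment such as `/// When false, the remote config push endpoint rejects every request.` on the field would also help, as the struct carries no documentation here. The `AppConfig` definition starts and ends outside the hunk.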


@@ -36,6 +36,7 @@ impl BackgroundService for LB {
let api_load = APIUpstreamProvider {
address: self.config.config_address.clone(),
masterkey: self.config.master_key.clone(),
config_api_enabled: self.config.config_api_enabled.clone(),
tls_address: self.config.config_tls_address.clone(),
tls_certificate: self.config.config_tls_certificate.clone(),
tls_key_file: self.config.config_tls_key_file.clone(),
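Review bot: `self.config.config_api_enabled.clone()` calls `clone()` on a `bool`, which is `Copy`; Clippy reports this as `clone_on_copy` and the plain read `config_api_enabled: self.config.config_api_enabled,` is the idiomatic form. The same pattern appears in the `AppState` initialiser of the last file section (`config_api_enabled: config.config_api_enabled.clone(),`) and can be fixed the same way. The `APIUpstreamProvider` literal and the method around it continue outside the hunk.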


@@ -35,6 +35,7 @@ struct OutToken {
struct AppState {
master_key: String,
config_sender: Sender<Configuration>,
config_api_enabled: bool,
}
#[allow(unused_mut)]
@@ -42,6 +43,7 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
let app_state = AppState {
master_key: config.masterkey.clone(),
config_sender: to_return.clone(),
config_api_enabled: config.config_api_enabled.clone(),
};
let app = Router::new()
@@ -81,6 +83,13 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
}
async fn conf(State(mut st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
if !st.config_api_enabled {
return Response::builder()
.status(StatusCode::FORBIDDEN)
.body(Body::from("Config remote API is disabled !\n"))
.unwrap();
}
if let Some(s) = params.get("key") {
if s.to_owned() == st.master_key.to_owned() {
if let Some(serverlist) = crate::utils::parceyaml::load_configuration(content.as_str(), "content") {