From d0e4b52ce67de63136c7be5575fd5bb1a9663d9a Mon Sep 17 00:00:00 2001
From: Ara Sadoyan
Date: Fri, 4 Jul 2025 15:06:05 +0200
Subject: [PATCH] Enable/Disable config API from config

---
 README.md | 1 +
 etc/main.yaml | 3 ++-
 src/utils/discovery.rs | 1 +
 src/utils/structs.rs | 1 +
 src/web/bgservice.rs | 1 +
 src/web/webserver.rs | 9 +++++++++
 6 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5581c95..c2e546e 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 | **master_key** | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation |
 | **file_server_folder** | /some/local/folder | Optional, local folder to serve |
 | **file_server_address** | 127.0.0.1:3002 | Optional, Local address for file server. Can set as upstream for public access |
+| **config_api_enabled** | true | Boolean to enable/disable remote config push capability |
 
 ### 🌐 `upstreams.yaml`
 
diff --git a/etc/main.yaml b/etc/main.yaml
index a25ed2e..5a4b43b 100644
--- a/etc/main.yaml
+++ b/etc/main.yaml
@@ -7,6 +7,7 @@ upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
 pid_file: /tmp/aralez.pid # Path to PID file
 error_log: /tmp/aralez_err.log # Path to error log
 upgrade_sock: /tmp/aralez.sock # Path to socket file
+config_api_enabled: true # Boolean to enable/disable remote config push capability.
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
 config_tls_certificate: etc/server.crt # Mandatory if config_tls_address is set
@@ -20,4 +21,4 @@ upstreams_conf: etc/upstreams.yaml # the location of upstreams file
 log_level: info # info, warn, error, debug, trace, off
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
-master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
+master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
\ No newline at end of file
diff --git a/src/utils/discovery.rs b/src/utils/discovery.rs
index 58467ce..ec5568f 100644
--- a/src/utils/discovery.rs
+++ b/src/utils/discovery.rs
@@ -9,6 +9,7 @@ pub struct FromFileProvider {
 pub path: String,
 }
 pub struct APIUpstreamProvider {
+ pub config_api_enabled: bool,
 pub address: String,
 pub masterkey: String,
 pub tls_address: Option,
diff --git a/src/utils/structs.rs b/src/utils/structs.rs
index c1dd26d..f6895d5 100644
--- a/src/utils/structs.rs
+++ b/src/utils/structs.rs
@@ -68,6 +68,7 @@ pub struct AppConfig {
 pub master_key: String,
 pub config_address: String,
 pub proxy_address_http: String,
+ pub config_api_enabled: bool,
 pub config_tls_address: Option,
 pub config_tls_certificate: Option,
 pub config_tls_key_file: Option,
diff --git a/src/web/bgservice.rs b/src/web/bgservice.rs
index e213ba7..f52a4f7 100644
--- a/src/web/bgservice.rs
+++ b/src/web/bgservice.rs
@@ -36,6 +36,7 @@ impl BackgroundService for LB {
 let api_load = APIUpstreamProvider {
 address: self.config.config_address.clone(),
 masterkey: self.config.master_key.clone(),
+ config_api_enabled: self.config.config_api_enabled.clone(),
 tls_address: self.config.config_tls_address.clone(),
 tls_certificate: self.config.config_tls_certificate.clone(),
 tls_key_file: self.config.config_tls_key_file.clone(),
diff --git a/src/web/webserver.rs b/src/web/webserver.rs
index cfd2da9..116abb0 100644
--- a/src/web/webserver.rs
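Review bot: The new `config_api_enabled` field on `APIUpstreamProvider` carries no doc comment, and neither do the same field added to `AppConfig` in `src/utils/structs.rs` and to `AppState` in `src/web/webserver.rs`, so a reader has to find the handler in `webserver.rs` to learn what "enabled" means. Above each field add `/// Gate for the remote config push API; when false the push handler rejects every request with 403 instead of processing the posted upstream list.` Both struct definitions start and end outside their hunks.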
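Review bot: `pub config_api_enabled: bool` is added to `AppConfig` as a required field, so if `AppConfig` is deserialized from `main.yaml` with serde (the README hunk documents it as a `main.yaml` key), every existing deployment whose `main.yaml` predates this key will fail to load its config after upgrading. Mark it `#[serde(default)]` so a missing key deserializes as `false`, which both keeps old configs loading and leaves the remote push API off until an operator turns it on explicitly; then state that absent-means-disabled default in the README row rather than listing only `true`. If `AppConfig` is populated some other way, the same fallback belongs wherever the key is read.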
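Review bot: `self.config.config_api_enabled.clone()` clones a `bool`, which is `Copy`; clippy reports this as `clone_on_copy` and it reads as if the field were a heap value like its `String` neighbours. Write it as a plain field read, `config_api_enabled: self.config.config_api_enabled,`. The `api_load` struct literal and the method that builds it begin and end outside the hunk.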
+++ b/src/web/webserver.rs
@@ -35,6 +35,7 @@ struct OutToken {
 struct AppState {
 master_key: String,
 config_sender: Sender,
+ config_api_enabled: bool,
 }
 
 #[allow(unused_mut)]
@@ -42,6 +43,7 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender, Query(params): Query>, content: String) -> impl IntoResponse {
+ if !st.config_api_enabled {
+ return Response::builder()
+ .status(StatusCode::FORBIDDEN)
+ .body(Body::from("Config remote API is disabled !\n"))
+ .unwrap();
+ }
+
 if let Some(s) = params.get("key") {
 if s.to_owned() == st.master_key.to_owned() {
 if let Some(serverlist) = crate::utils::parceyaml::load_configuration(content.as_str(), "content") {
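Review bot: The added `if !st.config_api_enabled` gate only rejects requests inside the push handler, so with `config_api_enabled: false` the process, as far as this patch shows, still binds `config_address` and `config_tls_address` and answers on them — no hunk in `run_server` or in `bgservice.rs` skips starting the server when the flag is off. A disabled feature is safer when the listener is never opened: check the flag before `run_server` is spawned in `bgservice.rs`, or return early at the top of `run_server` with something like `if !config.config_api_enabled { return; }` adjusted to its return type, and keep this handler check as defence in depth. Any other route served by `run_server` needs the same gate or the flag is only a partial switch; the patch shows only this handler, and the `OutToken` type suggests at least a token endpoint exists. The `@@` header of this last hunk is garbled in the patch as shown, so the handler's signature is not readable here and its enclosing function starts outside the visible hunk.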