#summary Granular remote host blacklisting plugin
#labels Stage-Stable

= Details =
|
Because relying on whitelisting alone is often undesirable in public environments, this module lets you restrict access to your hosts (component or server host) more selectively, either by disallowing access completely (with optional exceptions) or by blacklisting certain sources.
|
= Usage =

Copy the plugin into your Prosody modules directory, then add it to your enabled modules in the global section (modules_enabled).

* The plugin can work either by blocking all remote access (s2s) to a certain resource, with optional exceptions (useful for components)
* Or by selectively blocking certain remote hosts through blacklisting (by using host_guard_selective and host_guard_blacklist)
|
= Configuration =

|| *Option name* || *Description* ||
|| host_guard_blockall || A list of local hosts to protect from incoming s2s ||
|| host_guard_blockall_exceptions || A list of remote hosts that are always allowed to access hosts listed in host_guard_blockall ||
|| host_guard_selective || A list of local hosts to allow selective filtering (blacklist) of incoming s2s connections ||
|| host_guard_blacklist || A blacklist of remote hosts that are not allowed to access hosts listed in host_guard_selective ||
|
== Example ==
<code language="lua">
host_guard_blockall = { "no_access.yourhost.com", "no_access2.yourhost.com" } -- local hosts for which all remote (s2s) traffic is forbidden.
host_guard_blockall_exceptions = { "i_can_access.no_access.yourhost.com" } -- optional: remote hosts exempt from the above.
host_guard_selective = { "no_access_from_blsted.myhost.com", "no_access_from_blsted.mycomponent.com" } -- local hosts on which blacklisting is applied.
host_guard_blacklist = { "remoterogueserver.com", "remoterogueserver2.com" } -- required by the selective mode above: remote servers to blacklist.
</code>
|
These settings are re-read when the server configuration is reloaded, so you do not need to restart the server.
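
The option semantics from the configuration table, modelled as an added Lua example that is not the plugin's own code: it checks a configuration for combinations that do nothing or contradict each other, then evaluates which remote hosts would reach each guarded host. It assumes exact host-name matching and that a host_guard_blockall entry is evaluated before host_guard_selective; the host names and the functions `to_set`, `s2s_allowed` and `lint` are constructed for illustration.

```lua
-- Added example modelling the documented options; not the plugin's own code.
-- Assumptions: exact host-name matching; blockall is checked before selective.
local config = { -- constructed sample values
  host_guard_blockall = { "conference.example.org" },
  host_guard_blockall_exceptions = { "partner.example.net" },
  host_guard_selective = { "example.org" },
  host_guard_blacklist = { "spam.example.com" },
}

-- Turn a list of host names into a lookup set.
local function to_set(list)
  local set = {}
  for _, host in ipairs(list or {}) do set[host] = true end
  return set
end

-- May incoming s2s traffic from `remote` reach `local_host`?
local function s2s_allowed(cfg, local_host, remote)
  if to_set(cfg.host_guard_blockall)[local_host] then
    return to_set(cfg.host_guard_blockall_exceptions)[remote] == true
  end
  if to_set(cfg.host_guard_selective)[local_host] then
    return not to_set(cfg.host_guard_blacklist)[remote]
  end
  return true -- local host is not guarded by either mode
end

-- Report option combinations that do nothing or contradict each other.
local function lint(cfg)
  local warnings = {}
  local blockall = to_set(cfg.host_guard_blockall)
  local selective = to_set(cfg.host_guard_selective)
  local function warn(msg) warnings[#warnings + 1] = msg end
  if next(selective) and not next(to_set(cfg.host_guard_blacklist)) then
    warn("host_guard_selective is set but host_guard_blacklist is empty")
  end
  if next(to_set(cfg.host_guard_blockall_exceptions)) and not next(blockall) then
    warn("host_guard_blockall_exceptions is set but host_guard_blockall is empty")
  end
  for host in pairs(blockall) do
    if selective[host] then warn(host .. " is in both blockall and selective") end
  end
  return warnings
end

for _, w in ipairs(lint(config)) do print("warning: " .. w) end
for _, remote in ipairs({ "partner.example.net", "spam.example.com", "other.example.net" }) do
  print(remote, s2s_allowed(config, "conference.example.org", remote), s2s_allowed(config, "example.org", remote))
end
```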
|
= Compatibility =

* Works with 0.8.x, later versions and trunk.