--- a/mod_http_health/README.md Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/README.md Sun Nov 05 19:22:46 2023 +0100
@@ -12,6 +12,22 @@
}
```
+## Access control
+
+By default only access via localhost is allowed. This can be adjusted with `http_health_allow_ips`. The following example shows the default:
+
+```
+http_health_allow_ips = { "::1"; "127.0.0.1" }
+```
+
+Access can also be granted to one IP range via CIDR notation:
+
+```
+http_health_allow_cidr = "172.17.2.0/24"
+```
+
+The default for `http_health_allow_cidr` is empty.
+
# Details
Adds a `http://your.prosody.example:5280/health` endpoint that returns either HTTP status code 200 when all appears to be good or 500 when any module
--- a/mod_http_health/mod_http_health.lua Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/mod_http_health.lua Sun Nov 05 19:22:46 2023 +0100
@@ -1,11 +1,29 @@
module:set_global();
+local ip = require "util.ip";
local modulemanager = require "core.modulemanager";
+local permitted_ips = module:get_option_set("http_health_allow_ips", { "::1", "127.0.0.1" });
+local permitted_cidr = module:get_option_string("http_health_allow_cidr");
+
+local function is_permitted(request)
+ local ip_raw = request.ip;
+ if permitted_ips:contains(ip_raw) or
+ (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then
+ return true;
+ end
+ return false;
+end
+
module:provides("http", {
route = {
- GET = function()
+ GET = function(event)
+ local request = event.request;
+ if not is_permitted(request) then
+ return 403; -- Forbidden
+ end
+
for host in pairs(prosody.hosts) do
local mods = modulemanager.get_modules(host);
for _, mod in pairs(mods) do