author Sergey Poznyakoff <gray@nxc.no> 2017-08-17 13:28:26 (GMT)
committer Sergey Poznyakoff <gray@nxc.no> 2017-08-17 14:31:22 (GMT)
commit 41249de4eba7c7ab53849e511f3a59733244de9e
tree 56311e8632635e0fd9e968fc8ac2f9370bed370e
parent f25c77a5f9af8e0c4eb40dfae1683f383104ed3a
Fix libwrap usage
* src/server.c (nssync_mhd_acl): Don't use fromhost, since we don't have the connection descriptor. Instead set the socket methods explicitly.
Diffstat
-rw-r--r-- doc/nssync.texi 28
-rw-r--r-- src/server.c 5
2 files changed, 31 insertions, 2 deletions
diff --git a/doc/nssync.texi b/doc/nssync.texi
index 22852c7..118b398 100644
--- a/doc/nssync.texi
+++ b/doc/nssync.texi
@@ -199,10 +199,12 @@ procedure. The wake-up interval is configured using the
@samp{server.wakeup} statement (@pxref{server.wakeup}). Default value
is 3600 (1 hour).
+@cindex REST API
The REST API provides a single endpoint: @samp{/nssync}. Two methods
are supported:
@table @asis
+@cindex POST, REST API
@item POST
A @samp{POST} request to the URI @samp{/nssync} schedules the
synchronization. The configuration statement @samp{server.delay}
@@ -247,11 +249,37 @@ if the error is a general one.
@end table
@end table
+@cindex GET, REST API
@item GET
Returns the status of the last synchronization. See above for the
format.
@end table
+@cindex libwrap
+@cindex TCP wrappers
+@findex /etc/hosts.allow
+@findex /etc/hosts.deny
+Access to the HTTP socket is controlled by TCP wrappers library, with
+server name @samp{nssync}. To make sure the socket is accessible only
+from trusted IP addresses, add the following line to your
+@file{/etc/hosts.allow} file:
+
+@example
+nssync: @var{ip-list}
+@end example
+
+@noindent
+where @var{ip-list} is a whitespace-separated list of IP addresses.
+Then add the following line to @file{/etc/hosts.deny} to make sure
+nobody else has access to the interface:
+
+@example
+nssync: ALL
+@end example
+
+@xref{hosts_access, format of host access control files,,hosts_access(5), hosts_access(5) man page}, for a detailed discussion
+of the host access control files.
+
In server mode, all diagnostics is reported via syslog.
@node Configuration File
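Review bot: The @xref closing the new access-control paragraph passes "hosts_access(5)" in the fourth argument, which Texinfo reads as an Info file name, so Info output will carry a cross-reference to a manual that does not exist. A man page is better cited in running text, for example "See the hosts_access(5) man page for a detailed discussion of the host access control files." Two smaller points in the same block: "controlled by TCP wrappers library" needs an article ("by the TCP wrappers library"), and @findex files /etc/hosts.allow and /etc/hosts.deny under the function index, where @cindex would be the more natural home for file names. It would also help to say that @var{ip-list} accepts the other hosts_access(5) patterns, not only literal IP addresses, if that is intended.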
diff --git a/src/server.c b/src/server.c
index a0b0312..f0e6169 100644
--- a/src/server.c
+++ b/src/server.c
@@ -88,8 +88,9 @@ nssync_mhd_acl(void *cls, const struct sockaddr *addr, socklen_t addrlen)
request_init(&req,
RQ_DAEMON, "nssync",
RQ_CLIENT_SIN, addr,
+ RQ_SERVER_SIN, cls,
NULL);
- fromhost(&req);
+ sock_methods(&req);
return hosts_access(&req) ? MHD_YES : MHD_NO;
}
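Review bot: In the request_init() call, cls goes to RQ_SERVER_SIN as a bare void * with no NULL check, and because request_init() is variadic the compiler cannot verify that it is the struct sockaddr_in * that key expects. Suggest a typed local (struct sockaddr_in *srv = cls;), returning MHD_NO when it is NULL so the ACL fails closed, and passing srv instead. The same applies to addr, which arrives as a const struct sockaddr * and is passed to RQ_CLIENT_SIN without looking at sa_family. A short comment above sock_methods(&req) stating why fromhost() cannot be used here (no connection descriptor in this callback, per the commit log) would save the next reader a trip to the history.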
@@ -328,7 +329,7 @@ nssync_server(void)
MHD_set_panic_func(nssync_mhd_panic, NULL);
mhd = MHD_start_daemon(MHD_USE_INTERNAL_POLLING_THREAD
| MHD_USE_ERROR_LOG, 0,
- nssync_mhd_acl, NULL,
+ nssync_mhd_acl, server_addr,
nssync_mhd_handler, NULL,
MHD_OPTION_LISTEN_SOCKET, fd,
MHD_OPTION_EXTERNAL_LOGGER, nssync_mhd_logger, NULL,
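Review bot: server_addr is now the closure for nssync_mhd_acl, which is called on every incoming connection, so it must stay valid for the whole lifetime of the daemon, and the hunk shows neither its declaration nor its storage class. Please confirm it has static or otherwise daemon-long storage and that its type matches what the callback passes to RQ_SERVER_SIN. Since the listening socket is supplied separately as fd via MHD_OPTION_LISTEN_SOCKET, it is also worth making sure server_addr is the address that fd is actually bound to (for instance by filling it from getsockname() on fd), otherwise hosts_access() evaluates server-side patterns against the wrong address.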
