Fix libwrap usage

* src/server.c (nssync_mhd_acl): Don't use fromhost, since we don't have the connection descriptot. Instead set the socket methods explicitly
author: Sergey Poznyakoff <gray@nxc.no> 2017-08-17 16:28:26 +0300
committer: Sergey Poznyakoff <gray@nxc.no> 2017-08-17 17:31:22 +0300
commit: 41249de4eba7c7ab53849e511f3a59733244de9e (patch)
tree: 56311e8632635e0fd9e968fc8ac2f9370bed370e
parent: f25c77a5f9af8e0c4eb40dfae1683f383104ed3a (diff)
download: nssync-41249de4eba7c7ab53849e511f3a59733244de9e.tar.gz
nssync-41249de4eba7c7ab53849e511f3a59733244de9e.tar.bz2
2 files changed, 31 insertions, 2 deletions
diff --git a/doc/nssync.texi b/doc/nssync.texi
index 22852c7..118b398 100644
--- a/doc/nssync.texi
+++ b/doc/nssync.texi
@@ -199,10 +199,12 @@ procedure.  The wake-up interval is configured using the
 @samp{server.wakeup} statement (@pxref{server.wakeup}).  Default value
 is 3600 (1 hour).
+@cindex REST API
 The REST API provides a single endpoint: @samp{/nssync}.  Two methods
 are supported:
 @table @asis
+@cindex POST, REST API
 @item POST
 A @samp{POST} request to the URI @samp{/nssync} schedules the
 synchronization. The configuration statement @samp{server.delay}
@@ -247,11 +249,37 @@ if the error is a general one.
 @end table
 @end table
+@cindex GET, REST API
 @item GET
 Returns the status of the last synchronization. See above for the
 format.
 @end table
+@cindex libwrap
+@cindex TCP wrappers
+@findex /etc/hosts.allow
+@findex /etc/hosts.deny
+Access to the HTTP socket is controlled by TCP wrappers library, with
+server name @samp{nssync}.  To make sure the socket is accessible only
+from trusted IP addresses, add the following line to your
+@file{/etc/hosts.allow} file:
+@example
+nssync: @var{ip-list}
+@end example
+@noindent
+where @var{ip-list} is a whitespace-separated list of IP addresses.
+Then add the following line to @file{/etc/hosts.deny} to make sure
+nobody else has access to the interface:
+@example
+nssync: ALL
+@end example
+@xref{hosts_access, format of host access control files,,hosts_access(5), hosts_access(5) man page}, for a detailed discussion
+of the host access control files.
 In server mode, all diagnostics is reported via syslog.
 @node Configuration File
diff --git a/src/server.c b/src/server.c
index a0b0312..f0e6169 100644
--- a/src/server.c
+++ b/src/server.c
@@ -88,8 +88,9 @@ nssync_mhd_acl(void *cls, const struct sockaddr *addr,  socklen_t addrlen)
        request_init(&req,
                     RQ_DAEMON, "nssync",
                     RQ_CLIENT_SIN, addr,
+                     RQ_SERVER_SIN, cls,
                     NULL);
-        fromhost(&req);
+        sock_methods(&req);
        return hosts_access(&req) ? MHD_YES : MHD_NO;
 }
@@ -328,7 +329,7 @@ nssync_server(void)
        MHD_set_panic_func(nssync_mhd_panic, NULL);
        mhd = MHD_start_daemon(MHD_USE_INTERNAL_POLLING_THREAD
                               | MHD_USE_ERROR_LOG, 0,
-                               nssync_mhd_acl, NULL,
+                               nssync_mhd_acl, server_addr,
                               nssync_mhd_handler, NULL,
                               MHD_OPTION_LISTEN_SOCKET, fd,
                               MHD_OPTION_EXTERNAL_LOGGER, nssync_mhd_logger, NULL,
author	Sergey Poznyakoff <gray@nxc.no>	2017-08-17 16:28:26 +0300
committer	Sergey Poznyakoff <gray@nxc.no>	2017-08-17 17:31:22 +0300
commit	41249de4eba7c7ab53849e511f3a59733244de9e (patch)
tree	56311e8632635e0fd9e968fc8ac2f9370bed370e
parent	f25c77a5f9af8e0c4eb40dfae1683f383104ed3a (diff)
download	nssync-41249de4eba7c7ab53849e511f3a59733244de9e.tar.gz nssync-41249de4eba7c7ab53849e511f3a59733244de9e.tar.bz2