From 4a0a2ab9b3a21acbe1f90f9e1abce9c67089b5e1 Mon Sep 17 00:00:00 2001
From: Christophe Monniez
Date: Thu, 18 Aug 2022 13:15:13 +0200
Subject: [PATCH] [IMP] runbot: add blacklist support
Deny access to running builds by setting a white spaces separated list of ip's in `runbot.client.blacklist` config parameter.
---
 runbot/models/runbot.py | 16 +++++++++++++++-
 runbot/templates/nginx.xml | 6 ++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/runbot/models/runbot.py b/runbot/models/runbot.py
index 499c6b00..a377d0bd 100644
--- a/runbot/models/runbot.py
+++ b/runbot/models/runbot.py
@@ -8,6 +8,7 @@ import subprocess
 import shutil
 from contextlib import contextmanager 
+from pathlib import Path
 from requests.exceptions import HTTPError
 from subprocess import CalledProcessError
@@ -162,7 +163,7 @@ class Runbot(models.AbstractModel):
 if os.path.isfile(nginx_conf_path):
 with open(nginx_conf_path, 'r') as f:
 content = f.read() 
- if content != nginx_config: 
+ if content != nginx_config or self._write_nginx_blacklist():
 _logger.info('reload nginx')
 with open(nginx_conf_path, 'w') as f:
 f.write(str(nginx_config))
@@ -179,6 +180,19 @@ class Runbot(models.AbstractModel):
 else:
 _logger.warning('failed to start nginx - failed to kill orphan worker - oh well') 
+ def _write_nginx_blacklist(self): 
+ """ Build and write an nginx black list of ip adresses. 
+ :returns: True if the file changed and thus nginx needs a reload 
+ """ 
+ ips = self.env['ir.config_parameter'].get_param('runbot.client.blacklist', default='') 
+ if ips: 
+ new_content = '\n'.join([f'deny {ip.strip()};' for ip in ips.split(' ')]) 
+ blacklist_path = Path(self._root()) / 'nginx/blacklist.conf' 
+ content = blacklist_path.exists() and blacklist_path.read_text() 
+ if new_content != content: 
+ blacklist_path.write_text() 
+ return True 
+
 def _get_cron_period(self):
 """ Compute a randomized cron period with a 2 min margin below real cron timeout from config. 
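Review bot: The new condition `if content != nginx_config or self._write_nginx_blacklist():` short-circuits, so on any pass where the main config text differs the blacklist file is not rewritten at all and nginx is reloaded with whatever `blacklist.conf` was there before; the deny list only catches up on a later pass when the main config happens to be unchanged. Evaluating the blacklist write before the comparison removes that dependency, e.g. `blacklist_changed = self._write_nginx_blacklist()` followed by `if content != nginx_config or blacklist_changed:`. The enclosing method starts and ends outside the hunk, and the branch taken when `nginx_conf_path` does not exist yet is not visible, so whether the blacklist is written on a fresh start cannot be confirmed from here.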
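Review bot: `blacklist_path.write_text()` is called without the text to write, so the first time `runbot.client.blacklist` is set this raises `TypeError` from inside the nginx reload path and no deny list is ever written; it should be `blacklist_path.write_text(new_content)`. Two related gaps in the same method: `ips.split(' ')` turns a doubled, leading or trailing space into an empty entry and emits `deny ;`, which nginx rejects at reload, so `ips.split()` is the safer form, and since the parameter is operator-entered free text each entry is worth validating with `ipaddress.ip_network(ip, strict=False)` (needs `import ipaddress`) so a typo fails here with a clear error rather than breaking the reload. When the parameter is later cleared the `if ips:` guard skips the whole body, so the existing `blacklist.conf` keeps denying the old addresses; writing an empty file in that case and returning True to trigger the reload releases them. The unchanged path also falls off the end returning `None`, which the caller's `or` tolerates, but an explicit `return False` matches the documented contract.
```python
    def _write_nginx_blacklist(self):
        """ Build and write an nginx black list of ip addresses.
        :returns: True if the file changed and thus nginx needs a reload
        """
        ips = self.env['ir.config_parameter'].get_param('runbot.client.blacklist', default='')
        # split() drops empty entries that would otherwise become an invalid `deny ;` line;
        # ip_network() rejects a malformed entry here instead of at nginx reload time
        new_content = '\n'.join(f'deny {ipaddress.ip_network(ip, strict=False)};' for ip in ips.split())
        blacklist_path = Path(self._root()) / 'nginx/blacklist.conf'
        content = blacklist_path.read_text() if blacklist_path.exists() else None
        if new_content != content:
            # an empty parameter writes an empty file so previously denied addresses are released
            blacklist_path.write_text(new_content)
            return True
        return False
```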
diff --git a/runbot/templates/nginx.xml b/runbot/templates/nginx.xml
index 8dadb519..078c9198 100644
--- a/runbot/templates/nginx.xml
+++ b/runbot/templates/nginx.xml
@@ -37,6 +37,12 @@ proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $real_scheme;
 proxy_set_header Host $host; 
+set_real_ip_from 127.0.0.1; 
+real_ip_header X-Forwarded-For; 
+real_ip_recursive on; 
+ 
+include blacklist*.conf; 
+
 server {
 listen 8080 default;
 location /runbot/static/ {
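Review bot: `include blacklist*.conf;` is a relative path, and nginx resolves relative `include` paths against its prefix directory rather than against the file that contains the directive; a wildcard include that matches nothing is not an error, so unless the prefix is the same `nginx/` directory the Python side writes `blacklist.conf` into, the deny list is silently never loaded. Rendering an absolute path into the template (the nginx root the Python side already knows) would make that misconfiguration fail loudly at config-test time instead. Separately, the deny rules only see client addresses through `set_real_ip_from 127.0.0.1` / `real_ip_header X-Forwarded-For`, so they are exactly as trustworthy as whatever on 127.0.0.1 forwards the traffic: that front proxy must set or append `X-Forwarded-For` itself rather than pass a client-supplied header through, and the list should be understood as an abuse control, not an authentication boundary. A short comment above the block would help the next maintainer, e.g. `# client addresses are taken from X-Forwarded-For as set by the front proxy on 127.0.0.1; keep set_real_ip_from in sync with that proxy`.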