feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626

2025-02-25 18:55:37 -06:00 · 2015-09-09 17:21:25 +02:00 · 2015-09-09 17:21:25 +02:00 · 9603dce469
commit 9603dce469
parent 13190f6f15
4 changed files with 33 additions and 11 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -121,6 +121,9 @@ cookie_remember_name = grafana_remember
 # disable gravatar profile images
 disable_gravatar = false

+# data source proxy whitelist (ip_or_domain:port seperated by spaces)
+data_source_proxy_whitelist =
+
 #################################### Users ####################################
 [users]
 # disable user signup / registration
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -3,7 +3,7 @@
 # Everything has defaults so you only need to uncomment things you want to
 # change

-# possible values : production, development    
+# possible values : production, development
 ; app_mode = production

 #################################### Paths ####################################
@ -117,6 +117,9 @@
 # disable gravatar profile images
 ;disable_gravatar = false

+# data source proxy whitelist (ip_or_domain:port seperated by spaces)
+;data_source_proxy_whitelist =
+
 #################################### Users ####################################
 [users]
 # disable user signup / registration
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@ -11,6 +11,7 @@ import (
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/middleware"
 	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

@ -24,30 +25,28 @@ var dataProxyTransport = &http.Transport{
 	TLSHandshakeTimeout: 10 * time.Second,
 }

-func NewReverseProxy(ds *m.DataSource, proxyPath string) *httputil.ReverseProxy {
-	target, _ := url.Parse(ds.Url)
-
+func NewReverseProxy(ds *m.DataSource, proxyPath string, targetUrl *url.URL) *httputil.ReverseProxy {
 	director := func(req *http.Request) {
-		req.URL.Scheme = target.Scheme
-		req.URL.Host = target.Host
-		req.Host = target.Host
+		req.URL.Scheme = targetUrl.Scheme
+		req.URL.Host = targetUrl.Host
+		req.Host = targetUrl.Host

 		reqQueryVals := req.URL.Query()

 		if ds.Type == m.DS_INFLUXDB_08 {
-			req.URL.Path = util.JoinUrlFragments(target.Path, "db/"+ds.Database+"/"+proxyPath)
+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, "db/"+ds.Database+"/"+proxyPath)
 			reqQueryVals.Add("u", ds.User)
 			reqQueryVals.Add("p", ds.Password)
 			req.URL.RawQuery = reqQueryVals.Encode()
 		} else if ds.Type == m.DS_INFLUXDB {
-			req.URL.Path = util.JoinUrlFragments(target.Path, proxyPath)
+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
 			reqQueryVals.Add("db", ds.Database)
 			req.URL.RawQuery = reqQueryVals.Encode()
 			if !ds.BasicAuth {
 				req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.User, ds.Password))
 			}
 		} else {
-			req.URL.Path = util.JoinUrlFragments(target.Path, proxyPath)
+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
 		}

 		if ds.BasicAuth {
@ -72,11 +71,20 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 		return
 	}

+	ds := query.Result
+	targetUrl, _ := url.Parse(ds.Url)
+	if len(setting.DataProxyWhiteList) > 0 {
+		if _, exists := setting.DataProxyWhiteList[targetUrl.Host]; !exists {
+			c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)
+			return
+		}
+	}
+
 	if query.Result.Type == m.DS_CLOUDWATCH {
 		ProxyCloudWatchDataSourceRequest(c)
 	} else {
 		proxyPath := c.Params("*")
-		proxy := NewReverseProxy(&query.Result, proxyPath)
+		proxy := NewReverseProxy(&ds, proxyPath, targetUrl)
 		proxy.Transport = dataProxyTransport
 		proxy.ServeHTTP(c.RW(), c.Req.Request)
 	}
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -73,6 +73,7 @@ var (
 	CookieRememberName    string
 	DisableGravatar       bool
 	EmailCodeValidMinutes int
+	DataProxyWhiteList    map[string]bool

 	// User settings
 	AllowUserSignUp    bool
@ -378,6 +379,7 @@ func NewConfigContext(args *CommandLineArgs) {
 	EnableGzip = server.Key("enable_gzip").MustBool(false)
 	EnforceDomain = server.Key("enforce_domain").MustBool(false)

+	// read security settings
 	security := Cfg.Section("security")
 	SecretKey = security.Key("secret_key").String()
 	LogInRememberDays = security.Key("login_remember_days").MustInt()
@ -385,6 +387,12 @@ func NewConfigContext(args *CommandLineArgs) {
 	CookieRememberName = security.Key("cookie_remember_name").String()
 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)

+	//  read data source proxy white list
+	DataProxyWhiteList = make(map[string]bool)
+	for _, hostAndIp := range security.Key("data_source_proxy_whitelist").Strings(" ") {
+		DataProxyWhiteList[hostAndIp] = true
+	}
+
 	// admin
 	AdminUser = security.Key("admin_user").String()
 	AdminPassword = security.Key("admin_password").String()