New option to use and configure Prosody mod_firewall WIP (#97):

* new setting * new configuration screen for Peertube admins * include the mod_firewall module * load mod_firewall if enabled * sys admin can disable the firewall config editing by creating a special file on the disk * user documentation
2024-08-12 18:17:31 +02:00
parent 481f265a44
commit 8e99199f29
76 changed files with 7577 additions and 300 deletions
--- a/server/lib/prosody/config.ts
+++ b/server/lib/prosody/config.ts
@ -18,6 +18,7 @@ import { getRemoteServerInfosDir } from '../federation/storage'
 import { BotConfiguration } from '../configuration/bot'
 import { debugMucAdmins } from '../debug'
 import { ExternalAuthOIDC } from '../external-auth/oidc'
+import { listModFirewallFiles } from '../firewall/config'

 async function getWorkingDir (options: RegisterServerOptions): Promise<string> {
  const peertubeHelpers = options.peertubeHelpers
@ -139,7 +140,8 @@ async function getProsodyFilePaths (options: RegisterServerOptions): Promise<Pro
    execCtl,
    execCtlArgs,
    appImageToExtract,
-    appImageExtractPath
+    appImageExtractPath,
+    modFirewallFiles: path.resolve(dir, 'mod_firewall_config')
  }
 }

@ -185,7 +187,8 @@ async function getProsodyConfig (options: RegisterServerOptionsV5): Promise<Pros
    'auto-ban-anonymous-ip',
    'federation-dont-publish-remotely',
    'disable-channel-configuration',
-    'chat-terms'
+    'chat-terms',
+    'prosody-firewall-enabled'
  ])

  const valuesToHideInDiagnostic = new Map<string, string>()
@ -379,6 +382,13 @@ async function getProsodyConfig (options: RegisterServerOptionsV5): Promise<Pros

  config.usePoll()

+  if (settings['prosody-firewall-enabled'] === true) {
+    const modFirewallFiles = await listModFirewallFiles(options, paths.modFirewallFiles)
+    // We load the module, even if there is no configuration file.
+    // So we will be sure that a Prosody reload is enought to take into account any change.
+    config.useModFirewall(modFirewallFiles)
+  }
+
  config.useTestModule(apikey, testApiUrl)

  const debugMucAdminJids = debugMucAdmins(options)
--- a/server/lib/prosody/config/content.ts
+++ b/server/lib/prosody/config/content.ts
@ -553,6 +553,15 @@ class ProsodyConfigContent {
    this.muc.set('poll_string_vote_instructions', loc('poll_vote_instructions_xmpp'))
  }

+  /**
+   * Enable mod_firewall.
+   * @param files file paths to load (ordered)
+   */
+  useModFirewall (files: string[]): void {
+    this.global.add('modules_enabled', 'firewall')
+    this.global.set('firewall_scripts', files)
+  }
+
  addMucAdmins (jids: string[]): void {
    for (const jid of jids) {
      this.muc.add('admins', jid)
--- a/server/lib/prosody/config/paths.ts
+++ b/server/lib/prosody/config/paths.ts
@ -22,6 +22,7 @@ interface ProsodyFilePaths {
  execCtlArgs: string[]
  appImageToExtract?: string
  appImageExtractPath: string
+  modFirewallFiles: string
 }

 export {