Only allow localhost or allowManagementFrom

```sh travis@cattail> cat /Library/Application\ Support/ZeroTier/One/local.conf ~/repos/github.com/zerotier/ZeroTierOne { "settings": { "forceTcpRelay": true, "tcpFallbackRelay": "192.168.82.3/9443", "allowManagementFrom": ["192.168.82.0/24"] } } travis@cattail> curl localhost:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne hello travis@cattail> curl 192.168.82.193:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne hello travis@cattail> curl -v 10.123.15.208:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne * Trying 10.123.15.208:9993... * Connected to 10.123.15.208 (10.123.15.208) port 9993 (#0) > GET /app/hello/ HTTP/1.1 > Host: 10.123.15.208:9993 > User-Agent: curl/8.1.2 > Accept: */* > < HTTP/1.1 401 Unauthorized < Content-Length: 2 < Content-Type: application/json < Keep-Alive: timeout=5, max=5 < * Connection #0 to host 10.123.15.208 left intact {}% ```
zerotier · Mar 5, 2024 · 67d13eb · 67d13eb
1 parent b295100
commit 67d13eb
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/service/OneService.cpp b/service/OneService.cpp
@@ -1597,9 +1597,6 @@ class OneServiceImpl : public OneService
 				setContent(req, res, "{}");
 				res.status = 401;
 				return httplib::Server::HandlerResponse::Handled;
-			// Web Apps base path
-			} else if (req.path.rfind("/app", 0) == 0) { //starts with /app
-				return httplib::Server::HandlerResponse::Unhandled;
 			} else {
 				std::string r = req.remote_addr;
 				InetAddress remoteAddr(r.c_str());
@@ -1627,6 +1624,11 @@ class OneServiceImpl : public OneService
 						isAuth = true;
 					}
 
+					// Web Apps base path
+					if (req.path.rfind("/app", 0) == 0) { //starts with /app
+						isAuth = true;
+					}
+
 					if (!isAuth) {
 						// check auth token
 						if (req.has_header("x-zt1-auth")) {