From 67d13ebb1ed0e9ebf7ae46cb52cf9acf71905c00 Mon Sep 17 00:00:00 2001
From: travisladuke
Date: Tue, 5 Mar 2024 08:11:58 -0800
Subject: [PATCH] Only allow localhost or allowManagementFrom

```sh travis@cattail> cat /Library/Application\ Support/ZeroTier/One/local.conf ~/repos/github.com/zerotier/ZeroTierOne { "settings": { "forceTcpRelay": true, "tcpFallbackRelay": "192.168.82.3/9443", "allowManagementFrom": ["192.168.82.0/24"] } } travis@cattail> curl localhost:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne hello travis@cattail> curl 192.168.82.193:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne hello travis@cattail> curl -v 10.123.15.208:9993/app/hello/ ~/repos/github.com/zerotier/ZeroTierOne * Trying 10.123.15.208:9993... * Connected to 10.123.15.208 (10.123.15.208) port 9993 (#0) > GET /app/hello/ HTTP/1.1 > Host: 10.123.15.208:9993 > User-Agent: curl/8.1.2 > Accept: */* > < HTTP/1.1 401 Unauthorized < Content-Length: 2 < Content-Type: application/json < Keep-Alive: timeout=5, max=5 < * Connection #0 to host 10.123.15.208 left intact {}% ```
---
 service/OneService.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/service/OneService.cpp b/service/OneService.cpp
index d754db679..5d01301b0 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -1597,9 +1597,6 @@ class OneServiceImpl : public OneService
 setContent(req, res, "{}");
 res.status = 401;
 return httplib::Server::HandlerResponse::Handled;
- // Web Apps base path
- } else if (req.path.rfind("/app", 0) == 0) { //starts with /app
- return httplib::Server::HandlerResponse::Unhandled;
 } else {
 std::string r = req.remote_addr;
 InetAddress remoteAddr(r.c_str());
@@ -1627,6 +1624,11 @@ class OneServiceImpl : public OneService
 isAuth = true;
 }
 
+ // Web Apps base path
+ if (req.path.rfind("/app", 0) == 0) { //starts with /app
+ isAuth = true;
+ }
+
 if (!isAuth) {
 // check auth token
 if (req.has_header("x-zt1-auth")) {
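Review bot: The relocated exemption in the second hunk tests `req.path.rfind("/app", 0) == 0`, which matches any path whose first four characters are `/app`, not only the `/app/...` web-app namespace, so any other route beginning with those characters would also skip the `x-zt1-auth` token check that follows. A tighter test such as `if (req.path == "/app" || req.path.rfind("/app/", 0) == 0) {` keeps the bypass to the intended prefix. Because the check now runs after the remote-address handling instead of returning Unhandled before it, it presumably only waives the token requirement for clients that already passed the localhost/allowManagementFrom check, which is what the 401 in the description shows; the surrounding handler begins and ends outside both hunks, so confirm nothing between the address check and this line returns early for allowed addresses. The comment `//starts with /app` restates the code; a why-comment such as `// Web app assets are served without a token, but only to addresses the management check already accepted` would help the next reader.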