abh / geodns

DNS server with per-client targeted responses
Apache License 2.0

Add option to make debugging queries private #81

Closed abligh closed 4 years ago

abligh commented 9 years ago

Add an option to make debugging queries private, meaning only accepted from the loopback address. The debugging queries (i.e. _status, _health and possibly _country) contain information which may be either commercially sensitive or security sensitive. Therefore provide an option (-privatedebug) which if set does not return these unless the query comes from the loopback address.

abh commented 9 years ago

The _country query only makes sense from "real" users, I think (except if you debug by setting edns client subnet, I guess).

I think we need a similar option to add http basic auth to the http and websocket interface.

Would all these options fit better in the config file?

Ask


abligh commented 9 years ago

Most of these comments are on the logto option (rather than the subject of this PR - `private-debug`). I'll handle them under that PR - sorry for giving you so many at once.

I think these are the comments relevant to this issue:

> The _country query only makes sense from "real" users, I think (except if you debug by setting edns client subnet, I guess).

You are quite right. It's pretty pointless to disable this. Fixed in the next version I will push.

> I think we need a similar option to add http basic auth to the http and websocket interface.

I think that's an orthogonal question. You can secure the http interface by making it bind to 127.0.0.1, which you do via the command line and is exactly what gave me the idea for this! I wouldn't consider a non-https service protected by basic auth secure anyway - as it can be snooped, whereas binding to 127.0.0.1 is fine. That's not to say adding basic auth would be a bad idea - just you don't need it to get security. Binding to 127.0.0.1 is also useful in that you can still access it with ssh forwarding.

So I don't think there's any need to address this in this PR.

> Would all these options fit better in the config file?

I'd rather not, to be honest - I think these are how the server is launched (effectively what it binds to and whether debugging is enabled), and I'd prefer not to change the config file in order to up the debugging level.

However, I did wonder whether this option should be enabled by default (i.e. make the option called publicdebug or similar), on the basis that it is better to make it secure by default; I also wonder whether the http interface should bind to 127.0.0.1 by default rather than all interfaces for the same reason. I can do that in a subsequent commit if you like.
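A sketch of the source-address gate discussed in this thread, added here as an illustration; it is not the code from the linked commit or from geodns itself. The function names, the first-label matching and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// privateLabels are the debugging labels the thread treats as sensitive.
// _country is absent on purpose: the discussion concluded it stays public.
var privateLabels = map[string]bool{"_status": true, "_health": true}

// isDebugQuery reports whether the first label of qname is a private
// debugging label (assumption: the label is matched case-insensitively).
func isDebugQuery(qname string) bool {
	first, _, _ := strings.Cut(strings.ToLower(qname), ".")
	return privateLabels[first]
}

// fromLoopback reports whether remoteAddr ("ip:port") is a loopback source.
// An address that does not parse is treated as non-loopback (fail closed).
func fromLoopback(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false
	}
	// Unmap so ::ffff:127.0.0.1, as seen on a dual-stack socket, counts as 127.0.0.1.
	return ap.Addr().Unmap().IsLoopback()
}

// allowQuery is a hypothetical gate a DNS handler would call before answering.
// privateDebug stands for the -privatedebug option proposed in this PR.
func allowQuery(privateDebug bool, remoteAddr, qname string) bool {
	if !privateDebug || !isDebugQuery(qname) {
		return true
	}
	return fromLoopback(remoteAddr)
}

func main() {
	// Constructed sample queries: {source address, query name}.
	samples := [][2]string{
		{"127.0.0.1:40000", "_status.example.com."},
		{"[::ffff:127.0.0.1]:40000", "_health.example.com."},
		{"203.0.113.9:40000", "_status.example.com."},
		{"203.0.113.9:40000", "_country.example.com."},
	}
	for _, s := range samples {
		fmt.Printf("%-26s %-24s allowed=%v\n", s[0], s[1], allowQuery(true, s[0], s[1]))
	}
}
```

The check uses the packet's source address, so it is only as trustworthy as the transport: over UDP a source address can be spoofed, although a spoofed loopback source does not receive the reply.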

abligh commented 9 years ago

Fixed - new commit https://github.com/abligh/geodns/commit/f84d9abc4f36450a8b8f67081c6ad557be069751

abligh commented 9 years ago

Rebased

abligh commented 9 years ago

@abh : any chance you could take a look at this one - I think it's pretty uncontroversial.

abligh commented 8 years ago

This was merged by bf840c060dcce2bee244ec8e5e99a85b5d25f4b6 so closing.