Merge pull request #3851 from dondetir/feature/mi-http-security-hardening

bogdan-iancu · web-flow · commit 9efaa7aa113e · 2026-04-07T18:48:56.000+03:00
httpd: harden MI/HTTP interface with safe default and Basic Auth
diff --git a/modules/httpd/doc/httpd_admin.xml b/modules/httpd/doc/httpd_admin.xml
@@ -96,7 +96,8 @@
 		requests.
 		</para>
 		<para>
-		<emphasis>The default value is "*" </emphasis> (bind to all IPv6 and IPv4 interfaces).
+		<emphasis>The default value is "127.0.0.1" </emphasis> (binds to loopback only).
+		Use "*" to bind to all IPv6 and IPv4 interfaces.
 		</para>
 		<example>
 		<title>Set <varname>ip</varname> parameter</title>
@@ -271,6 +272,71 @@ modparam("httpd", "tls_key_file", "/etc/opensips/tls/server.key")
 ...
 modparam("httpd", "tls_ciphers", "SECURE256:+SECURE192:-VERS-ALL:+VERS-TLS1.2")
 ...
+</programlisting>
+		</example>
+	</section>
+	<section id="param_auth_realm" xreflabel="auth_realm">
+		<title><varname>auth_realm</varname> (string)</title>
+		<para>
+		The realm string to be used for HTTP Basic Authentication
+		challenges.  Only takes effect when both
+		<varname>auth_username</varname> and
+		<varname>auth_password</varname> are set.
+		</para>
+		<para>
+		<emphasis> The default value is "OpenSIPS MI".</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>auth_realm</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("httpd", "auth_realm", "OpenSIPS Management")
+...
+</programlisting>
+		</example>
+	</section>
+	<section id="param_auth_username" xreflabel="auth_username">
+		<title><varname>auth_username</varname> (string)</title>
+		<para>
+		The username for HTTP Basic Authentication.  When set together
+		with <varname>auth_password</varname>, all HTTP requests must
+		present valid credentials.  Requests without credentials or
+		with incorrect credentials receive a 401 Unauthorized response.
+		</para>
+		<para>
+		<emphasis> The default value is "" (authentication disabled).</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>auth_username</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("httpd", "auth_username", "admin")
+...
+</programlisting>
+		</example>
+	</section>
+	<section id="param_auth_password" xreflabel="auth_password">
+		<title><varname>auth_password</varname> (string)</title>
+		<para>
+		The password for HTTP Basic Authentication.  Must be set
+		together with <varname>auth_username</varname>.
+		</para>
+		<warning><para>
+		When using HTTP Basic Authentication, it is strongly
+		recommended to also enable TLS via
+		<varname>tls_cert_file</varname> and
+		<varname>tls_key_file</varname> to prevent credentials
+		from being transmitted in plaintext.
+		</para></warning>
+		<para>
+		<emphasis> The default value is "" (authentication disabled).</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>auth_password</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("httpd", "auth_password", "secretpass")
+...
 </programlisting>
 		</example>
 	</section>
diff --git a/modules/httpd/httpd.c b/modules/httpd/httpd.c
@@ -57,14 +57,17 @@ static mi_response_t *mi_list_root_path(const mi_params_t *params,
 						struct mi_handler *async_hdl);
 
 int port = 8888;
-str ip = {NULL, 0};
+str ip = {"127.0.0.1", 9};
 str buffer = {NULL, 0};
 unsigned int hd_conn_timeout_s = 30;
 str tls_cert_file = {NULL, 0};
 str tls_key_file = {NULL, 0};
 str tls_ciphers = {"SECURE256:+SECURE192:-VERS-ALL:+VERS-TLS1.2", 45};
 int post_buf_size = DEFAULT_POST_BUF_SIZE;
 int receive_buf_size = DEFAULT_POST_BUF_SIZE;
+str auth_realm = {"OpenSIPS MI", 11};
+str auth_username = {NULL, 0};
+str auth_password = {NULL, 0};
 struct httpd_cb *httpd_cb_list = NULL;
 
 char *httpd_receive_buff = NULL;
@@ -88,6 +91,9 @@ static const param_export_t params[] = {
 	{"tls_cert_file", STR_PARAM, &tls_cert_file.s},
 	{"tls_key_file", STR_PARAM,  &tls_key_file.s},
 	{"tls_ciphers", STR_PARAM, &tls_ciphers.s},
+	{"auth_realm", STR_PARAM, &auth_realm.s},
+	{"auth_username", STR_PARAM, &auth_username.s},
+	{"auth_password", STR_PARAM, &auth_password.s},
 	{NULL, 0, NULL}
 };
 
@@ -180,6 +186,23 @@ static int mod_init(void)
 		}
 	}
 
+	if (auth_realm.s)
+		auth_realm.len = strlen(auth_realm.s);
+	if (auth_username.s)
+		auth_username.len = strlen(auth_username.s);
+	if (auth_password.s)
+		auth_password.len = strlen(auth_password.s);
+
+	if ((auth_username.s && !auth_password.s) ||
+			(!auth_username.s && auth_password.s)) {
+		LM_ERR("both auth_username and auth_password must be set\n");
+		return -1;
+	}
+	if (auth_username.s && auth_username.len == 0) {
+		LM_ERR("auth_username cannot be empty\n");
+		return -1;
+	}
+
 	if (post_buf_size < MIN_POST_BUF_SIZE) {
 		LM_ERR("post_buf_size should be bigger then %d\n",
 			MIN_POST_BUF_SIZE);
diff --git a/modules/httpd/httpd_proc.c b/modules/httpd/httpd_proc.c
@@ -59,6 +59,9 @@ extern int post_buf_size;
 extern str tls_cert_file;
 extern str tls_key_file;
 extern str tls_ciphers;
+extern str auth_realm;
+extern str auth_username;
+extern str auth_password;
 extern struct httpd_cb *httpd_cb_list;
 static union sockaddr_union httpd_server_info;
 
@@ -71,6 +74,8 @@ static const str MI_HTTP_U_URL = str_init("<html><body>"
 "Unable to parse URL!</body></html>");
 static const str MI_HTTP_U_METHOD = str_init("<html><body>"
 "Unsupported HTTP request!</body></html>");
+static const str MI_HTTP_UNAUTH = str_init("<html><body>"
+"Unauthorized</body></html>");
 
 static char * load_file(char * );
 
@@ -464,6 +469,47 @@ MHD_RET answer_to_connection (void *cls, struct MHD_Connection *connection,
 
 	pr = *con_cls;
 	if(pr == NULL){
+		/* first call for this request -- check auth before allocating */
+		if (auth_username.s) {
+			char *user = NULL;
+			char *pass = NULL;
+
+			user = MHD_basic_auth_get_username_password(connection,
+				&pass);
+			if (!user || !pass ||
+					strlen(user) != auth_username.len ||
+					strlen(pass) != auth_password.len ||
+					memcmp(user, auth_username.s,
+						auth_username.len) != 0 ||
+					memcmp(pass, auth_password.s,
+						auth_password.len) != 0) {
+				LM_WARN("rejected unauthenticated HTTP request "
+					"for %s\n", url);
+				response = MHD_create_response_from_buffer(
+					MI_HTTP_UNAUTH.len,
+					(void *)MI_HTTP_UNAUTH.s,
+					MHD_RESPMEM_PERSISTENT);
+				ret = MHD_queue_basic_auth_fail_response(
+					connection, auth_realm.s, response);
+				MHD_destroy_response(response);
+#if MHD_VERSION >= 0x00093800
+				if (user) MHD_free(user);
+				if (pass) MHD_free(pass);
+#else
+				if (user) free(user);
+				if (pass) free(pass);
+#endif
+				return ret;
+			}
+#if MHD_VERSION >= 0x00093800
+			MHD_free(user);
+			MHD_free(pass);
+#else
+			free(user);
+			free(pass);
+#endif
+		}
+
 		pr = pkg_malloc(sizeof(struct post_request));
 		if(pr==NULL) {
 			LM_ERR("oom while allocating post_request structure\n");
