- Make sure a user might not run Privoxy as an open proxy, potentially giving
unwanted access to local resources. Only private IP classes are allowed to
connect.
Tests:
- Freshly install privoxy app. permit-access directives are set in the
configuration. Proxy works when tested with a private IP address with Firefox.
- Install privoxy app without the changes. Apply the changes, privoxy setup
should run. permit-access directives are set in the configuration. Proxy works
when tested with a private IP address with Firefox.
- Privoxy works when accessed with IPv4 address (such as 10.42.0.x) and IPv6
address (such as fe80::x:y:z%ve-fbx-testing).
[sunil: Use Spacevars Augeas lens to edit the configuration file]
[sunil: Update IP ranges with auto-configuration, IPv6 addresses, etc.]
[sunil: Update description to mention that only local IPs are allowed]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
#!/usr/bin/python3
# SPDX-License-Identifier: AGPL-3.0-or-later
"""
Configuration helper for Privoxy server.
"""
import argparse
import pathlib
import augeas
from plinth import action_utils
# Privoxy configuration file that _load_augeus() parses and _restrict_access()
# rewrites.
PRIVOXY_CONF_PATH = pathlib.Path('/etc/privoxy/config')
def parse_arguments():
    """Parse the command line and return the argparse namespace.

    Exactly one sub command, ``pre-install`` or ``setup``, must be given; its
    name is stored in the ``subcommand`` attribute of the result.
    """
    parser = argparse.ArgumentParser()
    subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')
    # Refuse to run when no sub command was supplied.
    subparsers.required = True

    commands = (
        ('pre-install',
         'Preseed debconf values before packages are installed'),
        ('setup', 'Perform post install steps'),
    )
    for name, description in commands:
        subparsers.add_parser(name, help=description)

    return parser.parse_args()
def subcommand_pre_install(_):
    """Preseed the debconf answer for Privoxy's listen address.

    The parsed arguments are accepted only to match the other sub command
    handlers and are ignored.
    """
    # The preseeded listen address is the wildcard '[::]' on port 8118, not
    # loopback, so which clients may use the proxy is decided by the
    # permit-access entries that _restrict_access() writes, not by the bind
    # address.
    selections = ['privoxy privoxy/listen-address string [::]:8118']
    action_utils.debconf_set_selections(selections)
def subcommand_setup(_):
    """Run the post-install step: restrict who may connect to Privoxy.

    The parsed arguments are ignored.
    """
    # The only setup action is writing the permit-access entries.
    _restrict_access()
def _load_augeus():
    """Return an Augeas handle with only the Privoxy configuration loaded."""
    # Disable automatic lens and file loading; only the transform registered
    # below is applied when load() is called.
    flags = augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD
    conf_path = str(PRIVOXY_CONF_PATH)

    aug = augeas.Augeas(flags=flags)
    aug.transform('Spacevars', conf_path)
    # With this context, relative paths such as 'permit-access' resolve
    # inside the tree of the Privoxy configuration file.
    aug.set('/augeas/context', '/files' + conf_path)
    aug.load()
    # NOTE(review): nothing here checks whether the file parsed. Augeas
    # appears to record parse failures under /augeas//error instead of
    # raising; confirm callers should continue when the tree is empty.
    return aug
def _restrict_access():
    """Add permit-access rules for loopback, private and link-local clients.

    Each range below is appended to the configuration as a ``permit-access``
    directive unless a directive with exactly that value already exists. The
    file is then saved. Existing ``permit-access`` entries are never removed
    or narrowed, so a broader rule already in the file stays in effect.
    """
    # References for the ranges:
    # https://en.wikipedia.org/wiki/localhost
    # https://en.wikipedia.org/wiki/Private_network
    # https://en.wikipedia.org/wiki/Link-local_address
    # https://en.wikipedia.org/wiki/Unique_local_address
    allowed_sources = (
        '127.0.0.0/8',  # IPv4 loopback
        '10.0.0.0/8',  # IPv4 private
        '172.16.0.0/12',  # IPv4 private
        '192.168.0.0/16',  # IPv4 private
        '169.254.0.0/16',  # IPv4 link-local (auto-configuration)
        '[::1]',  # IPv6 loopback
        '[fc00::]/7',  # IPv6 unique local addresses
        '[fe80::]/10',  # IPv6 link-local (auto-configuration)
    )

    # NOTE(review): Privoxy is understood to accept any client when the file
    # has no permit-access directive at all, so these entries are what limits
    # the proxy to local networks. Confirm against the Privoxy ACL docs.
    aug = _load_augeus()
    for source in allowed_sources:
        # The comparison is an exact string match on the directive's value.
        already_present = any(
            aug.get(path) == source for path in aug.match('permit-access'))
        if not already_present:
            aug.set('permit-access[last() + 1]', source)

    aug.save()
def main():
    """Run the handler for the sub command given on the command line."""
    arguments = parse_arguments()

    # argparse accepts only the sub commands registered in parse_arguments(),
    # so the globals() lookup is limited to the matching subcommand_* handler.
    handler_name = 'subcommand_' + arguments.subcommand.replace('-', '_')
    handler = globals()[handler_name]
    handler(arguments)
# Run the helper only when executed as a script, not when imported.
if __name__ == '__main__':
    main()