
A Kruger committed 3e52624

Run a web service that only responds when the request comes through a tunnel.

  • Parent commits 6ae6bee


Files changed (3)

File Automation/psi_ops_install.py

     # tunneled web requests
     ['''
     -A INPUT -i lo -d %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT'''
-            % (str(s.internal_ip_address), str(s.web_server_port)) for s in servers]) + '''
+            % (str(s.internal_ip_address), str(s.web_server_port)) for s in servers]) + ''.join(
+    ['''
+    -A INPUT -i lo -d %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT'''
+            % (str(s.internal_ip_address), str(psi_config.TUNNEL_CHECK_SERVICE_PORT)) for s in servers]) + '''
     -A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT''' % (host.ssh_port,) + ''.join(
     ['''
     -A OUTPUT -d {0} -o lo -p tcp -m tcp --dport {1} -j ACCEPT
     -A OUTPUT -s {0} -o lo -p tcp -m tcp --sport {1} -j ACCEPT'''.format(
-            str(s.internal_ip_address), str(s.web_server_port)) for s in servers]) + '''
+            str(s.internal_ip_address), str(s.web_server_port)) for s in servers]) + ''.join(
+    ['''
+    -A OUTPUT -d {0} -o lo -p tcp -m tcp --dport {1} -j ACCEPT
+    -A OUTPUT -s {0} -o lo -p tcp -m tcp --sport {1} -j ACCEPT'''.format(
+            str(s.internal_ip_address), str(psi_config.TUNNEL_CHECK_SERVICE_PORT)) for s in servers]) + '''            
     -A OUTPUT -o lo -p tcp -m tcp --dport 7300 -j ACCEPT
     -A OUTPUT -o lo -p tcp -m tcp --dport 6379 -m owner --uid-owner root -j ACCEPT
     -A OUTPUT -o lo -p tcp -m tcp --dport 6000 -m owner --uid-owner root -j ACCEPT
     -A OUTPUT -d %s -p tcp -m tcp --dport %s -j ACCEPT'''
             % (str(s.internal_ip_address), str(s.web_server_port)) for s in servers
                 if s.ip_address != s.internal_ip_address]) + ''.join(
+    ['''
+    -A OUTPUT -d %s -p tcp -m tcp --dport %s -j ACCEPT'''
+            % (str(s.internal_ip_address), str(psi_config.TUNNEL_CHECK_SERVICE_PORT)) for s in servers
+                if s.ip_address != s.internal_ip_address]) + ''.join(
     # web servers
     ['''
     -A OUTPUT -s %s -p tcp -m tcp --sport %s -j ACCEPT'''
             % (str(s.internal_ip_address), str(s.web_server_port)) for s in servers
                 if s.web_server_port]) + ''.join(
+    ['''
+    -A OUTPUT -s %s -p tcp -m tcp --sport %s -j ACCEPT'''
+            % (str(s.internal_ip_address), str(psi_config.TUNNEL_CHECK_SERVICE_PORT)) for s in servers
+                if s.web_server_port]) + ''.join(
     # SSH
     ['''
     -A OUTPUT -s %s -p tcp -m tcp --sport %s -j ACCEPT'''
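Review bot: The new `--sport` egress rule added under the `# web servers` comment keeps the `if s.web_server_port` filter it was copied from, while psi_web.py starts a TunnelCheckServerThread for every entry in `servers` with no such condition, so a server without a web port would get the listener but not this rule; either drop the filter on that rule (the new INPUT rule at the top of the hunk already has none) or gate the thread start in psi_web.py on the same condition. The same rule template is now written out four times with only the port changing; a small helper taking `(ip, port)` and returning the joined rules would keep the web-server and tunnel-check rule sets from drifting apart like this. The added `.format(` continuation line in the OUTPUT group that ends in `+ '''` carries trailing whitespace. The iptables rule expression this hunk edits starts and ends outside the hunk, and the context around the `--dport 6000` rule looks non-contiguous, so there may be a second hunk folded into this section.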

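--- a/Server/psi_config.py
+++ b/Server/psi_config.py
 ROUTE_FILE_NAME_TEMPLATE = '%s.route.zlib'
 DATA_FILE_NAME = posixpath.join(HOST_SOURCE_ROOT, 'Automation', 'psi_ops.dat')
 GEOIP_SERVICE_PORT = 6000
+TUNNEL_CHECK_SERVICE_PORT = 7999
 
 
 #==== VPN =====================================================================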
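Review bot: TUNNEL_CHECK_SERVICE_PORT is added without a comment, although its meaning only makes sense together with the `-i lo` iptables rules in psi_ops_install.py and the per-server listener in psi_web.py that this commit introduces; a line such as `# Tunnel check service: one listener per server internal IP, meant to be reachable only via loopback (see the iptables rules in Automation/psi_ops_install.py)` next to the constant would record that coupling. Whether 7999 is already in use by anything else on the host is not visible from this hunk.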

File Server/psi_web.py

                 syslog.syslog(syslog.LOG_ERR, line)
             raise
 
+
+# ===== Tunnel Check Service =====
+
+class TunnelCheckServerThread(threading.Thread):
+
+    def __init__(self, ip_address):
+        #super(WebServerThread, self).__init__(self)
+        threading.Thread.__init__(self)
+        self.server_ip_address = ip_address
+        self.server = None
+
+    def check_tunnel(self, environ, start_response):
+        # Just return 200 OK; no logging or action for this request
+        start_response('200 OK', [])
+        return []
+    
+    def stop_server(self):
+        # Retry loop in case self.server.stop throws an exception
+        for i in range(5):
+            try:
+                if self.server:
+                    # blocks until server stops
+                    self.server.stop()
+                    self.server = None
+                break
+            except Exception as e:
+                # Log errors
+                for line in traceback.format_exc().split('\n'):
+                    syslog.syslog(syslog.LOG_ERR, line)
+                time.sleep(i)
+
+    def run(self):
+        try:
+            server_instance = ()
+            self.server = wsgiserver.CherryPyWSGIServer(
+                            (self.server_ip_address, int(psi_config.TUNNEL_CHECK_SERVICE_PORT)),
+                            wsgiserver.WSGIPathInfoDispatcher(
+                                {'/check_tunnel': self.check_tunnel}))
+
+            # Blocks until server stopped
+            syslog.syslog(syslog.LOG_INFO, 'started Tunnel Check service on %s:%d' % (self.server_ip_address, psi_config.TUNNEL_CHECK_SERVICE_PORT))
+            self.server.start()
+        except Exception as e:
+            # Log other errors and abort
+            for line in traceback.format_exc().split('\n'):
+                syslog.syslog(syslog.LOG_ERR, line)
+            raise
+
+            
 # ===== Main Process =====
 
 def main():
     threads.append(geoip_thread)
     print 'GeoIP server running...'
 
+    for server_info in servers:
+        tunnel_check_thread = TunnelCheckServerThread(server_info[0])
+        tunnel_check_thread.start()
+        threads.append(tunnel_check_thread)
+    print 'Tunnel Check server running...'
+
     try:
         while True:
             time.sleep(60)
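Review bot: check_tunnel answers 200 to any request that reaches it and never inspects the peer, so the "only responds when the request comes through a tunnel" property rests entirely on the `-i lo` iptables rule in psi_ops_install.py — on a host where those rules are not (re)applied, the endpoint is plainly exposed on the internal interface the server binds to. A cheap defence-in-depth check is to refuse requests whose REMOTE_ADDR is not the local host, sketched below; which address a tunnelled connection actually presents (loopback or the bound internal IP) should be confirmed before fixing the allow-list. In run, `server_instance = ()` is an unused local, and the commented-out `#super(WebServerThread, self).__init__(self)` line in `__init__` names the wrong class; both should be dropped. main() continues outside the hunk, and the loop there starts a thread for every entry in `servers`, so `server_info[0]` being the bind address is assumed from the call site alone.
```python
    def check_tunnel(self, environ, start_response):
        # Defence in depth: the '-i lo' iptables rule is what limits this
        # endpoint to tunnelled requests; also refuse any peer that is not
        # local so a missing firewall rule does not silently expose it.
        # TODO(review): confirm which address a tunnelled request presents here
        if environ.get('REMOTE_ADDR') not in ('127.0.0.1', self.server_ip_address):
            start_response('403 Forbidden', [])
            return []
        # Just return 200 OK; no logging or action for this request
        start_response('200 OK', [])
        return []
```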