authorYorhel <git@yorhel.nl>2015-12-29 15:43:42 +0100
committerYorhel <git@yorhel.nl>2015-12-29 15:43:42 +0100
commit267fad116d3b7429e1fb876478ba9468ba19e2c9 (patch)
treef821ba7e5cfe91d5f56afb52a62029abe5ddfbd4
parent68b2e4ade276fd8bd39463b9939ae0d8d5c15df3 (diff)
Multi::API: Add support for TLS
-rw-r--r--data/docs/1112
-rw-r--r--lib/Multi/API.pm31
2 files changed, 32 insertions, 11 deletions
diff --git a/data/docs/11 b/data/docs/11
index 5a492862..3b668656 100644
--- a/data/docs/11
+++ b/data/docs/11
@@ -66,7 +66,8 @@ server resources and prevent abuse of this service.</p>
<b>Connection info:</b>
<dl>
<dt>Host</dt><dd>api.vndb.org</dd>
- <dt>Port (tcp)</dt><dd>19534 ('VN')</dd>
+ <dt>Port (plain tcp)</dt><dd>19534 ('VN')</dd>
+ <dt>Port (TLS)</dt><dd>19535<br />For improved security, make sure to verify that the certificate is valid for 'api.vndb.org' and is signed by a trusted root (in particular, by <a href="https://letsencrypt.org/certificates/">Let's Encrypt</a>).</dd>
</dl>
<br />
@@ -239,8 +240,9 @@ however still required.<br />
</dl>
<p>
The server replies with either 'ok' (no arguments), or 'error' (see below).
- Note that logging in using a username or password is optional, but some
- commands are only available when logged in.
+ Note that logging in using a username and password is optional, but some
+ commands are only available when logged in. It is strongly recommended to
+ connect with TLS when logging in with a username and password.
</p>
@@ -1465,6 +1467,10 @@ however still required.<br />
This section lists the changes made in each version of the VNDB code.
Check out the <a href="/t/an">announcements board</a> for more information about updates.
</p>
+<b>2.25</b>
+<ul>
+ <li>Added support for TLS</li>
+</ul>
<b>2.23</b>
<ul>
<li>Added new 'dbstats' command</li>
diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm
index 1ed62682..256a4532 100644
--- a/lib/Multi/API.pm
+++ b/lib/Multi/API.pm
@@ -23,6 +23,7 @@ sub FALSE () { JSON::XS::false }
my %O = (
port => 19534,
+ tls_port => 19535, # Only used when tls_options is set
logfile => "$VNDB::M{log_dir}/api.log",
conn_per_ip => 5,
max_results => 25, # For get vn/release/producer/character
@@ -31,6 +32,7 @@ my %O = (
throttle_cmd => [ 6, 100 ], # interval between each command, allowed burst
throttle_sql => [ 60, 1 ], # sql time multiplier, allowed burst (in sql time)
throttle_thr => [ 2, 10 ], # interval between "throttled" replies, allowed burst
+ tls_options => undef, # Set to AnyEvent::TLS options to enable TLS
);
@@ -43,7 +45,7 @@ sub writelog {
my($msg, @args) = @_;
if(open(my $F, '>>:utf8', $O{logfile})) {
printf $F "[%s] %s: %s\n", scalar localtime,
- $c ? sprintf '%d %s:%d', $c->{id}, $c->{ip}, $c->{port} : 'global',
+ $c ? sprintf('%d %s:%d%s', $c->{id}, $c->{ip}, $c->{port}, $c->{tls} ? 'S' : '') : 'global',
@args ? sprintf $msg, @args : $msg;
close $F;
}
@@ -54,12 +56,20 @@ sub run {
shift;
%O = (%O, @_);
- push_watcher tcp_server '::', $O{port}, \&newconn;
+ push_watcher tcp_server '::', $O{port}, sub { newconn(0, @_) };;
# The following tcp_server will fail if the above already bound to IPv4.
eval {
- push_watcher tcp_server 0, $O{port}, \&newconn;
+ push_watcher tcp_server 0, $O{port}, sub { newconn(0, @_) };
};
- writelog 'API starting up on port %d', $O{port};
+
+ if($O{tls_options}) {
+ push_watcher tcp_server '::', $O{tls_port}, sub { newconn(1, @_) };
+ eval {
+ push_watcher tcp_server 0, $O{tls_port}, sub { newconn(1, @_) };
+ };
+ }
+
+ writelog 'API starting up on port %d (TLS %s)', $O{port}, $O{tls_options} ? "on port $O{tls_port}" : 'disabled';
}
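Review bot: A broken `tls_options` (unreadable certificate or key file, bad path) is not noticed in run(); the options hash is only consumed when the first client reaches the TLS handshake in newconn, so a misconfigured deployment starts up cleanly and then fails per connection. Building the context once here, e.g. `$O{tls_ctx} = AnyEvent::TLS->new(%{$O{tls_options}}) if $O{tls_options};` before the listeners are bound, makes the error surface at startup and gives newconn a ready-made object to pass as `tls_ctx`. Separately, the first `push_watcher tcp_server` line ends in a stray `;;`, harmless but worth dropping.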
@@ -71,11 +81,12 @@ sub unload {
sub newconn {
my $c = {
- fh => $_[0],
- ip => $_[1],
- port => $_[2],
+ tls => $_[0],
+ fh => $_[1],
+ ip => $_[2],
+ port => $_[3],
id => ++$connid,
- cid => norm_ip($_[1]),
+ cid => norm_ip($_[2]),
filt => POE::Filter::VNDBAPI->new(),
};
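Review bot: Shifting the positional arguments by one (`$_[0]` becomes the TLS flag, `$_[2]` the IP) is exactly the kind of change that reads better with named parameters, and the hunk now references `$_[2]` twice. I would unpack on the first line, `my ($tls, $fh, $ip, $port) = @_;`, then write `tls => $tls, fh => $fh, ip => $ip, port => $port,` and `cid => norm_ip($ip),` in the hash. newconn's body continues past this hunk.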
@@ -103,6 +114,10 @@ sub newconn {
$c->{h}->destroy;
delete $C{$c->{id}};
},
+ $c->{tls} ? (
+ tls => 'accept',
+ tls_ctx => $O{tls_options},
+ ) : (),
);
cmd_read($c);
}
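Review bot: `tls_ctx => $O{tls_options}` hands AnyEvent::Handle a raw options hash, and as far as I recall AnyEvent::Handle then builds a fresh AnyEvent::TLS (re-reading the certificate and key files) for every accepted connection unless the hash carries `cache => 1` or an already constructed AnyEvent::TLS object is passed instead; on a public port where conn_per_ip is the only brake that is avoidable per-handshake cost. Either document `cache => 1` as part of the expected tls_options, or pass a context built once at startup, e.g. `tls_ctx => $O{tls_ctx},`. Since `$c->{tls}` now records per connection whether the link is encrypted, the login handler (outside this diff) could also refuse or at least log password logins arriving over the plaintext port rather than relying on the documentation's recommendation. The AnyEvent::Handle constructor and newconn begin before this hunk.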