Add config option to disable HTTP printable char path check
parent
b3771e2e6c
commit
d6c16dd0ad
|
@ -690,6 +690,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
DisableAnonymousSignature: b.boolVal(c.DisableAnonymousSignature),
|
DisableAnonymousSignature: b.boolVal(c.DisableAnonymousSignature),
|
||||||
DisableCoordinates: b.boolVal(c.DisableCoordinates),
|
DisableCoordinates: b.boolVal(c.DisableCoordinates),
|
||||||
DisableHostNodeID: b.boolVal(c.DisableHostNodeID),
|
DisableHostNodeID: b.boolVal(c.DisableHostNodeID),
|
||||||
|
DisableHTTPUnprintableCharFilter: b.boolVal(c.DisableHTTPUnprintableCharFilter),
|
||||||
DisableKeyringFile: b.boolVal(c.DisableKeyringFile),
|
DisableKeyringFile: b.boolVal(c.DisableKeyringFile),
|
||||||
DisableRemoteExec: b.boolVal(c.DisableRemoteExec),
|
DisableRemoteExec: b.boolVal(c.DisableRemoteExec),
|
||||||
DisableUpdateCheck: b.boolVal(c.DisableUpdateCheck),
|
DisableUpdateCheck: b.boolVal(c.DisableUpdateCheck),
|
||||||
|
|
|
@ -136,106 +136,107 @@ func Parse(data string, format string) (c Config, err error) {
|
||||||
// configuration it should be treated as an external API which cannot be
|
// configuration it should be treated as an external API which cannot be
|
||||||
// changed and refactored at will since this will break existing setups.
|
// changed and refactored at will since this will break existing setups.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
ACLAgentMasterToken *string `json:"acl_agent_master_token,omitempty" hcl:"acl_agent_master_token" mapstructure:"acl_agent_master_token"`
|
ACLAgentMasterToken *string `json:"acl_agent_master_token,omitempty" hcl:"acl_agent_master_token" mapstructure:"acl_agent_master_token"`
|
||||||
ACLAgentToken *string `json:"acl_agent_token,omitempty" hcl:"acl_agent_token" mapstructure:"acl_agent_token"`
|
ACLAgentToken *string `json:"acl_agent_token,omitempty" hcl:"acl_agent_token" mapstructure:"acl_agent_token"`
|
||||||
ACLDatacenter *string `json:"acl_datacenter,omitempty" hcl:"acl_datacenter" mapstructure:"acl_datacenter"`
|
ACLDatacenter *string `json:"acl_datacenter,omitempty" hcl:"acl_datacenter" mapstructure:"acl_datacenter"`
|
||||||
ACLDefaultPolicy *string `json:"acl_default_policy,omitempty" hcl:"acl_default_policy" mapstructure:"acl_default_policy"`
|
ACLDefaultPolicy *string `json:"acl_default_policy,omitempty" hcl:"acl_default_policy" mapstructure:"acl_default_policy"`
|
||||||
ACLDownPolicy *string `json:"acl_down_policy,omitempty" hcl:"acl_down_policy" mapstructure:"acl_down_policy"`
|
ACLDownPolicy *string `json:"acl_down_policy,omitempty" hcl:"acl_down_policy" mapstructure:"acl_down_policy"`
|
||||||
ACLEnableKeyListPolicy *bool `json:"acl_enable_key_list_policy,omitempty" hcl:"acl_enable_key_list_policy" mapstructure:"acl_enable_key_list_policy"`
|
ACLEnableKeyListPolicy *bool `json:"acl_enable_key_list_policy,omitempty" hcl:"acl_enable_key_list_policy" mapstructure:"acl_enable_key_list_policy"`
|
||||||
ACLEnforceVersion8 *bool `json:"acl_enforce_version_8,omitempty" hcl:"acl_enforce_version_8" mapstructure:"acl_enforce_version_8"`
|
ACLEnforceVersion8 *bool `json:"acl_enforce_version_8,omitempty" hcl:"acl_enforce_version_8" mapstructure:"acl_enforce_version_8"`
|
||||||
ACLMasterToken *string `json:"acl_master_token,omitempty" hcl:"acl_master_token" mapstructure:"acl_master_token"`
|
ACLMasterToken *string `json:"acl_master_token,omitempty" hcl:"acl_master_token" mapstructure:"acl_master_token"`
|
||||||
ACLReplicationToken *string `json:"acl_replication_token,omitempty" hcl:"acl_replication_token" mapstructure:"acl_replication_token"`
|
ACLReplicationToken *string `json:"acl_replication_token,omitempty" hcl:"acl_replication_token" mapstructure:"acl_replication_token"`
|
||||||
ACLTTL *string `json:"acl_ttl,omitempty" hcl:"acl_ttl" mapstructure:"acl_ttl"`
|
ACLTTL *string `json:"acl_ttl,omitempty" hcl:"acl_ttl" mapstructure:"acl_ttl"`
|
||||||
ACLToken *string `json:"acl_token,omitempty" hcl:"acl_token" mapstructure:"acl_token"`
|
ACLToken *string `json:"acl_token,omitempty" hcl:"acl_token" mapstructure:"acl_token"`
|
||||||
Addresses Addresses `json:"addresses,omitempty" hcl:"addresses" mapstructure:"addresses"`
|
Addresses Addresses `json:"addresses,omitempty" hcl:"addresses" mapstructure:"addresses"`
|
||||||
AdvertiseAddrLAN *string `json:"advertise_addr,omitempty" hcl:"advertise_addr" mapstructure:"advertise_addr"`
|
AdvertiseAddrLAN *string `json:"advertise_addr,omitempty" hcl:"advertise_addr" mapstructure:"advertise_addr"`
|
||||||
AdvertiseAddrWAN *string `json:"advertise_addr_wan,omitempty" hcl:"advertise_addr_wan" mapstructure:"advertise_addr_wan"`
|
AdvertiseAddrWAN *string `json:"advertise_addr_wan,omitempty" hcl:"advertise_addr_wan" mapstructure:"advertise_addr_wan"`
|
||||||
Autopilot Autopilot `json:"autopilot,omitempty" hcl:"autopilot" mapstructure:"autopilot"`
|
Autopilot Autopilot `json:"autopilot,omitempty" hcl:"autopilot" mapstructure:"autopilot"`
|
||||||
BindAddr *string `json:"bind_addr,omitempty" hcl:"bind_addr" mapstructure:"bind_addr"`
|
BindAddr *string `json:"bind_addr,omitempty" hcl:"bind_addr" mapstructure:"bind_addr"`
|
||||||
Bootstrap *bool `json:"bootstrap,omitempty" hcl:"bootstrap" mapstructure:"bootstrap"`
|
Bootstrap *bool `json:"bootstrap,omitempty" hcl:"bootstrap" mapstructure:"bootstrap"`
|
||||||
BootstrapExpect *int `json:"bootstrap_expect,omitempty" hcl:"bootstrap_expect" mapstructure:"bootstrap_expect"`
|
BootstrapExpect *int `json:"bootstrap_expect,omitempty" hcl:"bootstrap_expect" mapstructure:"bootstrap_expect"`
|
||||||
CAFile *string `json:"ca_file,omitempty" hcl:"ca_file" mapstructure:"ca_file"`
|
CAFile *string `json:"ca_file,omitempty" hcl:"ca_file" mapstructure:"ca_file"`
|
||||||
CAPath *string `json:"ca_path,omitempty" hcl:"ca_path" mapstructure:"ca_path"`
|
CAPath *string `json:"ca_path,omitempty" hcl:"ca_path" mapstructure:"ca_path"`
|
||||||
CertFile *string `json:"cert_file,omitempty" hcl:"cert_file" mapstructure:"cert_file"`
|
CertFile *string `json:"cert_file,omitempty" hcl:"cert_file" mapstructure:"cert_file"`
|
||||||
Check *CheckDefinition `json:"check,omitempty" hcl:"check" mapstructure:"check"` // needs to be a pointer to avoid partial merges
|
Check *CheckDefinition `json:"check,omitempty" hcl:"check" mapstructure:"check"` // needs to be a pointer to avoid partial merges
|
||||||
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
|
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
|
||||||
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
|
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
|
||||||
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
|
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
|
||||||
Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
||||||
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
|
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
|
||||||
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
|
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
|
||||||
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
|
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
|
||||||
DataDir *string `json:"data_dir,omitempty" hcl:"data_dir" mapstructure:"data_dir"`
|
DataDir *string `json:"data_dir,omitempty" hcl:"data_dir" mapstructure:"data_dir"`
|
||||||
Datacenter *string `json:"datacenter,omitempty" hcl:"datacenter" mapstructure:"datacenter"`
|
Datacenter *string `json:"datacenter,omitempty" hcl:"datacenter" mapstructure:"datacenter"`
|
||||||
DisableAnonymousSignature *bool `json:"disable_anonymous_signature,omitempty" hcl:"disable_anonymous_signature" mapstructure:"disable_anonymous_signature"`
|
DisableAnonymousSignature *bool `json:"disable_anonymous_signature,omitempty" hcl:"disable_anonymous_signature" mapstructure:"disable_anonymous_signature"`
|
||||||
DisableCoordinates *bool `json:"disable_coordinates,omitempty" hcl:"disable_coordinates" mapstructure:"disable_coordinates"`
|
DisableCoordinates *bool `json:"disable_coordinates,omitempty" hcl:"disable_coordinates" mapstructure:"disable_coordinates"`
|
||||||
DisableHostNodeID *bool `json:"disable_host_node_id,omitempty" hcl:"disable_host_node_id" mapstructure:"disable_host_node_id"`
|
DisableHostNodeID *bool `json:"disable_host_node_id,omitempty" hcl:"disable_host_node_id" mapstructure:"disable_host_node_id"`
|
||||||
DisableKeyringFile *bool `json:"disable_keyring_file,omitempty" hcl:"disable_keyring_file" mapstructure:"disable_keyring_file"`
|
DisableHTTPUnprintableCharFilter *bool `json:"disable_http_unprintable_char_filter,omitempty" hcl:"disable_http_unprintable_char_filter" mapstructure:"disable_http_unprintable_char_filter"`
|
||||||
DisableRemoteExec *bool `json:"disable_remote_exec,omitempty" hcl:"disable_remote_exec" mapstructure:"disable_remote_exec"`
|
DisableKeyringFile *bool `json:"disable_keyring_file,omitempty" hcl:"disable_keyring_file" mapstructure:"disable_keyring_file"`
|
||||||
DisableUpdateCheck *bool `json:"disable_update_check,omitempty" hcl:"disable_update_check" mapstructure:"disable_update_check"`
|
DisableRemoteExec *bool `json:"disable_remote_exec,omitempty" hcl:"disable_remote_exec" mapstructure:"disable_remote_exec"`
|
||||||
DiscardCheckOutput *bool `json:"discard_check_output" hcl:"discard_check_output" mapstructure:"discard_check_output"`
|
DisableUpdateCheck *bool `json:"disable_update_check,omitempty" hcl:"disable_update_check" mapstructure:"disable_update_check"`
|
||||||
DiscoveryMaxStale *string `json:"discovery_max_stale" hcl:"discovery_max_stale" mapstructure:"discovery_max_stale"`
|
DiscardCheckOutput *bool `json:"discard_check_output" hcl:"discard_check_output" mapstructure:"discard_check_output"`
|
||||||
EnableACLReplication *bool `json:"enable_acl_replication,omitempty" hcl:"enable_acl_replication" mapstructure:"enable_acl_replication"`
|
DiscoveryMaxStale *string `json:"discovery_max_stale" hcl:"discovery_max_stale" mapstructure:"discovery_max_stale"`
|
||||||
EnableAgentTLSForChecks *bool `json:"enable_agent_tls_for_checks,omitempty" hcl:"enable_agent_tls_for_checks" mapstructure:"enable_agent_tls_for_checks"`
|
EnableACLReplication *bool `json:"enable_acl_replication,omitempty" hcl:"enable_acl_replication" mapstructure:"enable_acl_replication"`
|
||||||
EnableDebug *bool `json:"enable_debug,omitempty" hcl:"enable_debug" mapstructure:"enable_debug"`
|
EnableAgentTLSForChecks *bool `json:"enable_agent_tls_for_checks,omitempty" hcl:"enable_agent_tls_for_checks" mapstructure:"enable_agent_tls_for_checks"`
|
||||||
EnableScriptChecks *bool `json:"enable_script_checks,omitempty" hcl:"enable_script_checks" mapstructure:"enable_script_checks"`
|
EnableDebug *bool `json:"enable_debug,omitempty" hcl:"enable_debug" mapstructure:"enable_debug"`
|
||||||
EnableSyslog *bool `json:"enable_syslog,omitempty" hcl:"enable_syslog" mapstructure:"enable_syslog"`
|
EnableScriptChecks *bool `json:"enable_script_checks,omitempty" hcl:"enable_script_checks" mapstructure:"enable_script_checks"`
|
||||||
EncryptKey *string `json:"encrypt,omitempty" hcl:"encrypt" mapstructure:"encrypt"`
|
EnableSyslog *bool `json:"enable_syslog,omitempty" hcl:"enable_syslog" mapstructure:"enable_syslog"`
|
||||||
EncryptVerifyIncoming *bool `json:"encrypt_verify_incoming,omitempty" hcl:"encrypt_verify_incoming" mapstructure:"encrypt_verify_incoming"`
|
EncryptKey *string `json:"encrypt,omitempty" hcl:"encrypt" mapstructure:"encrypt"`
|
||||||
EncryptVerifyOutgoing *bool `json:"encrypt_verify_outgoing,omitempty" hcl:"encrypt_verify_outgoing" mapstructure:"encrypt_verify_outgoing"`
|
EncryptVerifyIncoming *bool `json:"encrypt_verify_incoming,omitempty" hcl:"encrypt_verify_incoming" mapstructure:"encrypt_verify_incoming"`
|
||||||
HTTPConfig HTTPConfig `json:"http_config,omitempty" hcl:"http_config" mapstructure:"http_config"`
|
EncryptVerifyOutgoing *bool `json:"encrypt_verify_outgoing,omitempty" hcl:"encrypt_verify_outgoing" mapstructure:"encrypt_verify_outgoing"`
|
||||||
KeyFile *string `json:"key_file,omitempty" hcl:"key_file" mapstructure:"key_file"`
|
HTTPConfig HTTPConfig `json:"http_config,omitempty" hcl:"http_config" mapstructure:"http_config"`
|
||||||
LeaveOnTerm *bool `json:"leave_on_terminate,omitempty" hcl:"leave_on_terminate" mapstructure:"leave_on_terminate"`
|
KeyFile *string `json:"key_file,omitempty" hcl:"key_file" mapstructure:"key_file"`
|
||||||
Limits Limits `json:"limits,omitempty" hcl:"limits" mapstructure:"limits"`
|
LeaveOnTerm *bool `json:"leave_on_terminate,omitempty" hcl:"leave_on_terminate" mapstructure:"leave_on_terminate"`
|
||||||
LogLevel *string `json:"log_level,omitempty" hcl:"log_level" mapstructure:"log_level"`
|
Limits Limits `json:"limits,omitempty" hcl:"limits" mapstructure:"limits"`
|
||||||
NodeID *string `json:"node_id,omitempty" hcl:"node_id" mapstructure:"node_id"`
|
LogLevel *string `json:"log_level,omitempty" hcl:"log_level" mapstructure:"log_level"`
|
||||||
NodeMeta map[string]string `json:"node_meta,omitempty" hcl:"node_meta" mapstructure:"node_meta"`
|
NodeID *string `json:"node_id,omitempty" hcl:"node_id" mapstructure:"node_id"`
|
||||||
NodeName *string `json:"node_name,omitempty" hcl:"node_name" mapstructure:"node_name"`
|
NodeMeta map[string]string `json:"node_meta,omitempty" hcl:"node_meta" mapstructure:"node_meta"`
|
||||||
NonVotingServer *bool `json:"non_voting_server,omitempty" hcl:"non_voting_server" mapstructure:"non_voting_server"`
|
NodeName *string `json:"node_name,omitempty" hcl:"node_name" mapstructure:"node_name"`
|
||||||
Performance Performance `json:"performance,omitempty" hcl:"performance" mapstructure:"performance"`
|
NonVotingServer *bool `json:"non_voting_server,omitempty" hcl:"non_voting_server" mapstructure:"non_voting_server"`
|
||||||
PidFile *string `json:"pid_file,omitempty" hcl:"pid_file" mapstructure:"pid_file"`
|
Performance Performance `json:"performance,omitempty" hcl:"performance" mapstructure:"performance"`
|
||||||
Ports Ports `json:"ports,omitempty" hcl:"ports" mapstructure:"ports"`
|
PidFile *string `json:"pid_file,omitempty" hcl:"pid_file" mapstructure:"pid_file"`
|
||||||
RPCProtocol *int `json:"protocol,omitempty" hcl:"protocol" mapstructure:"protocol"`
|
Ports Ports `json:"ports,omitempty" hcl:"ports" mapstructure:"ports"`
|
||||||
RaftProtocol *int `json:"raft_protocol,omitempty" hcl:"raft_protocol" mapstructure:"raft_protocol"`
|
RPCProtocol *int `json:"protocol,omitempty" hcl:"protocol" mapstructure:"protocol"`
|
||||||
RaftSnapshotThreshold *int `json:"raft_snapshot_threshold,omitempty" hcl:"raft_snapshot_threshold" mapstructure:"raft_snapshot_threshold"`
|
RaftProtocol *int `json:"raft_protocol,omitempty" hcl:"raft_protocol" mapstructure:"raft_protocol"`
|
||||||
RaftSnapshotInterval *string `json:"raft_snapshot_interval,omitempty" hcl:"raft_snapshot_interval" mapstructure:"raft_snapshot_interval"`
|
RaftSnapshotThreshold *int `json:"raft_snapshot_threshold,omitempty" hcl:"raft_snapshot_threshold" mapstructure:"raft_snapshot_threshold"`
|
||||||
ReconnectTimeoutLAN *string `json:"reconnect_timeout,omitempty" hcl:"reconnect_timeout" mapstructure:"reconnect_timeout"`
|
RaftSnapshotInterval *string `json:"raft_snapshot_interval,omitempty" hcl:"raft_snapshot_interval" mapstructure:"raft_snapshot_interval"`
|
||||||
ReconnectTimeoutWAN *string `json:"reconnect_timeout_wan,omitempty" hcl:"reconnect_timeout_wan" mapstructure:"reconnect_timeout_wan"`
|
ReconnectTimeoutLAN *string `json:"reconnect_timeout,omitempty" hcl:"reconnect_timeout" mapstructure:"reconnect_timeout"`
|
||||||
RejoinAfterLeave *bool `json:"rejoin_after_leave,omitempty" hcl:"rejoin_after_leave" mapstructure:"rejoin_after_leave"`
|
ReconnectTimeoutWAN *string `json:"reconnect_timeout_wan,omitempty" hcl:"reconnect_timeout_wan" mapstructure:"reconnect_timeout_wan"`
|
||||||
RetryJoinIntervalLAN *string `json:"retry_interval,omitempty" hcl:"retry_interval" mapstructure:"retry_interval"`
|
RejoinAfterLeave *bool `json:"rejoin_after_leave,omitempty" hcl:"rejoin_after_leave" mapstructure:"rejoin_after_leave"`
|
||||||
RetryJoinIntervalWAN *string `json:"retry_interval_wan,omitempty" hcl:"retry_interval_wan" mapstructure:"retry_interval_wan"`
|
RetryJoinIntervalLAN *string `json:"retry_interval,omitempty" hcl:"retry_interval" mapstructure:"retry_interval"`
|
||||||
RetryJoinLAN []string `json:"retry_join,omitempty" hcl:"retry_join" mapstructure:"retry_join"`
|
RetryJoinIntervalWAN *string `json:"retry_interval_wan,omitempty" hcl:"retry_interval_wan" mapstructure:"retry_interval_wan"`
|
||||||
RetryJoinMaxAttemptsLAN *int `json:"retry_max,omitempty" hcl:"retry_max" mapstructure:"retry_max"`
|
RetryJoinLAN []string `json:"retry_join,omitempty" hcl:"retry_join" mapstructure:"retry_join"`
|
||||||
RetryJoinMaxAttemptsWAN *int `json:"retry_max_wan,omitempty" hcl:"retry_max_wan" mapstructure:"retry_max_wan"`
|
RetryJoinMaxAttemptsLAN *int `json:"retry_max,omitempty" hcl:"retry_max" mapstructure:"retry_max"`
|
||||||
RetryJoinWAN []string `json:"retry_join_wan,omitempty" hcl:"retry_join_wan" mapstructure:"retry_join_wan"`
|
RetryJoinMaxAttemptsWAN *int `json:"retry_max_wan,omitempty" hcl:"retry_max_wan" mapstructure:"retry_max_wan"`
|
||||||
SegmentName *string `json:"segment,omitempty" hcl:"segment" mapstructure:"segment"`
|
RetryJoinWAN []string `json:"retry_join_wan,omitempty" hcl:"retry_join_wan" mapstructure:"retry_join_wan"`
|
||||||
Segments []Segment `json:"segments,omitempty" hcl:"segments" mapstructure:"segments"`
|
SegmentName *string `json:"segment,omitempty" hcl:"segment" mapstructure:"segment"`
|
||||||
SerfBindAddrLAN *string `json:"serf_lan,omitempty" hcl:"serf_lan" mapstructure:"serf_lan"`
|
Segments []Segment `json:"segments,omitempty" hcl:"segments" mapstructure:"segments"`
|
||||||
SerfBindAddrWAN *string `json:"serf_wan,omitempty" hcl:"serf_wan" mapstructure:"serf_wan"`
|
SerfBindAddrLAN *string `json:"serf_lan,omitempty" hcl:"serf_lan" mapstructure:"serf_lan"`
|
||||||
ServerMode *bool `json:"server,omitempty" hcl:"server" mapstructure:"server"`
|
SerfBindAddrWAN *string `json:"serf_wan,omitempty" hcl:"serf_wan" mapstructure:"serf_wan"`
|
||||||
ServerName *string `json:"server_name,omitempty" hcl:"server_name" mapstructure:"server_name"`
|
ServerMode *bool `json:"server,omitempty" hcl:"server" mapstructure:"server"`
|
||||||
Service *ServiceDefinition `json:"service,omitempty" hcl:"service" mapstructure:"service"`
|
ServerName *string `json:"server_name,omitempty" hcl:"server_name" mapstructure:"server_name"`
|
||||||
Services []ServiceDefinition `json:"services,omitempty" hcl:"services" mapstructure:"services"`
|
Service *ServiceDefinition `json:"service,omitempty" hcl:"service" mapstructure:"service"`
|
||||||
SessionTTLMin *string `json:"session_ttl_min,omitempty" hcl:"session_ttl_min" mapstructure:"session_ttl_min"`
|
Services []ServiceDefinition `json:"services,omitempty" hcl:"services" mapstructure:"services"`
|
||||||
SkipLeaveOnInt *bool `json:"skip_leave_on_interrupt,omitempty" hcl:"skip_leave_on_interrupt" mapstructure:"skip_leave_on_interrupt"`
|
SessionTTLMin *string `json:"session_ttl_min,omitempty" hcl:"session_ttl_min" mapstructure:"session_ttl_min"`
|
||||||
StartJoinAddrsLAN []string `json:"start_join,omitempty" hcl:"start_join" mapstructure:"start_join"`
|
SkipLeaveOnInt *bool `json:"skip_leave_on_interrupt,omitempty" hcl:"skip_leave_on_interrupt" mapstructure:"skip_leave_on_interrupt"`
|
||||||
StartJoinAddrsWAN []string `json:"start_join_wan,omitempty" hcl:"start_join_wan" mapstructure:"start_join_wan"`
|
StartJoinAddrsLAN []string `json:"start_join,omitempty" hcl:"start_join" mapstructure:"start_join"`
|
||||||
SyslogFacility *string `json:"syslog_facility,omitempty" hcl:"syslog_facility" mapstructure:"syslog_facility"`
|
StartJoinAddrsWAN []string `json:"start_join_wan,omitempty" hcl:"start_join_wan" mapstructure:"start_join_wan"`
|
||||||
TLSCipherSuites *string `json:"tls_cipher_suites,omitempty" hcl:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
SyslogFacility *string `json:"syslog_facility,omitempty" hcl:"syslog_facility" mapstructure:"syslog_facility"`
|
||||||
TLSMinVersion *string `json:"tls_min_version,omitempty" hcl:"tls_min_version" mapstructure:"tls_min_version"`
|
TLSCipherSuites *string `json:"tls_cipher_suites,omitempty" hcl:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||||
TLSPreferServerCipherSuites *bool `json:"tls_prefer_server_cipher_suites,omitempty" hcl:"tls_prefer_server_cipher_suites" mapstructure:"tls_prefer_server_cipher_suites"`
|
TLSMinVersion *string `json:"tls_min_version,omitempty" hcl:"tls_min_version" mapstructure:"tls_min_version"`
|
||||||
TaggedAddresses map[string]string `json:"tagged_addresses,omitempty" hcl:"tagged_addresses" mapstructure:"tagged_addresses"`
|
TLSPreferServerCipherSuites *bool `json:"tls_prefer_server_cipher_suites,omitempty" hcl:"tls_prefer_server_cipher_suites" mapstructure:"tls_prefer_server_cipher_suites"`
|
||||||
Telemetry Telemetry `json:"telemetry,omitempty" hcl:"telemetry" mapstructure:"telemetry"`
|
TaggedAddresses map[string]string `json:"tagged_addresses,omitempty" hcl:"tagged_addresses" mapstructure:"tagged_addresses"`
|
||||||
TranslateWANAddrs *bool `json:"translate_wan_addrs,omitempty" hcl:"translate_wan_addrs" mapstructure:"translate_wan_addrs"`
|
Telemetry Telemetry `json:"telemetry,omitempty" hcl:"telemetry" mapstructure:"telemetry"`
|
||||||
UI *bool `json:"ui,omitempty" hcl:"ui" mapstructure:"ui"`
|
TranslateWANAddrs *bool `json:"translate_wan_addrs,omitempty" hcl:"translate_wan_addrs" mapstructure:"translate_wan_addrs"`
|
||||||
UIDir *string `json:"ui_dir,omitempty" hcl:"ui_dir" mapstructure:"ui_dir"`
|
UI *bool `json:"ui,omitempty" hcl:"ui" mapstructure:"ui"`
|
||||||
UnixSocket UnixSocket `json:"unix_sockets,omitempty" hcl:"unix_sockets" mapstructure:"unix_sockets"`
|
UIDir *string `json:"ui_dir,omitempty" hcl:"ui_dir" mapstructure:"ui_dir"`
|
||||||
VerifyIncoming *bool `json:"verify_incoming,omitempty" hcl:"verify_incoming" mapstructure:"verify_incoming"`
|
UnixSocket UnixSocket `json:"unix_sockets,omitempty" hcl:"unix_sockets" mapstructure:"unix_sockets"`
|
||||||
VerifyIncomingHTTPS *bool `json:"verify_incoming_https,omitempty" hcl:"verify_incoming_https" mapstructure:"verify_incoming_https"`
|
VerifyIncoming *bool `json:"verify_incoming,omitempty" hcl:"verify_incoming" mapstructure:"verify_incoming"`
|
||||||
VerifyIncomingRPC *bool `json:"verify_incoming_rpc,omitempty" hcl:"verify_incoming_rpc" mapstructure:"verify_incoming_rpc"`
|
VerifyIncomingHTTPS *bool `json:"verify_incoming_https,omitempty" hcl:"verify_incoming_https" mapstructure:"verify_incoming_https"`
|
||||||
VerifyOutgoing *bool `json:"verify_outgoing,omitempty" hcl:"verify_outgoing" mapstructure:"verify_outgoing"`
|
VerifyIncomingRPC *bool `json:"verify_incoming_rpc,omitempty" hcl:"verify_incoming_rpc" mapstructure:"verify_incoming_rpc"`
|
||||||
VerifyServerHostname *bool `json:"verify_server_hostname,omitempty" hcl:"verify_server_hostname" mapstructure:"verify_server_hostname"`
|
VerifyOutgoing *bool `json:"verify_outgoing,omitempty" hcl:"verify_outgoing" mapstructure:"verify_outgoing"`
|
||||||
Watches []map[string]interface{} `json:"watches,omitempty" hcl:"watches" mapstructure:"watches"`
|
VerifyServerHostname *bool `json:"verify_server_hostname,omitempty" hcl:"verify_server_hostname" mapstructure:"verify_server_hostname"`
|
||||||
|
Watches []map[string]interface{} `json:"watches,omitempty" hcl:"watches" mapstructure:"watches"`
|
||||||
|
|
||||||
// This isn't used by Consul but we've documented a feature where users
|
// This isn't used by Consul but we've documented a feature where users
|
||||||
// can deploy their snapshot agent configs alongside their Consul configs
|
// can deploy their snapshot agent configs alongside their Consul configs
|
||||||
|
|
|
@ -564,6 +564,16 @@ type RuntimeConfig struct {
|
||||||
// flag: -disable-host-node-id
|
// flag: -disable-host-node-id
|
||||||
DisableHostNodeID bool
|
DisableHostNodeID bool
|
||||||
|
|
||||||
|
// DisableHTTPUnprintableCharFilter will bypass the filter preventing HTTP
|
||||||
|
// URLs from containing unprintable chars. This filter was added in 1.0.3 as a
|
||||||
|
// response to a vulnerability report. Disabling this is never recommended in
|
||||||
|
// general however some users who have keys written in older versions of
|
||||||
|
// Consul may use this to temporarily disable the filter such that they can
|
||||||
|
// delete those keys again! We do not recommend leaving it disabled long term.
|
||||||
|
//
|
||||||
|
// hcl: disable_http_unprintable_char_filter
|
||||||
|
DisableHTTPUnprintableCharFilter bool
|
||||||
|
|
||||||
// DisableKeyringFile disables writing the keyring to a file.
|
// DisableKeyringFile disables writing the keyring to a file.
|
||||||
//
|
//
|
||||||
// hcl: disable_keyring_file = (true|false)
|
// hcl: disable_keyring_file = (true|false)
|
||||||
|
|
|
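Review bot: The new comment on `DisableHTTPUnprintableCharFilter` describes the flag only as a way to delete old keys, but elsewhere in this commit the check wraps the whole mux, so setting it lets unprintable characters through on every HTTP path, not just KV deletes. The comment should say that and state that the default is false (filter enabled). The `hcl:` line also departs from the form used by the neighbouring field; I would write `// hcl: disable_http_unprintable_char_filter = (true|false)` to match `disable_keyring_file`. The `RuntimeConfig` struct begins and ends outside this hunk.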
@ -2621,6 +2621,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
"disable_anonymous_signature": true,
|
"disable_anonymous_signature": true,
|
||||||
"disable_coordinates": true,
|
"disable_coordinates": true,
|
||||||
"disable_host_node_id": true,
|
"disable_host_node_id": true,
|
||||||
|
"disable_http_unprintable_char_filter": true,
|
||||||
"disable_keyring_file": true,
|
"disable_keyring_file": true,
|
||||||
"disable_remote_exec": true,
|
"disable_remote_exec": true,
|
||||||
"disable_update_check": true,
|
"disable_update_check": true,
|
||||||
|
@ -3084,6 +3085,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
disable_anonymous_signature = true
|
disable_anonymous_signature = true
|
||||||
disable_coordinates = true
|
disable_coordinates = true
|
||||||
disable_host_node_id = true
|
disable_host_node_id = true
|
||||||
|
disable_http_unprintable_char_filter = true
|
||||||
disable_keyring_file = true
|
disable_keyring_file = true
|
||||||
disable_remote_exec = true
|
disable_remote_exec = true
|
||||||
disable_update_check = true
|
disable_update_check = true
|
||||||
|
@ -3678,75 +3680,76 @@ func TestFullConfig(t *testing.T) {
|
||||||
"connect_timeout_ms": float64(1000),
|
"connect_timeout_ms": float64(1000),
|
||||||
"pedantic_mode": true,
|
"pedantic_mode": true,
|
||||||
},
|
},
|
||||||
DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")},
|
DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")},
|
||||||
DNSARecordLimit: 29907,
|
DNSARecordLimit: 29907,
|
||||||
DNSAllowStale: true,
|
DNSAllowStale: true,
|
||||||
DNSDisableCompression: true,
|
DNSDisableCompression: true,
|
||||||
DNSDomain: "7W1xXSqd",
|
DNSDomain: "7W1xXSqd",
|
||||||
DNSEnableTruncate: true,
|
DNSEnableTruncate: true,
|
||||||
DNSMaxStale: 29685 * time.Second,
|
DNSMaxStale: 29685 * time.Second,
|
||||||
DNSNodeTTL: 7084 * time.Second,
|
DNSNodeTTL: 7084 * time.Second,
|
||||||
DNSOnlyPassing: true,
|
DNSOnlyPassing: true,
|
||||||
DNSPort: 7001,
|
DNSPort: 7001,
|
||||||
DNSRecursorTimeout: 4427 * time.Second,
|
DNSRecursorTimeout: 4427 * time.Second,
|
||||||
DNSRecursors: []string{"63.38.39.58", "92.49.18.18"},
|
DNSRecursors: []string{"63.38.39.58", "92.49.18.18"},
|
||||||
DNSServiceTTL: map[string]time.Duration{"*": 32030 * time.Second},
|
DNSServiceTTL: map[string]time.Duration{"*": 32030 * time.Second},
|
||||||
DNSUDPAnswerLimit: 29909,
|
DNSUDPAnswerLimit: 29909,
|
||||||
DNSNodeMetaTXT: true,
|
DNSNodeMetaTXT: true,
|
||||||
DataDir: dataDir,
|
DataDir: dataDir,
|
||||||
Datacenter: "rzo029wg",
|
Datacenter: "rzo029wg",
|
||||||
DevMode: true,
|
DevMode: true,
|
||||||
DisableAnonymousSignature: true,
|
DisableAnonymousSignature: true,
|
||||||
DisableCoordinates: true,
|
DisableCoordinates: true,
|
||||||
DisableHostNodeID: true,
|
DisableHostNodeID: true,
|
||||||
DisableKeyringFile: true,
|
DisableHTTPUnprintableCharFilter: true,
|
||||||
DisableRemoteExec: true,
|
DisableKeyringFile: true,
|
||||||
DisableUpdateCheck: true,
|
DisableRemoteExec: true,
|
||||||
DiscardCheckOutput: true,
|
DisableUpdateCheck: true,
|
||||||
DiscoveryMaxStale: 5 * time.Second,
|
DiscardCheckOutput: true,
|
||||||
EnableACLReplication: true,
|
DiscoveryMaxStale: 5 * time.Second,
|
||||||
EnableAgentTLSForChecks: true,
|
EnableACLReplication: true,
|
||||||
EnableDebug: true,
|
EnableAgentTLSForChecks: true,
|
||||||
EnableScriptChecks: true,
|
EnableDebug: true,
|
||||||
EnableSyslog: true,
|
EnableScriptChecks: true,
|
||||||
EnableUI: true,
|
EnableSyslog: true,
|
||||||
EncryptKey: "A4wELWqH",
|
EnableUI: true,
|
||||||
EncryptVerifyIncoming: true,
|
EncryptKey: "A4wELWqH",
|
||||||
EncryptVerifyOutgoing: true,
|
EncryptVerifyIncoming: true,
|
||||||
HTTPAddrs: []net.Addr{tcpAddr("83.39.91.39:7999")},
|
EncryptVerifyOutgoing: true,
|
||||||
HTTPBlockEndpoints: []string{"RBvAFcGD", "fWOWFznh"},
|
HTTPAddrs: []net.Addr{tcpAddr("83.39.91.39:7999")},
|
||||||
HTTPPort: 7999,
|
HTTPBlockEndpoints: []string{"RBvAFcGD", "fWOWFznh"},
|
||||||
HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"},
|
HTTPPort: 7999,
|
||||||
HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")},
|
HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"},
|
||||||
HTTPSPort: 15127,
|
HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")},
|
||||||
KeyFile: "IEkkwgIA",
|
HTTPSPort: 15127,
|
||||||
LeaveDrainTime: 8265 * time.Second,
|
KeyFile: "IEkkwgIA",
|
||||||
LeaveOnTerm: true,
|
LeaveDrainTime: 8265 * time.Second,
|
||||||
LogLevel: "k1zo9Spt",
|
LeaveOnTerm: true,
|
||||||
NodeID: types.NodeID("AsUIlw99"),
|
LogLevel: "k1zo9Spt",
|
||||||
NodeMeta: map[string]string{"5mgGQMBk": "mJLtVMSG", "A7ynFMJB": "0Nx6RGab"},
|
NodeID: types.NodeID("AsUIlw99"),
|
||||||
NodeName: "otlLxGaI",
|
NodeMeta: map[string]string{"5mgGQMBk": "mJLtVMSG", "A7ynFMJB": "0Nx6RGab"},
|
||||||
NonVotingServer: true,
|
NodeName: "otlLxGaI",
|
||||||
PidFile: "43xN80Km",
|
NonVotingServer: true,
|
||||||
RPCAdvertiseAddr: tcpAddr("17.99.29.16:3757"),
|
PidFile: "43xN80Km",
|
||||||
RPCBindAddr: tcpAddr("16.99.34.17:3757"),
|
RPCAdvertiseAddr: tcpAddr("17.99.29.16:3757"),
|
||||||
RPCHoldTimeout: 15707 * time.Second,
|
RPCBindAddr: tcpAddr("16.99.34.17:3757"),
|
||||||
RPCProtocol: 30793,
|
RPCHoldTimeout: 15707 * time.Second,
|
||||||
RPCRateLimit: 12029.43,
|
RPCProtocol: 30793,
|
||||||
RPCMaxBurst: 44848,
|
RPCRateLimit: 12029.43,
|
||||||
RaftProtocol: 19016,
|
RPCMaxBurst: 44848,
|
||||||
RaftSnapshotThreshold: 16384,
|
RaftProtocol: 19016,
|
||||||
RaftSnapshotInterval: 30 * time.Second,
|
RaftSnapshotThreshold: 16384,
|
||||||
ReconnectTimeoutLAN: 23739 * time.Second,
|
RaftSnapshotInterval: 30 * time.Second,
|
||||||
ReconnectTimeoutWAN: 26694 * time.Second,
|
ReconnectTimeoutLAN: 23739 * time.Second,
|
||||||
RejoinAfterLeave: true,
|
ReconnectTimeoutWAN: 26694 * time.Second,
|
||||||
RetryJoinIntervalLAN: 8067 * time.Second,
|
RejoinAfterLeave: true,
|
||||||
RetryJoinIntervalWAN: 28866 * time.Second,
|
RetryJoinIntervalLAN: 8067 * time.Second,
|
||||||
RetryJoinLAN: []string{"pbsSFY7U", "l0qLtWij"},
|
RetryJoinIntervalWAN: 28866 * time.Second,
|
||||||
RetryJoinMaxAttemptsLAN: 913,
|
RetryJoinLAN: []string{"pbsSFY7U", "l0qLtWij"},
|
||||||
RetryJoinMaxAttemptsWAN: 23160,
|
RetryJoinMaxAttemptsLAN: 913,
|
||||||
RetryJoinWAN: []string{"PFsR02Ye", "rJdQIhER"},
|
RetryJoinMaxAttemptsWAN: 23160,
|
||||||
SegmentName: "BC2NhTDi",
|
RetryJoinWAN: []string{"PFsR02Ye", "rJdQIhER"},
|
||||||
|
SegmentName: "BC2NhTDi",
|
||||||
Segments: []structs.NetworkSegment{
|
Segments: []structs.NetworkSegment{
|
||||||
{
|
{
|
||||||
Name: "PExYMe2E",
|
Name: "PExYMe2E",
|
||||||
|
@ -4403,6 +4406,7 @@ func TestSanitize(t *testing.T) {
|
||||||
"DevMode": false,
|
"DevMode": false,
|
||||||
"DisableAnonymousSignature": false,
|
"DisableAnonymousSignature": false,
|
||||||
"DisableCoordinates": false,
|
"DisableCoordinates": false,
|
||||||
|
"DisableHTTPUnprintableCharFilter": false,
|
||||||
"DisableHostNodeID": false,
|
"DisableHostNodeID": false,
|
||||||
"DisableKeyringFile": false,
|
"DisableKeyringFile": false,
|
||||||
"DisableRemoteExec": false,
|
"DisableRemoteExec": false,
|
||||||
|
|
|
@ -187,10 +187,15 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wrap the whole mux with a handler that bans URLs with non-printable
|
// Wrap the whole mux with a handler that bans URLs with non-printable
|
||||||
// characters.
|
// characters, unless disabled explicitly to deal with old keys that fail this
|
||||||
|
// check.
|
||||||
|
h := cleanhttp.PrintablePathCheckHandler(mux, nil)
|
||||||
|
if s.agent.config.DisableHTTPUnprintableCharFilter {
|
||||||
|
h = mux
|
||||||
|
}
|
||||||
return &wrappedMux{
|
return &wrappedMux{
|
||||||
mux: mux,
|
mux: mux,
|
||||||
handler: cleanhttp.PrintablePathCheckHandler(mux, nil),
|
handler: h,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
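Review bot: Nothing in the new `if s.agent.config.DisableHTTPUnprintableCharFilter` branch records that the printable-path check has been switched off, so an agent left running with the filter disabled is indistinguishable in its logs from a protected one. Because the option is meant to be temporary, a warning when the branch is taken would make that state visible to operators, for example `s.agent.logger.Printf("[WARN] http: unprintable character path filter is disabled")` (this assumes the agent's logger is reachable from `HTTPServer` here; confirm). Choosing the handler with an if/else, instead of constructing `PrintablePathCheckHandler` and then overwriting `h`, would also read more directly. The body of `handler` starts outside this hunk.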
@ -327,6 +327,19 @@ func TestHTTPAPI_Ban_Nonprintable_Characters(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestHTTPAPI_Allow_Nonprintable_Characters_With_Flag(t *testing.T) {
|
||||||
|
a := NewTestAgent(t.Name(), "disable_http_unprintable_char_filter = true")
|
||||||
|
defer a.Shutdown()
|
||||||
|
|
||||||
|
req, _ := http.NewRequest("GET", "/v1/kv/bad\x00ness", nil)
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
a.srv.Handler.ServeHTTP(resp, req)
|
||||||
|
// Key doesn't actually exist so we should get 404
|
||||||
|
if got, want := resp.Code, http.StatusNotFound; got != want {
|
||||||
|
t.Fatalf("bad response code got %d want %d", got, want)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestHTTPAPI_TranslateAddrHeader(t *testing.T) {
|
func TestHTTPAPI_TranslateAddrHeader(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
// Header should not be present if address translation is off.
|
// Header should not be present if address translation is off.
|
||||||
|
|
|
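Review bot: The error from `http.NewRequest` is discarded in `TestHTTPAPI_Allow_Nonprintable_Characters_With_Flag`, and the request path holds a NUL byte. On a Go toolchain whose URL parser rejects control characters, `req` would be nil and the test would likely panic inside `ServeHTTP` instead of failing with a message. Checking the error keeps the failure readable: `req, err := http.NewRequest("GET", "/v1/kv/bad\x00ness", nil)` followed by `if err != nil { t.Fatal(err) }`. The test also exercises only GET, while the documentation added in this commit gives deleting old keys as the reason for the option, so a DELETE request against the same path would pin the behaviour the flag exists for.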
@ -749,6 +749,17 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
||||||
* <a name="disable_host_node_id"></a><a href="#disable_host_node_id">`disable_host_node_id`</a>
|
* <a name="disable_host_node_id"></a><a href="#disable_host_node_id">`disable_host_node_id`</a>
|
||||||
Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id).
|
Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id).
|
||||||
|
|
||||||
|
* <a name="disable_http_unprintable_char_filter"></a><a href="#disable_http_unprintable_char_filter">`disable_http_unprintable_char_filter`</a>
|
||||||
|
Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where
|
||||||
|
malicious users could craft KV keys with unprintable chars that would confuse
|
||||||
|
operators using the CLI or UI into taking wrong actions. Users who had data
|
||||||
|
written in older versions of Consul that did not have this restriction will be
|
||||||
|
unable to delete those values by default in 1.0.3 or later. This setting
|
||||||
|
enables those users to _temporarily_ disable the filter such that delete
|
||||||
|
operations can work on those keys again to get back to a healthy state. It is
|
||||||
|
strongly recommended that this filter is not disabled permanently as it
|
||||||
|
exposes the original security vulnerability.
|
||||||
|
|
||||||
* <a name="disable_remote_exec"></a><a href="#disable_remote_exec">`disable_remote_exec`</a>
|
* <a name="disable_remote_exec"></a><a href="#disable_remote_exec">`disable_remote_exec`</a>
|
||||||
Disables support for remote execution. When set to true, the agent will ignore any incoming
|
Disables support for remote execution. When set to true, the agent will ignore any incoming
|
||||||
remote exec requests. In versions of Consul prior to 0.8, this defaulted to false. In Consul
|
remote exec requests. In versions of Consul prior to 0.8, this defaulted to false. In Consul
|
||||||
|
|