remove TLS code from rest_api.py and force it to listen on localhost.
This is to force people to put a reverse proxy (something like nginx proxy_pass) between the wider internet and BitBot's REST API, as the Python stdlib http.server is not production-secure.
parent
710caebbc4
commit
fac0f569b8
1 changed files with 1 additions and 8 deletions
|
@ -1,8 +1,6 @@
|
||||||
#--depends-on commands
|
#--depends-on commands
|
||||||
#--depends-on config
|
#--depends-on config
|
||||||
#--depends-on permissions
|
#--depends-on permissions
|
||||||
#--require-config tls-api-key
|
|
||||||
#--require-config tls-api-certificate
|
|
||||||
|
|
||||||
import http.server, json, socket, ssl, threading, uuid, urllib.parse
|
import http.server, json, socket, ssl, threading, uuid, urllib.parse
|
||||||
from src import ModuleManager, utils
|
from src import ModuleManager, utils
|
||||||
|
@ -177,12 +175,7 @@ class Module(ModuleManager.BaseModule):
|
||||||
self.httpd = None
|
self.httpd = None
|
||||||
if self.bot.get_setting("rest-api", False):
|
if self.bot.get_setting("rest-api", False):
|
||||||
port = int(self.bot.config.get("api-port", "5000"))
|
port = int(self.bot.config.get("api-port", "5000"))
|
||||||
self.httpd = BitBotIPv6HTTPd(("", port), Handler)
|
self.httpd = BitBotIPv6HTTPd(("::1", port), Handler)
|
||||||
|
|
||||||
self.httpd.socket = utils.security.ssl_wrap(self.httpd.socket,
|
|
||||||
cert=self.bot.config["tls-api-certificate"],
|
|
||||||
key=self.bot.config["tls-api-key"],
|
|
||||||
server_side=True, verify=False)
|
|
||||||
|
|
||||||
self.thread = threading.Thread(target=self.httpd.serve_forever)
|
self.thread = threading.Thread(target=self.httpd.serve_forever)
|
||||||
self.thread.daemon = True
|
self.thread.daemon = True
|
||||||
|
|
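Review bot: The new bind address `("::1", port)` in the second hunk is IPv6 loopback only, so a reverse proxy pointed at `127.0.0.1` will be refused and the bind will fail on a host with IPv6 disabled; the line deserves a comment such as `# IPv6 loopback only: proxy to http://[::1]:<api-port>; TLS is terminated by the reverse proxy`. A loopback listener is still reachable in plaintext by every local user and process on the host, so whatever authentication `Handler` performs (not visible here) remains the only access control and should be documented as such. Behind a proxy every request will presumably arrive from `::1`, so any client-address logging or checks in `Handler` would need the forwarded address instead. The `ssl` name on the unchanged import line of the first hunk looks unused after this change, as far as the visible hunks show. The enclosing method starts and ends outside the hunk.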