Add ACL support to the server (closes #25)

luca0N commented

2026-02-02 23:49:40 +00:00

Owner

This pull request adds the ACL functionality to the server, which allows administrators to define which hosts have access to the server. At this time, the Lanbassador server will establish connection with any host it can reach, which may be undesirable due to the information being dealt with by Lanbassador. The ACL functionality makes it easy for administrators to prevent unauthorized access to their servers, and avoid sensitive/confidential data in their networks.

Create sample configuration file
Parse configuration file
Retrieve host addresses on connection
- Close connection if the host is unauthorized to connect, based on ACL rules
- Only allow connections from hosts in allowlist

This pull request does not add account support, which is tracked by issue #26.

This pull request adds the ACL functionality to the server, which allows administrators to define which hosts have access to the server. At this time, the Lanbassador server will establish connection with any host it can reach, which may be undesirable due to the information being dealt with by Lanbassador. The ACL functionality makes it easy for administrators to prevent unauthorized access to their servers, and avoid sensitive/confidential data in their networks. - [x] Create sample configuration file - [x] Parse configuration file - [x] Retrieve host addresses on connection - [x] Close connection if the host is unauthorized to connect, based on ACL rules - [x] Only allow connections from hosts in allowlist This pull request does _not_ add account support, which is tracked by issue #26.

luca0N added the

labels

2026-02-02 23:49:40 +00:00

luca0N self-assigned this

2026-02-02 23:49:40 +00:00

luca0N added 1 commit

2026-02-02 23:49:40 +00:00

Add initial server configuration file 3c04242070

Add the initial server configuration file.  This file will follow the
same syntax that is used among many *NIX programs, which is based on the
INI format.  For now, only options regarding the ACL feature that is
planned have been added.  This commit does not add any functionality to
the server yet, it merely adds this configuration file, which the server
will then parse in a future commit.

luca0N commented

2026-02-02 23:54:39 +00:00

Author

Owner

As for the configuration file path, I believe it should be kept on /etc/lanbassador/server.cfg by default. The /etc/lanbassador path is already used in the web app Docker image¹ Administrators should have the ability to override this path, either via an environment variable, command line option, or a build option (which would change the default hardcoded path).

I think having the configuration file in the same path as the server program is bad design, since program executables are usually stored in /usr/bin, and configuration files are usually stored in /etc. Even if Lanbassador were to be ported to Windows, that would still be bad design, since %ProgramFiles% is meant to be read only (hence the UAC requirement when installing programs there).

client/Dockerfile
Line 49 in eec7526
ln -s /etc/lanbassador/client.json lanbassador-config.json
↩︎

As for the configuration file path, I believe it should be kept on `/etc/lanbassador/server.cfg` by default. The `/etc/lanbassador` path is already used in the web app Docker image[^1] Administrators should have the ability to override this path, either via an environment variable, command line option, or a build option (which would change the default hardcoded path). I think having the configuration file in the same path as the server program is bad design, since program executables are usually stored in `/usr/bin`, and configuration files are usually stored in `/etc`. Even if Lanbassador were to be ported to Windows, that would still be bad design, since `%ProgramFiles%` is meant to be read only (hence the UAC requirement when installing programs there). [^1]: https://git.luca0n.com/luca0N/lanbassador/src/commit/eec752603dd2310f8ad36e2a40ac00dd58ad0a3a/client/Dockerfile#L49

luca0N added a new dependency

2026-02-02 23:55:09 +00:00

#25 Add ACL support to the server

luca0N added 1 commit

2026-02-03 10:30:26 +00:00

Parse host address on WebSocket connection 7e5ce59c90

When establishing a connection with a remote host, parse its IP address.
This will come in handy in a future commit, which will make use of these
changes to check if a host is authorized to connect to the server or
not, based on ACL rules.

This commit does not introduce any ACL functionality: it only parses the
source connection host address and prints it to standard output.

luca0N added 1 commit

2026-02-04 23:43:51 +00:00

Read and parse server configuration file bb6ef16211

Add support for reading and parsing the server configuration file using
the `gopkg.in/ini.v1' library, and add required dependency.

luca0N commented

2026-02-04 23:48:35 +00:00

Author

Owner

I don't really see much point in manually parsing an environment variable that points to the location of the Lanbassador server configuration file.

I would like to refactor the command line and environment variable parsing code¹ at some point, but not in this pull request.

Ultimately, I think a new function could be created that handles command line arguments and environment variables. This function could accept two fundamental arguments: one for the command line option, and another for a (fallback) environment variable, returning the value that it was able to find. This would make the code cleaner (although, at this stage, it's not that complex), and would also make the implementation of further runtime preferences much smoother.

 	settingsPath := flag.String("config", LANBASSADOR_SERVER_DEFAULT_PATH, "<path to configuration file>")
 	scanIface := flag.String("iface", "", "<interface name>")
 	envIface, err := getEnvironKey("LANBASSADOR_INTERFACE")
 	flag.Parse()
 	loadSettings(*settingsPath)
 	if *scanIface == "" {
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "error: missing required parameter: iface")
 			os.Exit(1)
 			return
 		}
 		*scanIface = envIface
 	}

↩︎

I don't really see much point in _manually_ parsing an environment variable that points to the location of the Lanbassador server configuration file. I would like to refactor the command line and environment variable parsing code[^1] at some point, but not in this pull request. Ultimately, I think a new function could be created that handles command line arguments and environment variables. This function could accept two fundamental arguments: one for the command line option, and another for a (fallback) environment variable, returning the value that it was able to find. This would make the code cleaner (although, at this stage, it's not _that_ complex), and would also make the implementation of further runtime preferences much smoother. [^1]: https://git.luca0n.com/luca0N/lanbassador/src/commit/bb6ef16211406027b026fd5eaf3108ba8c59a75e/server/main.go#L215-L230

luca0N added 1 commit

2026-02-05 23:56:44 +00:00

Parse denylist IP addresses in config.go ef78b3c55e

Parse denylist IP addresses to `net.IPNet' slices in config.go, and make
the `loadSettings()' function return an error instead of panicking.

luca0N added 1 commit

2026-02-05 23:59:11 +00:00

Check incoming connections against denylist 7806852c16

When establishing a connection with a client, check its host address
against the loaded ACL denylist, and then close it (if applicable).

luca0N added 3 commits

2026-02-06 11:00:25 +00:00

Check server ACLs before upgrading to WebSocket f589bf714f

When receiving a connection request from a client, check the ACL rules
before upgrading the HTTP connection to WebSocket, sending a response
with the appropriate status code if it's forbidden.

Rename configuration-related server identifiers 3bc753cb3b

In the server code, rename some identifiers used for
configuration-related function names and constants for code consistency.

Bump copyright year in server stdout message 3c7bc2f605

Bump the copyright year range when printing the server message that is
shown when the program starts.

luca0N commented

2026-02-06 11:03:13 +00:00

Author

Owner

I was originally planning on outright resetting (RST) the TCP connection when a host forbidden by ACL rules made any attempts to connect, but I think that would be bad design, so a 403 response is sent instead¹.

server/main.go
Line 137 in 3c7bc2f
w.WriteHeader(http.StatusForbidden)
↩︎

I was originally planning on outright resetting (RST) the TCP connection when a host forbidden by ACL rules made any attempts to connect, but I think that would be bad design, so a 403 response is sent instead[^1]. [^1]: https://git.luca0n.com/luca0N/lanbassador/src/commit/3c7bc2f605cf5647b707e68dd9816422b1f3dab6/server/main.go#L137

luca0N added 2 commits

2026-02-07 23:36:35 +00:00

Add support for allowlist entries 9c6b090ca6

Parse allowlist entries configured in the server configuration file, and
check incoming connection host addresses against hosts specified in the
allowlist (if any).

Fix typo in server configuration file comment eaff765407

Fix a minor typo in a comment from the server configuration file.

luca0N changed title from ~~WIP: Add ACL support to the server (closes #25)~~ to Add ACL support to the server (closes #25)

2026-02-07 23:37:11 +00:00

luca0N referenced this pull request from a commit

2026-02-07 23:46:46 +00:00

Merge pull request 'Add ACL support to the server (closes #25)' (#42) from dev_server_acl into dev

luca0N manually merged commit af04bc846c into dev

2026-02-07 23:46:46 +00:00

luca0N deleted branch dev_server_acl

2026-02-07 23:47:20 +00:00

luca0N referenced this pull request from a commit

2026-02-11 23:48:34 +00:00

Update message in server connection error dialog

Rows
Columns

Add ACL support to the server (closes #25) #42