
Closes #2371 #2372

Merged
merged 5 commits into from
Jul 12, 2021

Conversation

JustArchi
Member

@JustArchi JustArchi commented Jul 10, 2021

Closes #2371

@vital7 @Abrynos @Ryzhehvost feel free to review and test.

@JustArchi JustArchi added the ✨ Enhancement Issues marked with this label indicate further enhancements to the program, such as new features. label Jul 10, 2021
@JustArchi
Member Author

JustArchi commented Jul 10, 2021

https://github.com/JustArchiNET/ArchiSteamFarm/wiki/IPC#custom-configuration

KnownNetworks - This variable specifies network addresses which we consider trustworthy. By default, ASF is configured to trust private address space, which considers your LAN, VPNs and alike. This property is used in two ways. Firstly, if you omit IPCPassword, then we'll allow only machines from known networks to access ASF's API, and deny everybody else as a security measure. Secondly, this property is crucial in regards to reverse-proxies accessing ASF, as ASF will honor its headers only if the reverse-proxy server is from within known networks. Honoring the headers is crucial in regards to ASF's anti-bruteforce mechanism, as instead of banning the reverse-proxy in case of a problem, it'll ban the IP specified by the reverse-proxy as the source of the original message. Be extremely careful with the networks you specify here, as it allows a potential IP spoofing attack and unauthorized access in case the trusted machine is compromised or wrongly configured. If by any case you're connected to a private network that you do not trust, yet you still decided to enable access from them through Endpoints specified above, then you can override this property to something more restrictive such as "KnownNetworks": [] in order to remove the default behaviour of trusting them.
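An added example, not ASF's own code: a small Python model of the policy the quoted wiki text describes, namely that a forwarded-client header is honored only when the connecting peer is inside KnownNetworks, that without IPCPassword only known networks are admitted, and that auth-failure bans key on the forwarded client rather than the proxy. The `max_failed_auth` threshold and the function names are assumptions for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IpcConfig:
    # CIDR strings; [] models the new default and the "KnownNetworks": [] override
    known_networks: list = field(default_factory=list)
    ipc_password: Optional[str] = None
    max_failed_auth: int = 5  # assumed threshold, not ASF's real value


def in_known_networks(cfg: IpcConfig, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in cfg.known_networks)


def effective_client_ip(cfg: IpcConfig, remote_ip: str, forwarded_for: Optional[str] = None) -> str:
    # Honor the proxy header only when the connecting peer is itself trusted,
    # so an arbitrary client cannot spoof its source address by sending the header.
    if forwarded_for and in_known_networks(cfg, remote_ip):
        return forwarded_for.split(",")[0].strip()  # first entry is the original client
    return remote_ip


def is_request_allowed(cfg: IpcConfig, remote_ip: str, forwarded_for: Optional[str] = None,
                       failures: Optional[Counter] = None) -> bool:
    client = effective_client_ip(cfg, remote_ip, forwarded_for)
    if failures is not None and failures[client] >= cfg.max_failed_auth:
        return False  # banned: the forwarded client is keyed, not the reverse proxy
    if cfg.ipc_password is None:
        return in_known_networks(cfg, client)  # no password: known networks only
    return True  # password set: the credential check decides at authentication time


def record_auth_failure(cfg: IpcConfig, failures: Counter, remote_ip: str,
                        forwarded_for: Optional[str] = None) -> None:
    failures[effective_client_ip(cfg, remote_ip, forwarded_for)] += 1
```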

Review comment on ArchiSteamFarm/IPC/Startup.cs (resolved)
Review comment on ArchiSteamFarm/IPC/Startup.cs (outdated, resolved)
@JustArchi JustArchi requested review from Abrynos and ezhevita July 10, 2021 18:33
@JustArchi JustArchi added 📢 Feedback welcome Issues marked with this label are open to any potential feedback that could help us. 🏁 Finished Issues marked with this label were finished already and no further work is required on them. labels Jul 10, 2021
@JustArchi
Member Author

I'm still deciding upon the default behaviour with local networks, I left that one up to our Discord server to decide: https://ptb.discord.com/channels/267292556709068800/363458066722848779/863752421838290974

@JustArchi
Member Author

As per our voting, it seems more people are after NOT trusting local networks than trusting them, so I changed the default to that. I'll still wait a bit more for the voting to stabilize and end, but I see lack of trust as the clear winner for now.

@Abrynos
Member

Abrynos commented Jul 11, 2021

We could also add something like "TrustLocalNetworks": false to ASF.json.

Not that I particularly like the thought of adding new config options, which are also possible to set in IPC.config, but a lot of users seem to have difficulty finding out about IPC.config in the first place (my guess is: nobody scrolls to the bottom of IPC section on our wiki without being told to do so on our discord server).

@JustArchi
Member Author

No redundant, duplicate settings that achieve the same thing; if anything, we could bring the custom config of IPC up.

@Abrynos
Member

Abrynos commented Jul 11, 2021

if anything, we could bring the custom config of IPC up.

Please do so. The whole thing about the API, swagger, authentication, etc. is more aimed at developers rather than users anyways and I do believe that we should optimize slightly more towards users in wiki.

@JustArchi
Member Author

I slightly reordered that so custom config is higher, but everything on that page is equally important.

@JustArchi JustArchi requested a review from ezhevita July 12, 2021 11:00
@JustArchi
Member Author

Thanks for feedback everyone 🏆

@JustArchi JustArchi merged commit 13e9f1a into main Jul 12, 2021
@JustArchi JustArchi deleted the ipc-security branch July 12, 2021 11:40
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 12, 2021
Successfully merging this pull request may close these issues.

Prevent ASF from accepting requests from public network if IPCPassword is not set