From 28ffdc1d9b9b0bcad82c4e1c8fb8b8a6e9ca2ed2 Mon Sep 17 00:00:00 2001
From: Niklas Sombert
Date: Wed, 11 Dec 2024 15:13:15 +0100
Subject: [PATCH] dnpm: Secure endpoints for ETL and p2p communications

---
 ccp/modules/dnpm-node-compose.yml     | 18 +++++++++++++++++-
 minimal/modules/dnpm-node-compose.yml | 18 +++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/ccp/modules/dnpm-node-compose.yml b/ccp/modules/dnpm-node-compose.yml
index 6f85ca54..75880f85 100644
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -74,9 +74,25 @@ services:
         condition: service_healthy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 
   landing:
     labels:
diff --git a/minimal/modules/dnpm-node-compose.yml b/minimal/modules/dnpm-node-compose.yml
index 6f85ca54..75880f85 100644
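Review bot: The ETL router's `middlewares=auth` label references a middleware that is not defined anywhere in this hunk, and if that name does not resolve at runtime Traefik discards the router, so ETL requests silently fall through to the catch-all `dnpm-backend` router with no authentication — the same applies to the identical hunk in minimal/modules/dnpm-node-compose.yml. If `auth` is declared by another provider it presumably needs the provider suffix (e.g. `auth@file` — confirm against where it is actually defined), and a comment such as `# 'auth' must exist, otherwise this router is dropped and /api falls back to the unauthenticated catch-all` would make the dependency visible. Both guard routers also win over the `PathPrefix` router only through Traefik's default rule-length priority; pinning it with `- "traefik.http.routers.dnpm-backend-etl.priority=100"` and the same for `dnpm-backend-peer` documents the intent and keeps the protection stable when rules are edited later. Finally the ETL regex `^/api(/.*)?etl(/.*)?$` lacks the `/` before `etl` that the peer rule has, so it also matches any path containing `etl` as a substring (over-matching rather than a bypass); `^/api(/.*)?/etl(/.*)?$` would make the two rules consistent.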
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -74,9 +74,25 @@ services:
         condition: service_healthy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 
   landing:
     labels: