starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 04:45:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #216] Some basic form of access control #101

New issue
Open
opened 2026-03-13 15:46:47 +03:00 by kerem · 5 comments
kerem commented 2026-03-13 15:46:47 +03:00
Owner
Copy link

Originally created by @emilazy on GitHub (Mar 19, 2020).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/216

Currently, if running an acme-dns server locally, any user can pollute the database with curl -X POST .../register, and if serving the API over the network then firewalling is the only access control available.

It's probably not a good idea for acme-dns to grow complex authentication mechanisms – anyone exposing it over the network with such needs should probably be running it behind a reverse proxy anyway – but it would be nice if e.g. HTTP Authorization: Basic with a simple shared secret was supported.

Originally created by @emilazy on GitHub (Mar 19, 2020). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/216 Currently, if running an acme-dns server locally, any user can pollute the database with `curl -X POST .../register`, and if serving the API over the network then firewalling is the only access control available. It's probably not a good idea for acme-dns to grow complex authentication mechanisms – anyone exposing it over the network with such needs should probably be running it behind a reverse proxy anyway – but it would be nice if e.g. HTTP `Authorization: Basic` with a simple shared secret was supported.
kerem commented 2026-03-13 15:46:57 +03:00
Author
Owner
Copy link

@webprofusion-chrisc commented on GitHub (Mar 20, 2020):

You'd probably need it to be done in a way that your acme client doesn't need modification, so the easiest thing may be a token in the base url e.g. https://your-acme-dns/6469b532-bf2b-4523-b533-ca8ae4de3f08/register - any other compatible ways?

You can also (as a workaround) just put your http api behind a free cloudflare worker and have that require an auth token as part of the request url (your worker would then validate it, strip out the extra token and forward the real request).

<!-- gh-comment-id:601578140 --> @webprofusion-chrisc commented on GitHub (Mar 20, 2020): You'd probably need it to be done in a way that your acme client doesn't need modification, so the easiest thing may be a token in the base url e.g. https://your-acme-dns/6469b532-bf2b-4523-b533-ca8ae4de3f08/register - any other compatible ways? You can also (as a workaround) just put your http api behind a free cloudflare worker and have that require an auth token as part of the request url (your worker would then validate it, strip out the extra token and forward the real request).
kerem commented 2026-03-13 15:47:03 +03:00
Author
Owner
Copy link

@emilazy commented on GitHub (Mar 20, 2020):

That seems like a reasonable approach; in my integration registration is performed separately to the ACME client so compatibility isn't a big concern, but I agree it's a relevant consideration.

I think an authentication-aware reverse proxy is the best approach for deployment over the internet, but unfortunately it doesn't work very well for the local server case; you can use network namespaces and iptables to do it, but it's a lot of moving parts. Of course, local users being able to register useless subdomains is not much of an attack vector beyond the theoretical DoS potential, but unauthenticated local TCP servers are a bugbear of mine...

In an ideal world acme-dns could listen on a Unix socket and you could use the operating system's usual access control mechanisms. Unfortunately I doubt any ACME client at all supports HTTP over Unix domain sockets :)

<!-- gh-comment-id:601852389 --> @emilazy commented on GitHub (Mar 20, 2020): That seems like a reasonable approach; in my integration registration is performed separately to the ACME client so compatibility isn't a big concern, but I agree it's a relevant consideration. I think an authentication-aware reverse proxy is the best approach for deployment over the internet, but unfortunately it doesn't work very well for the local server case; you can use network namespaces and iptables to do it, but it's a lot of moving parts. Of course, local users being able to register useless subdomains is not much of an attack vector beyond the theoretical DoS potential, but unauthenticated local TCP servers are a bugbear of mine... In an ideal world acme-dns could listen on a Unix socket and you could use the operating system's usual access control mechanisms. Unfortunately I doubt any ACME client at all supports HTTP over Unix domain sockets :)
kerem commented 2026-03-13 15:47:08 +03:00
Author
Owner
Copy link

@jvanasco commented on GitHub (Jun 1, 2020):

I address this concern with another workaround, by toggling whether the /registration endpoint is active or not by adjusting the disable_registration config option.

This method has worked for me, because I only spin up acme-dns via scripts when renewing (or enrolling) domains. The same scripts adjust the iptables too.

I am +1 on there being some sort of access. I like the idea of using a generic token prefix, since that could be easier than HTTP Authorization for most of the clients I have seen – though this is a biased view. (The inverse can also be true and I have no idea what the capabilities are in the total ecosystem or the top 10% of clients.)

The iptables approach i've been using is described in #67

<!-- gh-comment-id:637074759 --> @jvanasco commented on GitHub (Jun 1, 2020): I address this concern with another workaround, by toggling whether the `/registration` endpoint is active or not by adjusting the `disable_registration` config option. This method has worked for me, because I only spin up acme-dns via scripts when renewing (or enrolling) domains. The same scripts adjust the iptables too. I am +1 on there being some sort of access. I like the idea of using a generic token prefix, since that could be easier than HTTP Authorization for most of the clients I have seen – though this is a biased view. (The inverse can also be true and I have no idea what the capabilities are in the total ecosystem or the top 10% of clients.) The iptables approach i've been using is described in #67
kerem commented 2026-03-13 15:47:13 +03:00
Author
Owner
Copy link

@dereckson commented on GitHub (Sep 24, 2020):

A best practice could be to listen publicly to the port 53, but only bind the HTTP endpoint to a private IP accessible by all your servers.

To have a private network across all the servers, through what the ISP offers (vRack at OVH, RPN as Online, VPC at AWS, etc.), virtual cards when you manage your VMs on a hypervisor and at worst GRE tunnels when nothing else can work is a luxury very convenient to solve this kind of problems and avoid a lot of security issues.

<!-- gh-comment-id:698082009 --> @dereckson commented on GitHub (Sep 24, 2020): A best practice could be to listen publicly to the port 53, but only bind the HTTP endpoint to a private IP accessible by all your servers. To have a private network across all the servers, through what the ISP offers (vRack at OVH, RPN as Online, VPC at AWS, etc.), virtual cards when you manage your VMs on a hypervisor and at worst GRE tunnels when nothing else can work is a luxury very convenient to solve this kind of problems and avoid a lot of security issues.
kerem commented 2026-03-13 15:47:18 +03:00
Author
Owner
Copy link

@candlerb commented on GitHub (Feb 21, 2022):

For me, I would simply like to have an "allowed_registration" set of IP blocks, comparable to "allowfrom" for DNS updates.

That is: I don't want to disable registration entirely. But I do want to be able to do register domains on a local trusted host, and then push out the username/password/subdomain to some remote host which is going to request the certificate.

<!-- gh-comment-id:1047230235 --> @candlerb commented on GitHub (Feb 21, 2022): For me, I would simply like to have an "allowed_registration" set of IP blocks, comparable to "allowfrom" for DNS updates. That is: I don't want to disable registration entirely. But I do want to be able to do register domains on a local trusted host, and then push out the username/password/subdomain to some remote host which is going to request the certificate.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#101
No description provided.