YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1451 from Tagadda/enh-ipv6-only

Browse source 
Add a global setting for DNS exposure given the IP version
This commit is contained in:
Alexandre Aubin 2023-01-30 16:24:05 +01:00 committed by GitHub
commit 396b0f4ef2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 33 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
locales/en.json
View file

@ -245,6 +245,7 @@
"diagnosis_ip_no_ipv4": "The server does not have working IPv4.",
"diagnosis_ip_no_ipv6": "The server does not have working IPv6.",
"diagnosis_ip_no_ipv6_tip": "Having a working IPv6 is not mandatory for your server to work, but it is better for the health of the Internet as a whole. IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: <a href='https://yunohost.org/#/ipv6'>https://yunohost.org/#/ipv6</a>. If you cannot enable IPv6 or if it seems too technical for you, you can also safely ignore this warning.",
"diagnosis_ip_no_ipv6_tip_important": "IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: <a href='https://yunohost.org/#/ipv6'>https://yunohost.org/#/ipv6</a>.",
"diagnosis_ip_not_connected_at_all": "The server does not seem to be connected to the Internet at all!?",
"diagnosis_ip_weird_resolvconf": "DNS resolution seems to be working, but it looks like you're using a custom <code>/etc/resolv.conf</code>.",
"diagnosis_ip_weird_resolvconf_details": "The file <code>/etc/resolv.conf</code> should be a symlink to <code>/etc/resolvconf/run/resolv.conf</code> itself pointing to <code>127.0.0.1</code> (dnsmasq). If you want to manually configure DNS resolvers, please edit <code>/etc/resolv.dnsmasq.conf</code>.",
@ -399,6 +400,8 @@
"firewall_reloaded": "Firewall reloaded",
"firewall_rules_cmd_failed": "Some firewall rule commands have failed. More info in log.",
"global_settings_reset_success": "Reset global settings",
"global_settings_setting_dns_exposure": "IP versions to consider for DNS configuration and diagnosis",
"global_settings_setting_dns_exposure_help": "NB: This only affects the recommended DNS configuration and diagnosis checks. This does not affect system configurations.",
"global_settings_setting_admin_strength": "Admin password strength requirements",
"global_settings_setting_admin_strength_help": "These requirements are only enforced when initializing or changing the password",
"global_settings_setting_backup_compress_tar_archives": "Compress backups",

9
share/config_global.toml
View file

@ -160,3 +160,12 @@ name = "Other"
[misc.backup.backup_compress_tar_archives]
type = "boolean"
default = false
[misc.network]
name = "Network"
[misc.network.dns_exposure]
type = "select"
choices.both = "Both"
choices.ipv4 = "IPv4 Only"
choices.ipv6 = "IPv6 Only"
default = "both"

10
src/diagnosers/10-ip.py
View file

@ -28,6 +28,7 @@ from moulinette.utils.filesystem import read_file
from yunohost.diagnosis import Diagnoser
from yunohost.utils.network import get_network_interfaces
from yunohost.settings import settings_get
logger = log.getActionLogger("yunohost.diagnosis")
@ -118,10 +119,13 @@ class MyDiagnoser(Diagnoser):
else:
return local_ip
def is_ipvx_important(x):
return settings_get("misc.network.dns_exposure") in ["both", "ipv"+str(x)]
yield dict(
meta={"test": "ipv4"},
data={"global": ipv4, "local": get_local_ip("ipv4")},
status="SUCCESS" if ipv4 else "ERROR",
status="SUCCESS" if ipv4 else "ERROR" if is_ipvx_important(4) else "WARNING",
summary="diagnosis_ip_connected_ipv4" if ipv4 else "diagnosis_ip_no_ipv4",
details=["diagnosis_ip_global", "diagnosis_ip_local"] if ipv4 else None,
)
@ -129,11 +133,11 @@ class MyDiagnoser(Diagnoser):
yield dict(
meta={"test": "ipv6"},
data={"global": ipv6, "local": get_local_ip("ipv6")},
status="SUCCESS" if ipv6 else "WARNING",
status="SUCCESS" if ipv6 else "ERROR" if is_ipvx_important(6) else "WARNING",
summary="diagnosis_ip_connected_ipv6" if ipv6 else "diagnosis_ip_no_ipv6",
details=["diagnosis_ip_global", "diagnosis_ip_local"]
if ipv6
else ["diagnosis_ip_no_ipv6_tip"],
else ["diagnosis_ip_no_ipv6_tip_important" if is_ipvx_important(6) else "diagnosis_ip_no_ipv6_tip"],
)
# TODO / FIXME : add some attempt to detect ISP (using whois ?) ?

5
src/diagnosers/14-ports.py
View file

@ -21,6 +21,7 @@ from typing import List
from yunohost.diagnosis import Diagnoser
from yunohost.service import _get_services
from yunohost.settings import settings_get
class MyDiagnoser(Diagnoser):
@ -46,7 +47,7 @@ class MyDiagnoser(Diagnoser):
ipversions = []
ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {}
if ipv4.get("status") == "SUCCESS":
if ipv4.get("status") == "SUCCESS" or settings_get("misc.network.dns_exposure") != "ipv6":
ipversions.append(4)
# To be discussed: we could also make this check dependent on the
@ -120,7 +121,7 @@ class MyDiagnoser(Diagnoser):
for record in dnsrecords.get("items", [])
)
if failed == 4 or ipv6_is_important():
if (failed == 4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]) or (failed == 6 and ipv6_is_important()):
yield dict(
meta={"port": port},
data={

9
src/diagnosers/21-web.py
View file

@ -26,6 +26,7 @@ from moulinette.utils.filesystem import read_file, mkdir, rm
from yunohost.diagnosis import Diagnoser
from yunohost.domain import domain_list
from yunohost.utils.dns import is_special_use_tld
from yunohost.settings import settings_get
DIAGNOSIS_SERVER = "diagnosis.yunohost.org"
@ -76,7 +77,7 @@ class MyDiagnoser(Diagnoser):
ipversions = []
ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {}
if ipv4.get("status") == "SUCCESS":
if ipv4.get("status") == "SUCCESS" and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
ipversions.append(4)
# To be discussed: we could also make this check dependent on the
@ -96,7 +97,7 @@ class MyDiagnoser(Diagnoser):
# "curl --head the.global.ip" will simply timeout...
if self.do_hairpinning_test:
global_ipv4 = ipv4.get("data", {}).get("global", None)
if global_ipv4:
if global_ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
try:
requests.head("http://" + global_ipv4, timeout=5)
except requests.exceptions.Timeout:
@ -147,7 +148,7 @@ class MyDiagnoser(Diagnoser):
if all(
results[ipversion][domain]["status"] == "ok" for ipversion in ipversions
):
if 4 in ipversions:
if 4 in ipversions and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
self.do_hairpinning_test = True
yield dict(
meta={"domain": domain},
@ -185,7 +186,7 @@ class MyDiagnoser(Diagnoser):
)
AAAA_status = dnsrecords.get("data", {}).get("AAAA:@")
return AAAA_status in ["OK", "WRONG"]
return AAAA_status in ["OK", "WRONG"] or settings_get("misc.network.dns_exposure") in ["both", "ipv6"]
if failed == 4 or ipv6_is_important_for_this_domain():
yield dict(

5
src/diagnosers/24-mail.py
View file

@ -31,6 +31,7 @@ from yunohost.diagnosis import Diagnoser
from yunohost.domain import _get_maindomain, domain_list
from yunohost.settings import settings_get
from yunohost.utils.dns import dig
from yunohost.settings import settings_get
DEFAULT_DNS_BLACKLIST = "/usr/share/yunohost/dnsbl_list.yml"
@ -301,13 +302,13 @@ class MyDiagnoser(Diagnoser):
outgoing_ipversions = []
outgoing_ips = []
ipv4 = Diagnoser.get_cached_report("ip", {"test": "ipv4"}) or {}
if ipv4.get("status") == "SUCCESS":
if ipv4.get("status") == "SUCCESS" and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
outgoing_ipversions.append(4)
global_ipv4 = ipv4.get("data", {}).get("global", {})
if global_ipv4:
outgoing_ips.append(global_ipv4)
if settings_get("email.smtp.smtp_allow_ipv6"):
if settings_get("email.smtp.smtp_allow_ipv6") or settings_get("misc.network.dns_exposure") in ["both", "ipv6"]:
ipv6 = Diagnoser.get_cached_report("ip", {"test": "ipv6"}) or {}
if ipv6.get("status") == "SUCCESS":
outgoing_ipversions.append(6)

5
src/dns.py
View file

@ -38,6 +38,7 @@ from yunohost.domain import (
from yunohost.utils.dns import dig, is_yunohost_dyndns_domain, is_special_use_tld
from yunohost.utils.error import YunohostValidationError, YunohostError
from yunohost.utils.network import get_public_ip
from yunohost.settings import settings_get
from yunohost.log import is_unit_operation
from yunohost.hook import hook_callback
@ -185,7 +186,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False):
###########################
# Basic ipv4/ipv6 records #
###########################
if ipv4:
if ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
basic.append([basename, ttl, "A", ipv4])
if ipv6:
@ -240,7 +241,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False):
# Only recommend wildcard and CAA for the top level
if domain == base_domain:
if ipv4:
if ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
extra.append([f"*{suffix}", ttl, "A", ipv4])
if ipv6: