Skip to content

Commit 59f8566

Browse files
feat: auth
1 parent 4ea80ff commit 59f8566

144 files changed

Lines changed: 9574 additions & 34 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.env.example

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,11 @@
44
# Example: example.com,*.example.com,test.local
55
DOMAIN_FILTER=example.com
66

7+
# Required: Shared secret for JWT authentication between proxy and webhook provider
8+
# This must match the SHARED_SECRET in the proxy configuration
9+
# Generate a secure random string: openssl rand -hex 32
10+
SHARED_SECRET=your-secure-random-secret-here
11+
712
# Optional: Provider API port (default: 8888)
813
PORT_PROVIDER=8888
914

Dockerfile

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,12 @@ LABEL org.opencontainers.image.licenses="MIT"
1010
# Create app directory
1111
WORKDIR /app
1212

13-
# Copy proxy script
13+
# Copy proxy script and package files
1414
COPY webhook-proxy/proxy.js .
15+
COPY package*.json ./
16+
17+
# Install dependencies
18+
RUN npm ci --only=production
1519

1620
# Create non-root user (use existing node user from base image)
1721
RUN chown -R node:node /app

README.md

Lines changed: 25 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -42,21 +42,24 @@ flowchart LR
4242
Each steps needs to be ran on either your firewalla device or your Kubernetes cluster. The headers tell you where you should run it.
4343

4444
```diff
45-
- Very Important Notice
46-
- This project is meant to run on a secure local network.
47-
- DO NOT expose the firewalla side of this project to the internet. (default port 8888)
48-
- At the moment there is no http authorization in place for its API.
49-
- Which means anyone with access to your firewalla will be able to create/manage/delete dns records.
50-
- If you port forward the service port, anyone on the internet will be able to do the same.
45+
+ Security Notice
46+
+ This project uses JWT authentication with a shared secret between the webhook proxy
47+
+ and the Firewalla provider. Ensure your SHARED_SECRET is strong and kept secure.
48+
+ Only expose the webhook proxy to trusted networks within your Kubernetes cluster.
5149
```
5250

53-
### 1. Install the Webhook Provider (Firewalla)
51+
### 1. Install the Webhook Provider (Firewalla)
5452

5553
SSH into your Firewalla as the `pi` user and run:
5654

57-
#### Set your domain filter
55+
#### Set your domain filter and shared secret
5856
```bash
57+
# Set your domain filter
5958
echo "home.local,*.home.local" > /tmp/external-dns-domain-filter
59+
60+
# Generate and set a secure shared secret (same secret must be used in Kubernetes)
61+
openssl rand -hex 32 > /tmp/external-dns-shared-secret
62+
# Or manually set: echo "your-secure-random-secret-here" > /tmp/external-dns-shared-secret
6063
````
6164
#### Install the provider
6265
```bash
@@ -76,16 +79,18 @@ provider:
7679
repository: ghcr.io/theoutdoorprogrammer/external-dns-firewalla-webhook
7780
tag: 1.0.0
7881
env:
79-
- name: FIREWALLA_HOST
80-
value: "192.168.229.1"
81-
- name: FIREWALLA_PROVIDER_PORT
82-
value: "8888"
83-
- name: FIREWALLA_HEALTH_PORT
84-
value: "8080"
85-
- name: WEBHOOK_PORT
86-
value: "8888"
87-
- name: METRICS_PORT
88-
value: "8080"
82+
- name: FIREWALLA_HOST
83+
value: "192.168.229.1"
84+
- name: FIREWALLA_PROVIDER_PORT
85+
value: "8888"
86+
- name: FIREWALLA_HEALTH_PORT
87+
value: "8080"
88+
- name: WEBHOOK_PORT
89+
value: "8888"
90+
- name: METRICS_PORT
91+
value: "8080"
92+
- name: SHARED_SECRET
93+
value: "your-secure-shared-secret-here" # Must match Firewalla shared secret
8994
livenessProbe:
9095
httpGet:
9196
path: /health
@@ -150,6 +155,7 @@ Configure via `/opt/external-dns-firewalla-webhook/.env`:
150155

151156
```bash
152157
DOMAIN_FILTER=home.local,*.home.local
158+
SHARED_SECRET=your-secure-shared-secret-here
153159
PORT_PROVIDER=8888
154160
PORT_HEALTH=8080
155161
DNS_TTL=300
@@ -168,6 +174,7 @@ Environment variables for the sidecar container:
168174
- `FIREWALLA_HEALTH_PORT`: Health check port on Firewalla (default: 8080)
169175
- `WEBHOOK_PORT`: Port for webhook proxy to listen on (default: 8888)
170176
- `METRICS_PORT`: Port for health/metrics endpoints (default: 8080)
177+
- `SHARED_SECRET`: Shared secret for JWT authentication (must match Firewalla provider)
171178

172179
## Supported Record Types
173180

node_modules/.bin/semver

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)