@@ -42,21 +42,24 @@ flowchart LR
4242Each steps needs to be ran on either your firewalla device or your Kubernetes cluster. The headers tell you where you should run it.
4343
4444``` diff
45- - Very Important Notice
46- - This project is meant to run on a secure local network.
47- - DO NOT expose the firewalla side of this project to the internet. (default port 8888)
48- - At the moment there is no http authorization in place for its API.
49- - Which means anyone with access to your firewalla will be able to create/manage/delete dns records.
50- - If you port forward the service port, anyone on the internet will be able to do the same.
45+ + Security Notice
46+ + This project uses JWT authentication with a shared secret between the webhook proxy
47+ + and the Firewalla provider. Ensure your SHARED_SECRET is strong and kept secure.
48+ + Only expose the webhook proxy to trusted networks within your Kubernetes cluster.
5149```
5250
53- ### 1. Install the Webhook Provider (Firewalla)
51+ ### 1. Install the Webhook Provider (Firewalla)
5452
5553SSH into your Firewalla as the ` pi ` user and run:
5654
57- #### Set your domain filter
55+ #### Set your domain filter and shared secret
5856``` bash
57+ # Set your domain filter
5958echo " home.local,*.home.local" > /tmp/external-dns-domain-filter
59+
60+ # Generate and set a secure shared secret (same secret must be used in Kubernetes)
61+ openssl rand -hex 32 > /tmp/external-dns-shared-secret
62+ # Or manually set: echo "your-secure-random-secret-here" > /tmp/external-dns-shared-secret
6063````
6164# ### Install the provider
6265` ` ` bash
@@ -76,16 +79,18 @@ provider:
7679 repository: ghcr.io/theoutdoorprogrammer/external-dns-firewalla-webhook
7780 tag: 1.0.0
7881 env:
79- - name: FIREWALLA_HOST
80- value: " 192.168.229.1"
81- - name: FIREWALLA_PROVIDER_PORT
82- value: " 8888"
83- - name: FIREWALLA_HEALTH_PORT
84- value: " 8080"
85- - name: WEBHOOK_PORT
86- value: " 8888"
87- - name: METRICS_PORT
88- value: " 8080"
82+ - name: FIREWALLA_HOST
83+ value: " 192.168.229.1"
84+ - name: FIREWALLA_PROVIDER_PORT
85+ value: " 8888"
86+ - name: FIREWALLA_HEALTH_PORT
87+ value: " 8080"
88+ - name: WEBHOOK_PORT
89+ value: " 8888"
90+ - name: METRICS_PORT
91+ value: " 8080"
92+ - name: SHARED_SECRET
93+ value: " your-secure-shared-secret-here" # Must match Firewalla shared secret
8994 livenessProbe:
9095 httpGet:
9196 path: /health
@@ -150,6 +155,7 @@ Configure via `/opt/external-dns-firewalla-webhook/.env`:
150155
151156` ` ` bash
152157DOMAIN_FILTER=home.local,* .home.local
158+ SHARED_SECRET=your-secure-shared-secret-here
153159PORT_PROVIDER=8888
154160PORT_HEALTH=8080
155161DNS_TTL=300
@@ -168,6 +174,7 @@ Environment variables for the sidecar container:
168174- ` FIREWALLA_HEALTH_PORT` : Health check port on Firewalla (default: 8080)
169175- ` WEBHOOK_PORT` : Port for webhook proxy to listen on (default: 8888)
170176- ` METRICS_PORT` : Port for health/metrics endpoints (default: 8080)
177+ - ` SHARED_SECRET` : Shared secret for JWT authentication (must match Firewalla provider)
171178
172179# # Supported Record Types
173180
0 commit comments