Mirror von
https://github.com/PaperMC/Velocity.git
synchronisiert 2024-11-16 21:10:30 +01:00
Add config support for using file as forwarding secret (#712)
* add config support for using file as forwarding secret * deprecate forwarding-secret and change default to forwarding-secret-file * change forwarding-secret-file handling to a versioned system
Dieser Commit ist enthalten in:
Ursprung
e45ca5f357
Commit
da52d09338
@ -422,6 +422,12 @@ public class VelocityConfiguration implements ProxyConfig {
|
||||
throw new RuntimeException("Default configuration file does not exist.");
|
||||
}
|
||||
|
||||
// Create the forwarding-secret file on first-time startup if it doesn't exist
|
||||
Path defaultForwardingSecretPath = Path.of("forwarding.secret");
|
||||
if (!path.toFile().exists() && !defaultForwardingSecretPath.toFile().exists()) {
|
||||
Files.writeString(defaultForwardingSecretPath, generateRandomString(12));
|
||||
}
|
||||
|
||||
boolean mustResave = false;
|
||||
CommentedFileConfig config = CommentedFileConfig.builder(path)
|
||||
.defaultData(defaultConfigLocation)
|
||||
@ -442,14 +448,39 @@ public class VelocityConfiguration implements ProxyConfig {
|
||||
CommentedFileConfig defaultConfig = CommentedFileConfig.of(tmpFile, TomlFormat.instance());
|
||||
defaultConfig.load();
|
||||
|
||||
// Retrieve the forwarding secret. First, from environment variable, then from config.
|
||||
// Whether or not this config is version 1.0 which uses the deprecated "forwarding-secret" parameter
|
||||
boolean legacyConfig = config.getOrElse("config-version", "").equalsIgnoreCase("1.0");
|
||||
|
||||
String forwardingSecretString;
|
||||
byte[] forwardingSecret;
|
||||
String forwardingSecretString = System.getenv()
|
||||
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret"));
|
||||
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) {
|
||||
forwardingSecretString = generateRandomString(12);
|
||||
config.set("forwarding-secret", forwardingSecretString);
|
||||
mustResave = true;
|
||||
|
||||
// Handle the previous (version 1.0) config
|
||||
// There is duplicate/old code here in effort to make the future commit which abandons legacy config handling
|
||||
// easier to implement. All that would be required is removing the if statement here and keeping the contents
|
||||
// of the else block (with slight tidying).
|
||||
if (legacyConfig) {
|
||||
logger.warn("You are currently using a deprecated configuration version. The \"forwarding-secret\""
|
||||
+ " parameter has been recognized as a security concern and has been removed in config version 2.0."
|
||||
+ " It's recommended you rename your current \"velocity.toml\" to something else to allow Velocity"
|
||||
+ " to generate a config file of the new version. You may then configure that file as you normally would."
|
||||
+ " The only differences are the config-version and \"forwarding-secret\" has been replaced"
|
||||
+ " by \"forwarding-secret-file\".");
|
||||
|
||||
// Default legacy handling
|
||||
forwardingSecretString = System.getenv()
|
||||
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret"));
|
||||
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) {
|
||||
forwardingSecretString = generateRandomString(12);
|
||||
config.set("forwarding-secret", forwardingSecretString);
|
||||
mustResave = true;
|
||||
}
|
||||
} else {
|
||||
// New handling
|
||||
forwardingSecretString = System.getenv().getOrDefault("VELOCITY_FORWARDING_SECRET", "");
|
||||
if (forwardingSecretString.isEmpty()) {
|
||||
String forwardSecretFile = config.getOrElse("forwarding-secret-file", "");
|
||||
forwardingSecretString = String.join("", Files.readAllLines(Path.of(forwardSecretFile)));
|
||||
}
|
||||
}
|
||||
forwardingSecret = forwardingSecretString.getBytes(StandardCharsets.UTF_8);
|
||||
|
||||
@ -480,6 +511,14 @@ public class VelocityConfiguration implements ProxyConfig {
|
||||
Boolean kickExisting = config.getOrElse("kick-existing-players", false);
|
||||
Boolean enablePlayerAddressLogging = config.getOrElse("enable-player-address-logging", true);
|
||||
|
||||
// Throw an exception if the forwarding-secret file is empty and the proxy is using a
|
||||
// forwarding mode that requires it.
|
||||
if (forwardingSecret.length == 0
|
||||
&& forwardingMode == PlayerInfoForwarding.MODERN
|
||||
|| forwardingMode == PlayerInfoForwarding.BUNGEEGUARD) {
|
||||
throw new RuntimeException("The forwarding-secret file must not be empty.");
|
||||
}
|
||||
|
||||
return new VelocityConfiguration(
|
||||
bind,
|
||||
motd,
|
||||
|
@ -1,5 +1,5 @@
|
||||
# Config version. Do not change this
|
||||
config-version = "1.0"
|
||||
config-version = "2.0"
|
||||
|
||||
# What port should the proxy be bound to? By default, we'll bind to all addresses on port 25577.
|
||||
bind = "0.0.0.0:25577"
|
||||
@ -36,8 +36,9 @@ prevent-client-proxy-connections = false
|
||||
# Velocity's native forwarding. Only applicable for Minecraft 1.13 or higher.
|
||||
player-info-forwarding-mode = "NONE"
|
||||
|
||||
# If you are using modern or BungeeGuard IP forwarding, configure a unique secret here.
|
||||
forwarding-secret = ""
|
||||
# If you are using modern or BungeeGuard IP forwarding, configure a file that contains a unique secret here.
|
||||
# The file is expected to be UTF-8 encoded and not empty.
|
||||
forwarding-secret-file = "forwarding.secret"
|
||||
|
||||
# Announce whether or not your server supports Forge. If you run a modded server, we
|
||||
# suggest turning this on.
|
||||
@ -151,4 +152,4 @@ port = 25577
|
||||
map = "Velocity"
|
||||
|
||||
# Whether plugins should be shown in query response by default or not
|
||||
show-plugins = false
|
||||
show-plugins = false
|
||||
|
Laden…
In neuem Issue referenzieren
Einen Benutzer sperren