yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-10-13 08:25:06 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions
yggdrasil-go/src/webui/README.md
Andy Oknen a984fba30d Add brute force protection to authentication system 
- Implemented IP-based blocking after 3 failed login attempts, with a 1-minute lockout period.
- Enhanced login handler to check for blocked IPs and record failed attempts.
- Added tests for brute force protection and successful login clearing failed attempts.
- Updated README and example configuration to document new security features.
2025-07-30 09:19:05 +00:00

115 lines
No EOL
2.8 KiB
Markdown
Raw Blame History

# WebUI Module
This module provides a web interface for managing Yggdrasil node through a browser.
## Features
- ✅ HTTP web server with static files
- ✅ Health check endpoint (`/health`)
- ✅ Development and production build modes
- ✅ Custom session-based authentication
- ✅ Beautiful login page (password-only)
-**Brute force protection** with IP blocking
- ✅ Session management with automatic cleanup
- ✅ IPv4 and IPv6 support
- ✅ Path traversal attack protection
## Configuration
In the Yggdrasil configuration file:
```json
{
"WebUI": {
"Enable": true,
"Port": 9000,
"Host": "",
"Password": "your_secure_password"
}
}
```
### Configuration parameters:
- **`Enable`** - enable/disable WebUI
- **`Port`** - port for web interface (default 9000)
- **`Host`** - IP address to bind to (empty means all interfaces)
- **`Password`** - password for accessing the web interface (optional, if empty no authentication required)
## Usage
### Without password authentication
```go
server := webui.Server("127.0.0.1:9000", "", logger)
```
### With password authentication
```go
server := webui.Server("127.0.0.1:9000", "your_password", logger)
```
### Starting the server
```go
go func() {
if err := server.Start(); err != nil {
logger.Errorf("WebUI server error: %v", err)
}
}()
// To stop
server.Stop()
```
## Endpoints
- **`/`** - main page (index.html) - requires authentication if password is set
- **`/login.html`** - custom login page (only password required)
- **`/auth/login`** - POST endpoint for authentication
- **`/auth/logout`** - logout endpoint (clears session)
- **`/health`** - health check (returns "OK") - no authentication required
- **`/static/*`** - static files (CSS, JS, images) - requires authentication if password is set
## Build modes
### Development mode (`-tags debug`)
- Files loaded from disk from `src/webui/static/`
- File changes available without rebuild
### Production mode (default)
- Files embedded in binary
- Faster loading, smaller deployment size
## Security
- Path traversal attack protection
- Configured HTTP timeouts
- Header size limits
- File MIME type validation
- Custom session-based authentication (password protection)
- HttpOnly and Secure cookies
- Session expiration (24 hours)
- **Brute force protection**: IP blocking after 3 failed attempts
- **Temporary lockout**: 1-minute timeout for blocked IPs
- Automatic cleanup of expired blocks and sessions
- Real IP detection (supports X-Forwarded-For, X-Real-IP headers)
- Health check endpoint always accessible without authentication
## Testing
The module includes a comprehensive test suite:
```bash
cd src/webui
go test -v
```
Tests cover:
- Server creation and management
- HTTP endpoints
- Static files (dev and prod modes)
- Error handling
- Configuration
- Yggdrasil IPv6 binding
Reference in a new issue View git blame Copy permalink