10 лет назад · 9603dce469
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -121,6 +121,9 @@ cookie_remember_name = grafana_remember
 
				 # disable gravatar profile images
			
 
				 disable_gravatar = false
			
 
				 
			
 
				+# data source proxy whitelist (ip_or_domain:port seperated by spaces)
			
 
				+data_source_proxy_whitelist =
			
 
				+
			
 
				 #################################### Users ####################################
			
 
				 [users]
			
 
				 # disable user signup / registration
			
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -3,7 +3,7 @@
 
				 # Everything has defaults so you only need to uncomment things you want to
			
 
				 # change
			
 
				 
			
 
				-# possible values : production, development    
			
 
				+# possible values : production, development
			
 
				 ; app_mode = production
			
 
				 
			
 
				 #################################### Paths ####################################
			
@@ -117,6 +117,9 @@
 
				 # disable gravatar profile images
			
 
				 ;disable_gravatar = false
			
 
				 
			
 
				+# data source proxy whitelist (ip_or_domain:port seperated by spaces)
			
 
				+;data_source_proxy_whitelist =
			
 
				+
			
 
				 #################################### Users ####################################
			
 
				 [users]
			
 
				 # disable user signup / registration
			
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@@ -11,6 +11,7 @@ import (
 
				 	"github.com/grafana/grafana/pkg/bus"
			
 
				 	"github.com/grafana/grafana/pkg/middleware"
			
 
				 	m "github.com/grafana/grafana/pkg/models"
			
 
				+	"github.com/grafana/grafana/pkg/setting"
			
 
				 	"github.com/grafana/grafana/pkg/util"
			
 
				 )
			
 
				 
			
@@ -24,30 +25,28 @@ var dataProxyTransport = &http.Transport{
 
				 	TLSHandshakeTimeout: 10 * time.Second,
			
 
				 }
			
 
				 
			
 
				-func NewReverseProxy(ds *m.DataSource, proxyPath string) *httputil.ReverseProxy {
			
 
				-	target, _ := url.Parse(ds.Url)
			
 
				-
			
 
				+func NewReverseProxy(ds *m.DataSource, proxyPath string, targetUrl *url.URL) *httputil.ReverseProxy {
			
 
				 	director := func(req *http.Request) {
			
 
				-		req.URL.Scheme = target.Scheme
			
 
				-		req.URL.Host = target.Host
			
 
				-		req.Host = target.Host
			
 
				+		req.URL.Scheme = targetUrl.Scheme
			
 
				+		req.URL.Host = targetUrl.Host
			
 
				+		req.Host = targetUrl.Host
			
 
				 
			
 
				 		reqQueryVals := req.URL.Query()
			
 
				 
			
 
				 		if ds.Type == m.DS_INFLUXDB_08 {
			
 
				-			req.URL.Path = util.JoinUrlFragments(target.Path, "db/"+ds.Database+"/"+proxyPath)
			
 
				+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, "db/"+ds.Database+"/"+proxyPath)
			
 
				 			reqQueryVals.Add("u", ds.User)
			
 
				 			reqQueryVals.Add("p", ds.Password)
			
 
				 			req.URL.RawQuery = reqQueryVals.Encode()
			
 
				 		} else if ds.Type == m.DS_INFLUXDB {
			
 
				-			req.URL.Path = util.JoinUrlFragments(target.Path, proxyPath)
			
 
				+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
			
 
				 			reqQueryVals.Add("db", ds.Database)
			
 
				 			req.URL.RawQuery = reqQueryVals.Encode()
			
 
				 			if !ds.BasicAuth {
			
 
				 				req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.User, ds.Password))
			
 
				 			}
			
 
				 		} else {
			
 
				-			req.URL.Path = util.JoinUrlFragments(target.Path, proxyPath)
			
 
				+			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
			
 
				 		}
			
 
				 
			
 
				 		if ds.BasicAuth {
			
@@ -72,11 +71,20 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 
				 		return
			
 
				 	}
			
 
				 
			
 
				+	ds := query.Result
			
 
				+	targetUrl, _ := url.Parse(ds.Url)
			
 
				+	if len(setting.DataProxyWhiteList) > 0 {
			
 
				+		if _, exists := setting.DataProxyWhiteList[targetUrl.Host]; !exists {
			
 
				+			c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)
			
 
				+			return
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				 	if query.Result.Type == m.DS_CLOUDWATCH {
			
 
				 		ProxyCloudWatchDataSourceRequest(c)
			
 
				 	} else {
			
 
				 		proxyPath := c.Params("*")
			
 
				-		proxy := NewReverseProxy(&query.Result, proxyPath)
			
 
				+		proxy := NewReverseProxy(&ds, proxyPath, targetUrl)
			
 
				 		proxy.Transport = dataProxyTransport
			
 
				 		proxy.ServeHTTP(c.RW(), c.Req.Request)
			
 
				 	}
			
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -73,6 +73,7 @@ var (
 
				 	CookieRememberName    string
			
 
				 	DisableGravatar       bool
			
 
				 	EmailCodeValidMinutes int
			
 
				+	DataProxyWhiteList    map[string]bool
			
 
				 
			
 
				 	// User settings
			
 
				 	AllowUserSignUp    bool
			
@@ -378,6 +379,7 @@ func NewConfigContext(args *CommandLineArgs) {
 
				 	EnableGzip = server.Key("enable_gzip").MustBool(false)
			
 
				 	EnforceDomain = server.Key("enforce_domain").MustBool(false)
			
 
				 
			
 
				+	// read security settings
			
 
				 	security := Cfg.Section("security")
			
 
				 	SecretKey = security.Key("secret_key").String()
			
 
				 	LogInRememberDays = security.Key("login_remember_days").MustInt()
			
@@ -385,6 +387,12 @@ func NewConfigContext(args *CommandLineArgs) {
 
				 	CookieRememberName = security.Key("cookie_remember_name").String()
			
 
				 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)
			
 
				 
			
 
				+	//  read data source proxy white list
			
 
				+	DataProxyWhiteList = make(map[string]bool)
			
 
				+	for _, hostAndIp := range security.Key("data_source_proxy_whitelist").Strings(" ") {
			
 
				+		DataProxyWhiteList[hostAndIp] = true
			
 
				+	}
			
 
				+
			
 
				 	// admin
			
 
				 	AdminUser = security.Key("admin_user").String()
			
 
				 	AdminPassword = security.Key("admin_password").String()