summaryrefslogtreecommitdiff
path: root/internal/config/bind.go
diff options
context:
space:
mode:
authorClaude <noreply@anthropic.com>2026-05-26 21:08:25 +0000
committerClaude <noreply@anthropic.com>2026-05-26 21:08:25 +0000
commitb9d73497efe7c28800040b3e421bfb4cb6af6092 (patch)
tree15084a4695c959d19aecdf64d94d0471e62605b2 /internal/config/bind.go
parentab4b364954af08fa602388495ca425eaef0abf74 (diff)
feat(config,cli): loopback-default binding with fail-loud on external (Phase 7)
The server now defaults to binding 127.0.0.1 and refuses to bind a non-loopback address (:8484, 0.0.0.0, a LAN IP, …) unless external_bind_allowed = true is set in config — failing loud at startup instead of silently exposing itself. External access is expected to go through a reverse proxy (Tailscale / Cloudflare Access / Caddy), per the locked auth model. - config: ExternalBindAllowed flag + ValidateBindAddr/isLoopbackHost (tested across loopback, all-interfaces, LAN, and override cases). - cli: --addr default is now 127.0.0.1:8484; serve() validates before binding. Per-client bearer rotation stays deferred (single shared token for now). https://claude.ai/code/session_01SESwn7kQ7oP62trWw6pc39
Diffstat (limited to 'internal/config/bind.go')
-rw-r--r--internal/config/bind.go44
1 files changed, 44 insertions, 0 deletions
diff --git a/internal/config/bind.go b/internal/config/bind.go
new file mode 100644
index 0000000..f117385
--- /dev/null
+++ b/internal/config/bind.go
@@ -0,0 +1,44 @@
+package config
+
+import (
+ "fmt"
+ "net"
+)
+
+// ValidateBindAddr enforces loopback-by-default binding. It returns an error
+// when addr resolves to a non-loopback interface and externalAllowed is false,
+// so the server fails loud rather than silently exposing itself. Loopback
+// addresses (127.0.0.1, ::1, localhost) always pass.
+func ValidateBindAddr(addr string, externalAllowed bool) error {
+ host, _, err := net.SplitHostPort(addr)
+ if err != nil {
+ // No port (or malformed): treat the whole string as the host.
+ host = addr
+ }
+ if isLoopbackHost(host) {
+ return nil
+ }
+ if externalAllowed {
+ return nil
+ }
+ return fmt.Errorf(
+ "refusing to bind non-loopback address %q: set external_bind_allowed = true to override, "+
+ "but prefer fronting external access with a reverse proxy (Tailscale / Cloudflare Access / Caddy)",
+ addr,
+ )
+}
+
+// isLoopbackHost reports whether host is a loopback target. An empty host
+// (e.g. ":8484") or 0.0.0.0/:: binds all interfaces and is NOT loopback.
+func isLoopbackHost(host string) bool {
+ switch host {
+ case "localhost":
+ return true
+ case "":
+ return false
+ }
+ if ip := net.ParseIP(host); ip != nil {
+ return ip.IsLoopback()
+ }
+ return false
+}