diff options
| author | Claude <noreply@anthropic.com> | 2026-05-26 21:08:25 +0000 |
|---|---|---|
| committer | Claude <noreply@anthropic.com> | 2026-05-26 21:08:25 +0000 |
| commit | b9d73497efe7c28800040b3e421bfb4cb6af6092 (patch) | |
| tree | 15084a4695c959d19aecdf64d94d0471e62605b2 /internal/config/bind.go | |
| parent | ab4b364954af08fa602388495ca425eaef0abf74 (diff) | |
feat(config,cli): loopback-default binding with fail-loud on external (Phase 7)
The server now defaults to binding 127.0.0.1 and refuses to bind a non-loopback
address (:8484, 0.0.0.0, a LAN IP, …) unless external_bind_allowed = true is set
in config — failing loud at startup instead of silently exposing itself.
External access is expected to go through a reverse proxy (Tailscale / Cloudflare
Access / Caddy), per the locked auth model.
- config: ExternalBindAllowed flag + ValidateBindAddr/isLoopbackHost (tested
across loopback, all-interfaces, LAN, and override cases).
- cli: --addr default is now 127.0.0.1:8484; serve() validates before binding.
Per-client bearer rotation stays deferred (single shared token for now).
https://claude.ai/code/session_01SESwn7kQ7oP62trWw6pc39
Diffstat (limited to 'internal/config/bind.go')
| -rw-r--r-- | internal/config/bind.go | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/internal/config/bind.go b/internal/config/bind.go new file mode 100644 index 0000000..f117385 --- /dev/null +++ b/internal/config/bind.go @@ -0,0 +1,44 @@ +package config + +import ( + "fmt" + "net" +) + +// ValidateBindAddr enforces loopback-by-default binding. It returns an error +// when addr resolves to a non-loopback interface and externalAllowed is false, +// so the server fails loud rather than silently exposing itself. Loopback +// addresses (127.0.0.1, ::1, localhost) always pass. +func ValidateBindAddr(addr string, externalAllowed bool) error { + host, _, err := net.SplitHostPort(addr) + if err != nil { + // No port (or malformed): treat the whole string as the host. + host = addr + } + if isLoopbackHost(host) { + return nil + } + if externalAllowed { + return nil + } + return fmt.Errorf( + "refusing to bind non-loopback address %q: set external_bind_allowed = true to override, "+ + "but prefer fronting external access with a reverse proxy (Tailscale / Cloudflare Access / Caddy)", + addr, + ) +} + +// isLoopbackHost reports whether host is a loopback target. An empty host +// (e.g. ":8484") or 0.0.0.0/:: binds all interfaces and is NOT loopback. +func isLoopbackHost(host string) bool { + switch host { + case "localhost": + return true + case "": + return false + } + if ip := net.ParseIP(host); ip != nil { + return ip.IsLoopback() + } + return false +} |
