Implements comprehensive node validation system to prevent SSRF attacks
via the temperature proxy. Addresses critical vulnerability where proxy
would SSH to any hostname/IP passing format validation.
Features:
- Configurable allowed_nodes list (hostnames, IPs, CIDR ranges)
- Automatic Proxmox cluster membership validation
- 5-minute cluster membership cache to reduce pvecm overhead
- strict_node_validation option for strict vs permissive modes
- New metric: pulse_proxy_node_validation_failures_total{node,reason}
- Logs blocked attempts at WARN level with 'potential SSRF attempt'
Configuration:
- allowed_nodes: [] (empty = auto-discover from cluster)
- strict_node_validation: true (require cluster membership)
Default behavior: with an empty allowlist on a Proxmox host, targets are validated
against the cluster's members (secure by default, backwards compatible).
Related to security audit 2025-11-07.
Co-authored-by: Codex <codex@openai.com>
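# Pulse Sensor Proxy Configuration
#
# This file is optional. If not provided, the proxy will use sensible defaults.
# Every key below is shown with an example value; omit a key to keep its default.

# Network Configuration
# Specify which networks are allowed to connect to the proxy.
# If not specified, the proxy will auto-detect host IP addresses.
# Keep this list as narrow as possible: it is the first filter applied to a peer.
allowed_source_subnets:
  - "127.0.0.1/32"    # Localhost
  - "192.168.0.0/24"  # Local network

# Peer Authorization
# Specify which UIDs/GIDs are allowed to connect.
# A peer is authorized when its UID OR GID matches one of these entries.
# Required when running Pulse in a container (use mapped UID/GID from container).
allowed_peer_uids: [100999]  # Legacy format; grants all capabilities unless overridden below
allowed_peer_gids: [100996]

# Preferred format with explicit capabilities (read, write, admin).
# An entry here overrides the legacy all-capabilities grant for the same UID,
# so list every container peer with the smallest capability set it needs.
allowed_peers:
  - uid: 0
    capabilities: [read, write, admin]  # Host root retains full control
  - uid: 100999
    capabilities: [read]  # Container peer limited to read-only RPCs

# SSH host key verification for the nodes the proxy fetches temperatures from.
# When false, the proxy can fall back to ssh-keyscan, which accepts whatever key
# the node presents on first contact (trust on first use). On Proxmox hosts,
# prefer true so only host keys already known to the cluster are accepted.
require_proxmox_hostkeys: false  # Enforce Proxmox-known host keys before falling back to ssh-keyscan

# Node Validation (SSRF protection)
# The proxy only opens SSH sessions to nodes that pass this check; blocked
# attempts are logged at WARN level ("potential SSRF attempt") and counted in
# the pulse_proxy_node_validation_failures_total{node,reason} metric.
# Defaults are shown; uncomment a key to change it.
# allowed_nodes: []             # Hostnames, IPs or CIDR ranges; empty = auto-discover from the Proxmox cluster
# strict_node_validation: true  # true = require cluster membership; false = permissive mode

# ID-Mapped Root Authentication
# Allow connections from ID-mapped root users (for LXC containers).
# Only the user names listed in allowed_idmap_users are accepted.
allow_idmapped_root: true
allowed_idmap_users:
  - root

# Metrics Server
# Address for the Prometheus metrics endpoint. Keep it bound to loopback unless
# the scraper is on another host; the endpoint also exposes the node validation
# failure counter above.
metrics_address: "127.0.0.1:9127"

# Limit SSH output size (bytes) when fetching temperatures.
# Bounds the memory a single node can make the proxy buffer.
max_ssh_output_bytes: 1048576  # 1 MiB

# Rate Limiting (Optional)
# Control how frequently peers can make requests to prevent abuse.
# Adjust these values based on your deployment size:
# - Small (1-3 nodes): Use defaults (1000ms, burst 5)
# - Medium (4-10 nodes): 500ms, burst 10
# - Large (10-20 nodes): 250ms, burst 20
# - Very Large (30+ nodes): 100ms, burst 30-50
#
# Formula: To poll all nodes in one cycle, set burst >= node_count
# For optimal performance: per_peer_interval_ms = (polling_interval_ms / node_count)
# Example: 10 second polling with 30 nodes = 10000ms / 30 ≈ 300ms interval
rate_limit:
  per_peer_interval_ms: 1000  # Minimum milliseconds between requests per peer (1000ms = 1 qps = 60 requests/min)
  per_peer_burst: 5  # Number of requests allowed in a burst (supports up to 5 simultaneous requests)

# Default values if not specified:
# per_peer_interval_ms: 1000 (1 second = 1 qps = 60 requests/min)
# per_peer_burst: 5
#
# Security note: Lower intervals increase throughput but also increase exposure
# to potential abuse. For production, keep interval >= 100ms unless necessary.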