Add Whitelist IP or subnet access to the API when --disable-api-security is set.
FEATURE REQUEST
Description of Request
There have been several requests lately to manage remote instances of siad using siac or other clients in a secure way. Remote access is already possible by passing in the --api-addr string and --disable-api-security flags to siad but this solution lacks security. I propose adding an additional flag that would listen to API requests on a public address, but only respond if the client IP is on a whitelist of authorized IPs or subnets.
For example: Suppose I have a corporate LAN with various types of equipment (desktops, phones, printers, smart TVs, etc). I want the desktops to access Sia for Duplicati backups but nothing else should be able to talk to Sia. I would set the SIA_API_PASSWORD on the desktops and whitelist their IPs on the Sia daemon.
Reason or Need for Feature
The current set of flags either locks down Sia to localhost-only requests or leaves Sia wide open to a potential barrage of unauthorized API requests.
Design / Proposal
Add a --api-whitelist string flag to siad that accepts a comma separated list of IPs or subnets to allow through the API.
Rezant also suggested a more complex solution where different IPs were locked down depending on the modules they were trying to access. So you could specify which IPs could access the wallet, and which have access to the renter, etc.
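
One way the proposed --api-whitelist check could work, as an added example (not Sia's code and not part of the original request). The function names, the 403 response and the sample addresses are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// parseWhitelist parses a comma separated list of IPs or subnets; a bare IP becomes a one-address prefix.
func parseWhitelist(list string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, item := range strings.FieldsFunc(list, func(r rune) bool { return r == ',' || r == ' ' }) {
		p, err := netip.ParsePrefix(item)
		if addr, aerr := netip.ParseAddr(item); aerr == nil {
			p, err = netip.PrefixFrom(addr, addr.BitLen()), nil
		}
		if err != nil { // one malformed entry rejects the whole list
			return nil, fmt.Errorf("invalid whitelist entry %q", item)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// allowed reports whether the peer address ("ip:port") is whitelisted; unparseable input is denied.
func allowed(wl []netip.Prefix, remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr) // TCP peer, not a client-supplied header like X-Forwarded-For
	for _, p := range wl {
		if err == nil && p.Contains(ap.Addr().Unmap()) { // ::ffff:a.b.c.d is matched as IPv4
			return true
		}
	}
	return false
}

// whitelistHandler returns 403 to non-whitelisted peers before the wrapped API handler runs.
func whitelistHandler(wl []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(wl, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed sample values
	wl, err := parseWhitelist("192.168.1.10, 10.0.0.0/24")
	fmt.Println(err, allowed(wl, "10.0.0.7:51234"), allowed(wl, "172.16.0.9:51234"))
}
```

An empty list parses to an empty whitelist, which denies every peer, so a misconfigured flag fails closed. The check sits in front of the existing API password rather than replacing it.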