Changes to limit debug functionality and add http -> https redirect..

data.go

@@ -81,6 +81,9 @@ type Configuration struct {
 
 	ZapLogger string `json:"zap_logger"` // define zap logger usage
 
+	// debug server info
+	DebugAllowedIPs []string `json:"debug_allowed_ips"` // list of allowed IPs to view debug/profile info
+
 	// Monit pieces
 	MonitType         string `json:"monit_type"`         // monit record type
 	MonitProducer     string `json:"monit_producer"`     // monit record producer

oauth.go

@@ -670,6 +670,9 @@ func oauthProxyServer() {
 
 	// the callback authentication handler
 	http.HandleFunc(fmt.Sprintf("%s/callback", Config.Base), oauthCallbackHandler)
+
+	// Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+	http.HandleFunc("/debug/", debugHandler)
 
 	// the request handler
 	http.HandleFunc("/", oauthRequestHandler)

server.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto/tls"
+        "fmt"
 	"log"
 	"net/http"
 	"time"
@@ -26,6 +27,13 @@ var NumLogicalCores int
 // CMSAuth structure to create CMS Auth headers
 var CMSAuth cmsauth.CMSAuth
 
+// redirectToHTTPS will redirect all HTTP requests to HTTPS
+func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
+	httpsURL := fmt.Sprintf("https://%s%s", r.Host, r.URL.RequestURI())
+	log.Printf("redirect %s to https\n", r.URL.String())
+	http.Redirect(w, r, httpsURL, http.StatusMovedPermanently)
+}
+
 // Server starts APS server
 func Server(config string, port, metricsPort int, logFile string, useX509, scitokens, rules bool) {
 	err := parseConfig(config)
@@ -124,6 +132,20 @@ func Server(config string, port, metricsPort int, logFile string, useX509, scito
 		Config.CollectorPassword,
 		httpClient)
 
+	// start HTTP server for redirecting http requests to https end-point
+	go func() {
+		httpServer := &http.Server{
+			Addr:    ":80", // HTTP on port 80
+			Handler: http.HandlerFunc(redirectToHTTPS),
+		}
+
+		log.Println("HTTP to HTTPS redirect server is running on port 80...")
+		err := httpServer.ListenAndServe()
+		if err != nil {
+			log.Println("Error starting HTTP server:", err)
+		}
+	}()
+
 	// start our servers
 	if useX509 {
 		if Config.CricURL != "" || Config.CricFile != "" {

utils.go

@@ -14,6 +14,7 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
+        "net"
 	"net/http"
 	"net/url"
 	"os"
@@ -647,3 +648,28 @@ func SetReferrer(r *http.Request) {
 	r.Header.Set("Referer", ref)
 	r.Header.Set("Referrer", ref)
 }
+
+// Checks if the remote IP is in the allowed range
+func isAllowedIP(r *http.Request) bool {
+	// Extract the remote IP from the request (format could be IP:port)
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		log.Printf("Error parsing RemoteAddr: %v\n", err)
+		return false
+	}
+
+	// check if IP is allowed to view debug info
+	return InList(ip, Config.DebugAllowedIPs)
+}
+
+// Middleware to restrict pprof and expvar to allowed IPs
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+	if !isAllowedIP(r) {
+		http.Error(w, "403 Forbidden", http.StatusForbidden)
+		return
+	}
+
+	// Serve the original debug endpoint if the IP is allowed
+	http.DefaultServeMux.ServeHTTP(w, r)
+}
+

x509.go

@@ -124,6 +124,9 @@ func x509ProxyServer() {
 	// the server settings handler
 	http.HandleFunc(fmt.Sprintf("%s/server", Config.Base), settingsHandler)
 
+	// Only expose debug endpoints (pprof, expvar) if the client IP is allowed
+	http.HandleFunc("/debug/", debugHandler)
+
 	// the request handler
 	http.HandleFunc("/", x509RequestHandler)