feat(userspace/falco): implement configuration of webserver listening

address Currently the webserver is listening on the hard coded 0.0.0.0. This patch keeps this default but allows the administrator to change it. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-25 20:30:47 +00:00 · 2023-10-21 22:39:24 +02:00
parent f5985720f1
commit 91a9717779
6 changed files with 24 additions and 3 deletions
--- a/falco.yaml
+++ b/falco.yaml
@@ -492,6 +492,8 @@ webserver:
  # the appropriate number of threads based on the number of online cores in the system.
  threadiness: 0
  listen_port: 8765
+  # IPV4 only is supported
+  listen_address: 0.0.0.0
  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem
--- a/userspace/falco/app/actions/start_webserver.cpp
+++ b/userspace/falco/app/actions/start_webserver.cpp
@@ -38,7 +38,9 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 		std::string ssl_option = (s.config->m_webserver_ssl_enabled ? " (SSL)" : "");
 		falco_logger::log(LOG_INFO, "Starting health webserver with threadiness "
 			+ std::to_string(s.config->m_webserver_threadiness)
-			+ ", listening on port "
+			+ ", listening on "
+			+ s.config->m_webserver_listen_address
+			+ ":"
 			+ std::to_string(s.config->m_webserver_listen_port)
 			+ ssl_option + "\n");

@@ -46,6 +48,7 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 			s.offline_inspector,
 			s.config->m_webserver_threadiness,
 			s.config->m_webserver_listen_port, 
+			s.config->m_webserver_listen_address,
 			s.config->m_webserver_k8s_healthz_endpoint,
 			s.config->m_webserver_ssl_certificate, 
 			s.config->m_webserver_ssl_enabled);
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -31,6 +31,12 @@ limitations under the License.
 #include "configuration.h"
 #include "logger.h"

+#include <re2/re2.h>
+
+// Reference: https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
+static re2::RE2 ipv4_address_re("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
+
+
 falco_configuration::falco_configuration():
 	m_json_output(false),
 	m_json_include_output_property(true),
@@ -46,6 +52,7 @@ falco_configuration::falco_configuration():
 	m_webserver_enabled(false),
 	m_webserver_threadiness(0),
 	m_webserver_listen_port(8765),
+	m_webserver_listen_address("0.0.0.0"),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_syscall_evt_drop_threshold(.1),
@@ -285,6 +292,12 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	m_webserver_enabled = config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_threadiness = config.get_scalar<uint32_t>("webserver.threadiness", 0);
 	m_webserver_listen_port = config.get_scalar<uint32_t>("webserver.listen_port", 8765);
+	m_webserver_listen_address = config.get_scalar<std::string>("webserver.listen_address", "0.0.0.0");
+	if(!re2::RE2::FullMatch(m_webserver_listen_address, ipv4_address_re))
+	{
+		throw std::logic_error("Error reading config file (" + config_name + "): webserver listen address \"" + m_webserver_listen_address + "\" is not a valid IP address");
+	}
+
 	m_webserver_k8s_healthz_endpoint = config.get_scalar<std::string>("webserver.k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = config.get_scalar<bool>("webserver.ssl_enabled", false);
 	m_webserver_ssl_certificate = config.get_scalar<std::string>("webserver.ssl_certificate", "/etc/falco/falco.pem");
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -85,6 +85,7 @@ public:
 	bool m_webserver_enabled;
 	uint32_t m_webserver_threadiness;
 	uint32_t m_webserver_listen_port;
+	std::string m_webserver_listen_address;
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -29,6 +29,7 @@ void falco_webserver::start(
        const std::shared_ptr<sinsp>& inspector,
        uint32_t threadiness,
        uint32_t listen_port,
+        std::string& listen_address,
        std::string& healthz_endpoint,
        std::string &ssl_certificate,
        bool ssl_enabled)
@@ -77,11 +78,11 @@ void falco_webserver::start(

    std::atomic<bool> failed;
    failed.store(false, std::memory_order_release);
-    m_server_thread = std::thread([this, listen_port, &failed]
+    m_server_thread = std::thread([this, listen_address, listen_port, &failed]
    {
        try
        {
-            this->m_server->listen("0.0.0.0", listen_port);
+            this->m_server->listen(listen_address, listen_port);
        }
        catch(std::exception &e)
        {
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -37,6 +37,7 @@ public:
 		const std::shared_ptr<sinsp>& inspector,
 		uint32_t threadiness,
 		uint32_t listen_port,
+		std::string& list_address,
 		std::string& healthz_endpoint,
 		std::string &ssl_certificate,
 		bool ssl_enabled);