[OpenSIPS-Devel] [OpenSIPS/opensips] ed2c80: httpd: harden MI/HTTP interface with safe default ...

Bogdan Andrei IANCU noreply at github.com
Tue Apr 7 15:49:19 UTC 2026


  Branch: refs/heads/master
  Home:   https://github.com/OpenSIPS/opensips
  Commit: ed2c801d0224272cba5eab4a174308ffd3eb18e7
      https://github.com/OpenSIPS/opensips/commit/ed2c801d0224272cba5eab4a174308ffd3eb18e7
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-03-29 (Sun, 29 Mar 2026)

  Changed paths:
    M modules/httpd/doc/httpd_admin.xml
    M modules/httpd/httpd.c
    M modules/httpd/httpd_proc.c

  Log Message:
  -----------
  httpd: harden MI/HTTP interface with safe default and Basic Auth

Change the default 'ip' modparam from wildcard (0.0.0.0/::) to
127.0.0.1, preventing the management interface from being accidentally
exposed to the network on fresh installations.

Add HTTP Basic Authentication support via three new modparams:
  - auth_realm: the realm string for WWW-Authenticate challenges
  - auth_username: required username for HTTP access
  - auth_password: required password for HTTP access

When both auth_username and auth_password are set, every HTTP
request must present valid Basic Auth credentials.  Requests with
missing or incorrect credentials receive a 401 Unauthorized response.

The authentication check runs once per request (on the first callback
invocation, before allocating per-request state), avoiding redundant
checks on subsequent MHD callbacks and preventing potential resource
leaks during POST processing.

The implementation uses libmicrohttpd's built-in Basic Auth API with
version guards for MHD_free() (available since 0.9.56), falling back
to free() on older versions.

Closes #2939


  Commit: 9efaa7aa113e988790dfa39d1954f561bd79092e
      https://github.com/OpenSIPS/opensips/commit/9efaa7aa113e988790dfa39d1954f561bd79092e
  Author: Bogdan Andrei IANCU <bogdan at opensips.org>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/httpd/doc/httpd_admin.xml
    M modules/httpd/httpd.c
    M modules/httpd/httpd_proc.c

  Log Message:
  -----------
  Merge pull request #3851 from dondetir/feature/mi-http-security-hardening

httpd: harden MI/HTTP interface with safe default and Basic Auth


Compare: https://github.com/OpenSIPS/opensips/compare/89055ff3a2fe...9efaa7aa113e
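
A configuration check that follows from the commit message above, as an added example (not code from the commit or from the OpenSIPS project): it scans an OpenSIPS script for the httpd module and reports when the MI/HTTP listener is reachable beyond loopback without both `auth_username` and `auth_password`. The function name, the finding labels and the sample configs are constructed for illustration. Treating a single configured credential as "auth not enforced" is an assumption drawn from the "when both ... are set" wording.

```python
import re

# modparam("httpd", "<name>", "<string>")  or  modparam("httpd", "<name>", <int>)
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"httpd"\s*,\s*"(\w+)"\s*,\s*(?:"([^"]*)"|([^)\s]+))\s*\)')
LOADMODULE = re.compile(r'^\s*loadmodule\s+"(?:[^"]*/)?httpd\.so"')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_httpd(cfg_text, default_ip="127.0.0.1"):
    """Return findings for the httpd module in an OpenSIPS script.

    default_ip is what the build binds to when 'ip' is unset: 127.0.0.1
    after this commit, the wildcard (pass "0.0.0.0") before it.
    """
    loaded, params = False, {}
    for line in cfg_text.splitlines():
        if line.lstrip().startswith(("#", "//")):   # skip commented-out lines
            continue
        if LOADMODULE.match(line):
            loaded = True
        m = MODPARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if not loaded:
        return []                                   # module not in use
    ip = params.get("ip", default_ip)
    user, pwd = params.get("auth_username"), params.get("auth_password")
    findings = []
    if bool(user) != bool(pwd):
        # Assumption: auth is enforced only when both values are set.
        findings.append("partial-credentials: set both auth_username and auth_password")
    if ip not in LOOPBACK and not (user and pwd):
        findings.append("exposed-no-auth: ip=%s accepts unauthenticated MI requests" % ip)
    return findings

# Constructed sample configs (not taken from any real deployment).
LEGACY_CFG = 'loadmodule "httpd.so"\nmodparam("httpd", "port", 8888)\n'
HARDENED_CFG = '''loadmodule "httpd.so"
modparam("httpd", "ip", "0.0.0.0")
modparam("httpd", "auth_realm", "opensips-mi")
modparam("httpd", "auth_username", "mi-admin")
modparam("httpd", "auth_password", "constructed-sample-secret")
'''
HALF_CFG = ('loadmodule "httpd.so"\nmodparam("httpd", "ip", "0.0.0.0")\n'
            'modparam("httpd", "auth_username", "mi-admin")\n')

if __name__ == "__main__":
    for name, cfg, dflt in [("legacy build", LEGACY_CFG, "0.0.0.0"),
                            ("hardened", HARDENED_CFG, "127.0.0.1"),
                            ("half-configured", HALF_CFG, "127.0.0.1")]:
        print(name, "->", audit_httpd(cfg, default_ip=dflt) or "ok")
```

Basic Auth sends the credentials base64-encoded, not encrypted, so a non-loopback bind still needs transport protection in front of it.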
