feat(security): Add whitelist, better IP extraction

- Whitelist table with default internal IPs/paths prevents self-blocking
- CRUD API for whitelist management (/api/security/whitelist)
- RejectUnknownDomains config drops connections to unconfigured hosts
- Real client IP extracted from CF-Connecting-IP/X-Forwarded-For headers
- Docker gateway auto-whitelisted on startup
- /stats endpoint includes networks and ports counts

Signed-off-by: nfebe <fenn25.fn@gmail.com>

Author: nfebe

internal/api/security_handlers.go

@@ -264,7 +264,84 @@ func (s *Server) unblockIP(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"message": "IP unblocked successfully"})
 }
 
-// getEventsByIP returns all security events for a specific IP
+func (s *Server) listWhitelist(c *gin.Context) {
+	if s.securityManager == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Security module not enabled"})
+		return
+	}
+
+	entries, err := s.securityManager.GetWhitelist()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"whitelist": entries})
+}
+
+func (s *Server) addWhitelistEntry(c *gin.Context) {
+	if s.securityManager == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Security module not enabled"})
+		return
+	}
+
+	var req struct {
+		Value  string `json:"value" binding:"required"`
+		Type   string `json:"type" binding:"required"`
+		Reason string `json:"reason"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if req.Type != "ip" && req.Type != "cidr" && req.Type != "path" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Type must be 'ip', 'cidr', or 'path'"})
+		return
+	}
+
+	id, err := s.securityManager.AddWhitelistEntry(req.Value, req.Type, req.Reason)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"id": id})
+}
+
+func (s *Server) removeWhitelistEntry(c *gin.Context) {
+	if s.securityManager == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Security module not enabled"})
+		return
+	}
+
+	idStr := c.Param("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	if err := s.securityManager.RemoveWhitelistEntry(id); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Entry removed"})
+}
+
+func (s *Server) listWhitelistInternal(c *gin.Context) {
+	token := c.GetHeader("X-Internal-Token")
+	expectedToken := s.config.Security.InternalAPIToken
+
+	if token == "" || token != expectedToken {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid internal token"})
+		return
+	}
+
+	s.listWhitelist(c)
+}
+
 func (s *Server) getEventsByIP(c *gin.Context) {
 	if s.securityManager == nil {
 		c.JSON(http.StatusServiceUnavailable, gin.H{"error": "Security module not enabled"})

internal/api/server.go

@@ -107,6 +107,11 @@ func New(cfg *config.Config, configPath string) *Server {
 			if err := securityManager.InitNginxConfigs(nginxConfigPath); err != nil {
 				log.Printf("Warning: Failed to initialize security nginx configs: %v", err)
 			}
+			// Add Docker gateway IP to whitelist
+			gatewayIP := infraManager.GetDockerHostIP()
+			if err := securityManager.AddDockerGatewayToWhitelist(gatewayIP); err != nil {
+				log.Printf("Warning: Failed to add Docker gateway to whitelist: %v", err)
+			}
 		}
 	}
 
@@ -284,6 +289,9 @@ func (s *Server) setupRoutes() {
 			protected.POST("/security/protected-routes", s.addProtectedRoute)
 			protected.PUT("/security/protected-routes/:id", s.updateProtectedRoute)
 			protected.DELETE("/security/protected-routes/:id", s.deleteProtectedRoute)
+			protected.GET("/security/whitelist", s.listWhitelist)
+			protected.POST("/security/whitelist", s.addWhitelistEntry)
+			protected.DELETE("/security/whitelist/:id", s.removeWhitelistEntry)
 			protected.GET("/security/realtime-capture", s.getRealtimeCaptureStatus)
 			protected.PUT("/security/realtime-capture", s.setRealtimeCaptureStatus)
 			protected.GET("/security/health", s.getSecurityHealth)
@@ -303,8 +311,9 @@ func (s *Server) setupRoutes() {
 		api.POST("/security/events/ingest", s.ingestSecurityEvent)
 		api.POST("/traffic/ingest", s.ingestTrafficLog)
 
-		// Internal nginx endpoint - token-authenticated for blocked IPs
+		// Internal nginx endpoints - token-authenticated
 		api.GET("/_internal/blocked-ips", s.listBlockedIPsInternal)
+		api.GET("/_internal/whitelist", s.listWhitelistInternal)
 	}
 }
 
@@ -1185,12 +1194,13 @@ func (s *Server) getSettings(c *gin.Context) {
 				"subdomain_style": s.config.Domain.SubdomainStyle,
 			},
 			"nginx": gin.H{
-				"enabled":        s.config.Nginx.Enabled,
-				"image":          s.config.Nginx.Image,
-				"container_name": s.config.Nginx.ContainerName,
-				"config_path":    s.config.Nginx.ConfigPath,
-				"reload_command": s.config.Nginx.ReloadCommand,
-				"external":       s.config.Nginx.External,
+				"enabled":                s.config.Nginx.Enabled,
+				"image":                  s.config.Nginx.Image,
+				"container_name":         s.config.Nginx.ContainerName,
+				"config_path":            s.config.Nginx.ConfigPath,
+				"reload_command":         s.config.Nginx.ReloadCommand,
+				"external":               s.config.Nginx.External,
+				"reject_unknown_domains": s.config.Nginx.RejectUnknownDomains,
 			},
 			"certbot": gin.H{
 				"enabled":      s.config.Certbot.Enabled,
@@ -1241,12 +1251,13 @@ func (s *Server) updateSettings(c *gin.Context) {
 			SubdomainStyle string `json:"subdomain_style"`
 		} `json:"domain,omitempty"`
 		Nginx *struct {
-			Enabled       bool   `json:"enabled"`
-			Image         string `json:"image"`
-			ContainerName string `json:"container_name"`
-			ConfigPath    string `json:"config_path"`
-			ReloadCommand string `json:"reload_command"`
-			External      bool   `json:"external"`
+			Enabled              bool   `json:"enabled"`
+			Image                string `json:"image"`
+			ContainerName        string `json:"container_name"`
+			ConfigPath           string `json:"config_path"`
+			ReloadCommand        string `json:"reload_command"`
+			External             bool   `json:"external"`
+			RejectUnknownDomains *bool  `json:"reject_unknown_domains"`
 		} `json:"nginx,omitempty"`
 		Certbot *struct {
 			Enabled     bool   `json:"enabled"`
@@ -1318,6 +1329,9 @@ func (s *Server) updateSettings(c *gin.Context) {
 		if req.Nginx.ReloadCommand != "" {
 			s.config.Nginx.ReloadCommand = req.Nginx.ReloadCommand
 		}
+		if req.Nginx.RejectUnknownDomains != nil {
+			s.config.Nginx.RejectUnknownDomains = *req.Nginx.RejectUnknownDomains
+		}
 	}
 
 	if req.Certbot != nil {
@@ -1426,12 +1440,13 @@ func (s *Server) updateSettings(c *gin.Context) {
 				"subdomain_style": s.config.Domain.SubdomainStyle,
 			},
 			"nginx": gin.H{
-				"enabled":        s.config.Nginx.Enabled,
-				"image":          s.config.Nginx.Image,
-				"container_name": s.config.Nginx.ContainerName,
-				"config_path":    s.config.Nginx.ConfigPath,
-				"reload_command": s.config.Nginx.ReloadCommand,
-				"external":       s.config.Nginx.External,
+				"enabled":                s.config.Nginx.Enabled,
+				"image":                  s.config.Nginx.Image,
+				"container_name":         s.config.Nginx.ContainerName,
+				"config_path":            s.config.Nginx.ConfigPath,
+				"reload_command":         s.config.Nginx.ReloadCommand,
+				"external":               s.config.Nginx.External,
+				"reject_unknown_domains": s.config.Nginx.RejectUnknownDomains,
 			},
 			"certbot": gin.H{
 				"enabled":      s.config.Certbot.Enabled,
@@ -2793,13 +2808,25 @@ func (s *Server) getSystemStats(c *gin.Context) {
 	imageStats, _ := s.networksManager.GetImageStats()
 	volumeStats, _ := s.networksManager.GetVolumeStats()
 
+	var networkCount, portCount int
+	if networks, err := s.networksManager.ListNetworks(); err == nil {
+		networkCount = len(networks)
+	}
+	if containers, err := s.networksManager.ListContainers(); err == nil {
+		for _, container := range containers {
+			portCount += len(container.Ports)
+		}
+	}
+
 	systemStats, _ := system.GetSystemStats()
 
 	c.JSON(http.StatusOK, gin.H{
 		"deployments": stats,
 		"containers":  containerStats,
 		"images":      imageStats,
 		"volumes":     volumeStats,
+		"networks":    gin.H{"total": networkCount},
+		"ports":       gin.H{"total": portCount},
 		"system":      systemStats,
 	})
 }

internal/infra/manager.go

@@ -2,8 +2,15 @@ package infra
 
 import (
 	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
+	"math/big"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -357,7 +364,9 @@ func (m *Manager) SetNginxRealtimeCaptureWithStatus(enabled bool) (map[string]in
 
 	if enabled {
 		// Write nginx.conf with Lua support
-		nginxConf, err := templates.GetNginxConfig(true)
+		nginxConf, err := templates.GetNginxConfigWithData(true, templates.NginxConfigData{
+			RejectUnknownDomains: m.config.Nginx.RejectUnknownDomains,
+		})
 		if err != nil {
 			errors = append(errors, fmt.Sprintf("failed to get nginx lua config template: %v", err))
 		} else {
@@ -414,6 +423,19 @@ func (m *Manager) SetNginxRealtimeCaptureWithStatus(enabled bool) (map[string]in
 			}
 			result["conf_files_written"] = true
 		}
+
+		// Ensure ssl directory exists
+		sslDir := filepath.Join(nginxDir, "ssl")
+		if err := os.MkdirAll(sslDir, 0755); err != nil {
+			errors = append(errors, fmt.Sprintf("failed to create ssl directory: %v", err))
+		}
+
+		// Generate default SSL cert if rejecting unknown domains
+		if m.config.Nginx.RejectUnknownDomains {
+			if err := m.ensureDefaultSSLCert(nginxDir); err != nil {
+				errors = append(errors, fmt.Sprintf("failed to generate default SSL cert: %v", err))
+			}
+		}
 	} else {
 		// Delete nginx.conf - container will use default from image
 		if _, err := os.Stat(confPath); err == nil {
@@ -577,6 +599,77 @@ func (m *Manager) getNginxDir() string {
 	return filepath.Dir(configPath)
 }
 
+func (m *Manager) ensureDefaultSSLCert(nginxDir string) error {
+	sslDir := filepath.Join(nginxDir, "ssl")
+	if err := os.MkdirAll(sslDir, 0755); err != nil {
+		return fmt.Errorf("failed to create ssl directory: %w", err)
+	}
+
+	certPath := filepath.Join(sslDir, "default.crt")
+	keyPath := filepath.Join(sslDir, "default.key")
+
+	if _, err := os.Stat(certPath); err == nil {
+		if _, err := os.Stat(keyPath); err == nil {
+			return nil
+		}
+	}
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return fmt.Errorf("failed to generate private key: %w", err)
+	}
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"FlatRun Default"},
+			CommonName:   "localhost",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(10, 0, 0),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	certOut, err := os.Create(certPath)
+	if err != nil {
+		return fmt.Errorf("failed to create cert file: %w", err)
+	}
+	defer certOut.Close()
+
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER}); err != nil {
+		return fmt.Errorf("failed to write certificate: %w", err)
+	}
+
+	keyBytes, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		return fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	keyOut, err := os.Create(keyPath)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyOut.Close()
+
+	if err := pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}); err != nil {
+		return fmt.Errorf("failed to write private key: %w", err)
+	}
+
+	return nil
+}
+
 // SecurityHealthCheck represents the result of a security setup health check
 type SecurityHealthCheck struct {
 	Status          string                 `json:"status"`
@@ -1049,6 +1142,7 @@ func (m *Manager) checkNginxInternalAPIReachable() bool {
 var securityVolumeMounts = []string{
 	"./nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro",
 	"./lua:/etc/nginx/lua:ro",
+	"./ssl:/etc/nginx/ssl:ro",
 }
 
 func (m *Manager) getNginxComposePath() string {
@@ -1215,8 +1309,21 @@ func (m *Manager) RefreshSecurityScripts() (*RefreshSecurityScriptsResult, error
 		result.Errors = append(result.Errors, fmt.Sprintf("failed to create conf.d directory: %v", err))
 	}
 
+	sslDir := filepath.Join(nginxDir, "ssl")
+	if err := os.MkdirAll(sslDir, 0755); err != nil {
+		result.Errors = append(result.Errors, fmt.Sprintf("failed to create ssl directory: %v", err))
+	}
+
+	if m.config.Nginx.RejectUnknownDomains {
+		if err := m.ensureDefaultSSLCert(nginxDir); err != nil {
+			result.Errors = append(result.Errors, fmt.Sprintf("failed to generate default SSL cert: %v", err))
+		}
+	}
+
 	// Write nginx.conf with Lua support
-	nginxConf, err := templates.GetNginxConfig(true)
+	nginxConf, err := templates.GetNginxConfigWithData(true, templates.NginxConfigData{
+		RejectUnknownDomains: m.config.Nginx.RejectUnknownDomains,
+	})
 	if err != nil {
 		result.Errors = append(result.Errors, fmt.Sprintf("failed to get nginx lua config template: %v", err))
 	} else {