feat(security): Add token-authenticated internal endpoint for nginx

Add secure internal endpoint for nginx to fetch blocked IPs without
requiring user authentication credentials.

- Add InternalAPIToken to SecurityConfig, auto-generated if empty
- Create /_internal/blocked-ips endpoint with X-Internal-Token validation
- Update Lua templates to include token in requests
- Inject token into security.lua during template generation

Signed-off-by: nfebe <fenn25.fn@gmail.com>

Author: nfebe

internal/api/security_handlers.go

@@ -194,6 +194,19 @@ func (s *Server) listBlockedIPs(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"blocked_ips": ips})
 }
 
+// listBlockedIPsInternal returns blocked IPs for internal nginx communication
+func (s *Server) listBlockedIPsInternal(c *gin.Context) {
+	token := c.GetHeader("X-Internal-Token")
+	expectedToken := s.config.Security.InternalAPIToken
+
+	if token == "" || token != expectedToken {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid internal token"})
+		return
+	}
+
+	s.listBlockedIPs(c)
+}
+
 // blockIP blocks an IP address
 func (s *Server) blockIP(c *gin.Context) {
 	if s.securityManager == nil {

internal/api/server.go

@@ -276,6 +276,7 @@ func (s *Server) setupRoutes() {
 			protected.GET("/security/events", s.listSecurityEvents)
 			protected.GET("/security/events/:id", s.getSecurityEvent)
 			protected.POST("/security/cleanup", s.cleanupSecurityEvents)
+			protected.GET("/security/blocked-ips", s.listBlockedIPs)
 			protected.POST("/security/blocked-ips", s.blockIP)
 			protected.DELETE("/security/blocked-ips/:ip", s.unblockIP)
 			protected.GET("/security/ips/:ip/events", s.getEventsByIP)
@@ -301,7 +302,9 @@ func (s *Server) setupRoutes() {
 		// Ingest endpoints (no auth - called by nginx Lua)
 		api.POST("/security/events/ingest", s.ingestSecurityEvent)
 		api.POST("/traffic/ingest", s.ingestTrafficLog)
-		api.GET("/security/blocked-ips", s.listBlockedIPs)
+
+		// Internal nginx endpoint - token-authenticated for blocked IPs
+		api.GET("/_internal/blocked-ips", s.listBlockedIPsInternal)
 	}
 }
 

internal/infra/manager.go

@@ -377,7 +377,7 @@ func (m *Manager) SetNginxRealtimeCaptureWithStatus(enabled bool) (map[string]in
 			result["agent_ip"] = agentIP
 			result["agent_port"] = agentPort
 
-			securityLua, err := templates.GetNginxSecurityLuaWithConfig(agentIP, agentPort)
+			securityLua, err := templates.GetNginxSecurityLuaWithConfig(agentIP, agentPort, m.config.Security.InternalAPIToken)
 			if err != nil {
 				errors = append(errors, fmt.Sprintf("failed to get security.lua template: %v", err))
 			} else {
@@ -1228,7 +1228,7 @@ func (m *Manager) RefreshSecurityScripts() (*RefreshSecurityScriptsResult, error
 	}
 
 	// Generate and write security.lua with injected IP
-	securityLua, err := templates.GetNginxSecurityLuaWithConfig(agentIP, agentPort)
+	securityLua, err := templates.GetNginxSecurityLuaWithConfig(agentIP, agentPort, m.config.Security.InternalAPIToken)
 	if err != nil {
 		result.Errors = append(result.Errors, fmt.Sprintf("failed to generate security.lua: %v", err))
 		result.Success = false

pkg/config/config.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"os"
 	"time"
 
@@ -126,6 +128,9 @@ type SecurityConfig struct {
 	AuthFailureThreshold  int           `yaml:"auth_failure_threshold" json:"auth_failure_threshold"`
 	UniquePathsThreshold  int           `yaml:"unique_paths_threshold" json:"unique_paths_threshold"`
 	RepeatedHitsThreshold int           `yaml:"repeated_hits_threshold" json:"repeated_hits_threshold"`
+
+	// Internal API token for nginx-to-agent communication (auto-generated if empty)
+	InternalAPIToken string `yaml:"internal_api_token" json:"-"`
 }
 
 func FindConfigPath(providedPath string) string {
@@ -268,6 +273,12 @@ func setDefaults(cfg *Config) {
 	if cfg.Security.RepeatedHitsThreshold == 0 {
 		cfg.Security.RepeatedHitsThreshold = 30
 	}
+	if cfg.Security.InternalAPIToken == "" {
+		bytes := make([]byte, 32)
+		if _, err := rand.Read(bytes); err == nil {
+			cfg.Security.InternalAPIToken = hex.EncodeToString(bytes)
+		}
+	}
 }
 
 func Save(cfg *Config, path string) error {

templates/infra/nginx/lua/security.lua

@@ -9,6 +9,7 @@ local _M = {}
 -- Configuration (injected by agent during deployment)
 local AGENT_IP = "{{.AgentIP}}"
 local AGENT_PORT = {{.AgentPort}}
+local INTERNAL_TOKEN = "{{.InternalAPIToken}}"
 
 -- Blocked IPs cache settings
 local BLOCKED_IPS_CACHE_TTL = 30  -- seconds
@@ -110,9 +111,10 @@ function _M.refresh_blocked_ips()
 
     local res, req_err = httpc:request({
         method = "GET",
-        path = "/api/security/blocked-ips",
+        path = "/api/_internal/blocked-ips",
         headers = {
             ["Host"] = AGENT_IP .. ":" .. AGENT_PORT,
+            ["X-Internal-Token"] = INTERNAL_TOKEN,
         }
     })
 

templates/templates.go

@@ -92,12 +92,13 @@ func GetNginxSecurityLua() ([]byte, error) {
 
 // LuaTemplateData contains the data for Lua template processing
 type LuaTemplateData struct {
-	AgentIP   string
-	AgentPort int
+	AgentIP          string
+	AgentPort        int
+	InternalAPIToken string
 }
 
 // GetNginxSecurityLuaWithConfig returns the security.lua template processed with agent config
-func GetNginxSecurityLuaWithConfig(agentIP string, agentPort int) ([]byte, error) {
+func GetNginxSecurityLuaWithConfig(agentIP string, agentPort int, internalAPIToken string) ([]byte, error) {
 	content, err := FS.ReadFile("infra/nginx/lua/security.lua")
 	if err != nil {
 		return nil, err
@@ -110,8 +111,9 @@ func GetNginxSecurityLuaWithConfig(agentIP string, agentPort int) ([]byte, error
 
 	var buf bytes.Buffer
 	data := LuaTemplateData{
-		AgentIP:   agentIP,
-		AgentPort: agentPort,
+		AgentIP:          agentIP,
+		AgentPort:        agentPort,
+		InternalAPIToken: internalAPIToken,
 	}
 
 	if err := tmpl.Execute(&buf, data); err != nil {

test/e2e/nginx/lua/security.lua

@@ -10,6 +10,7 @@ local _M = {}
 
 -- Configuration via environment variable (test-specific)
 local AGENT_URL = os.getenv("FLATRUN_AGENT_URL") or "http://host.docker.internal:8080"
+local INTERNAL_TOKEN = os.getenv("FLATRUN_INTERNAL_TOKEN") or ""
 
 -- Blocked IPs cache settings
 local BLOCKED_IPS_CACHE_TTL = 30  -- seconds
@@ -47,8 +48,11 @@ function _M.refresh_blocked_ips()
     local httpc = http.new()
     httpc:set_timeout(3000)
 
-    local res, err = httpc:request_uri(AGENT_URL .. "/api/security/blocked-ips", {
+    local res, err = httpc:request_uri(AGENT_URL .. "/api/_internal/blocked-ips", {
         method = "GET",
+        headers = {
+            ["X-Internal-Token"] = INTERNAL_TOKEN,
+        },
     })
 
     if not res then