2022-07-20 15:13:36 +02:00
\section { API}
\subsection { REST Endpoints} \label { api}
2022-07-19 11:51:23 +02:00
2022-07-20 14:57:17 +02:00
Managing the firewall rules can be done over a REST API\footnote { \href { https://www.ibm.com/cloud/learn/rest-apis} { What is a REST API} } . Available routes are following and can be retrieved by visiting the API (e.g. \verb |https://10.93.0.224:8080/api|) of the device.
2022-07-19 11:51:23 +02:00
\lstset { style=json}
\begin { lstlisting}
[
{
2022-07-27 11:58:32 +02:00
"endpoint": "http://10.93.0.246:8080/api/firewall/rules",
2022-07-19 11:51:23 +02:00
"description": "Get all Firewall Rules",
"method": "GET"
} ,
{
2022-07-27 11:58:32 +02:00
"endpoint": "http://10.93.0.246:8080/api/firewall/rules/<key>",
2022-07-19 11:51:23 +02:00
"description": "Get Firewall Rule by key",
"method": "GET"
} ,
{
2022-07-27 11:58:32 +02:00
"endpoint": "http://10.93.0.246:8080/api/firewall/rules",
2022-07-19 11:51:23 +02:00
"description": "Create Firewall Rule",
"method": "POST"
} ,
{
2022-07-27 11:58:32 +02:00
"endpoint": "http://10.93.0.246:8080/api/firewall/rules/<key>",
"description": "Update Firewall Rule by key",
"method": "PUT"
} ,
{
"endpoint": "http://10.93.0.246:8080/api/firewall/rules/<key>",
2022-07-19 11:51:23 +02:00
"description": "Delete Firewall Rule by key",
"method": "DELETE"
}
]
\end { lstlisting}
2022-07-27 12:32:17 +02:00
Available protocols are \verb |TCP, UDP & ALL|
Available targets are \verb |ACCEPT & DROP|
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
\newpage
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
\subsection { Get rules}
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
\begin { verbatim}
curl -u username:password http://10.93.0.246:8080/api/firewall/rules
\end { verbatim}
2022-07-19 11:51:23 +02:00
\lstset { style=json}
\begin { lstlisting}
2022-07-27 12:32:17 +02:00
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Content-Length: 109
[
{
"key": "1",
"ip": "10.93.0.211",
"port_ from": "8080",
"port_ to": "8080",
"protocol": "TCP",
"target": "ACCEPT"
}
]
2022-07-19 11:51:23 +02:00
\end { lstlisting}
2022-07-27 12:32:17 +02:00
\subsection { Get rule}
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
\begin { verbatim}
curl -u username:password http://10.93.0.246:8080/api/firewall/rules/1
\end { verbatim}
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
\lstset { style=json}
\begin { lstlisting}
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Content-Length: 107
{
"key": "1",
"ip": "10.93.0.211",
"port_ from": "8080",
"port_ to": "8080",
"protocol": "TCP",
"target": "ACCEPT"
}
\end { lstlisting}
\subsection { Create rule}
\begin { verbatim}
curl -X POST -u username:password \
http://10.93.0.246:8080/api/firewall/rules
?ip=10.93.0.200& port_ from=10& port_ to=50& protocol=UDP& target=ACCEPT
\end { verbatim}
\lstset { style=json}
\begin { lstlisting}
// HTTP/1.1 201 Created
// Content-Type: application/json; charset=utf-8
// Content-Length: 104
{
"key": "2",
"ip": "10.93.0.200",
"port_ from": "10",
"port_ to": "50",
"protocol": "UDP",
"target": "ACCEPT"
}
\end { lstlisting}
\subsection { Update rule}
\begin { verbatim}
curl -X PUT -u username:password \
http://10.93.0.246:8080/api/firewall/rules/2
?ip=10.93.0.100& port_ from=20& port_ to=100& protocol=ALL& target=DROP
\end { verbatim}
\lstset { style=json}
\begin { lstlisting}
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Content-Length: 103
{
"key": "2",
"ip": "10.93.0.100",
"port_ from": "20",
"port_ to": "100",
"protocol": "ALL",
"target": "DROP"
}
\end { lstlisting}
\subsection { Delete rule}
\begin { verbatim}
curl -X DELETE -u username:password \
http://10.93.0.246:8080/api/firewall/rules/2
\end { verbatim}
\lstset { style=json}
\begin { lstlisting}
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Content-Length: 36
{
"message": "firewall rule deleted"
}
\end { lstlisting}
2022-07-19 11:51:23 +02:00
2022-07-20 15:13:36 +02:00
\subsection { HTTPS} \label { https}
2022-07-27 12:32:17 +02:00
To connect to the ESP over HTTPS (Hypertext Transfer Protocol Secure) the Webserver can be setup to use certificates that need to be included in the constructor as seen in section \ref { authentication} . This only works for the esp8266 with the Arduino library but can be added as an external library (\verb |esp32_ https_ server_ combat|\footnote { \href { https://github.com/fhessel/esp32_ https_ server_ compat} { https://github.com/fhessel/esp32\_ https\_ server\_ compat} } ) for the esp32 if needed.
\newpage
2022-07-20 15:13:36 +02:00
\subsection { Authentication} \label { authentication}
2022-07-19 11:51:23 +02:00
2022-07-27 12:32:17 +02:00
To authenticate the API uses basic auth. Communication should therefore be encrypted to protect the process from eavesdropping. Another solution would be to setup the rules in a private network and setup the esp without the API enabled. Therefore the rules will still apply, but cannot be changed over the network. Example certificates for the esp8266 are included in the repository and encryption can be added to the esp32 as described in section \ref { https} . Setting the username and password is done via the constructor of the api class. To create the api class to setup the firewall rules a firewall class instance is needed.
2022-07-19 11:51:23 +02:00
\lstset { style=c++}
\begin { lstlisting}
#include "Firewall.hpp"
#include "API.hpp"
firewall = new fw::Firewall();
firewallApi = new fw::API(firewall, cert, key, username, password);
\end { lstlisting}
After this all endpoints shown in section \ref { api} will be protected.
