| Tip of the day: Log files can use JSON logging. You can also send the JSON data to IRCOps on IRC. The JSON is machine readable and contains lots of details about every log event. |
Rpc-user block
Jump to navigation
Jump to search
Via the rpc-user block you tell who is authorized to use JSON-RPC. This is not meant to allow end-users (real people) direct API access, but to allow software like the webpanel.
Syntax
rpc-user <name> {
match <mask>;
password <password>;
rpc-class <rpcclass>;
}
Every RPC user authenticates with a name and password:
- name: the name of the rpc-user block designates the username used for JSON-RPC logins
- password: this is the password, it can be an hashed instead of using plaintext.
- rpc-class: defines which methods can be called, this refers to an Rpc-class block. Only in UnrealIRCd 6.1.7 and later!
You can use one of the build-in ones:full: access to all JSON-RPC Methodsreadonly: only access to like user.list, channel.list, server_ban.list, but not changing things like user.set_nick or server_ban.add.
Every block also has a match which is a Mask item. It is highly recommended to use strict filter on IP addresses, because:
- API access is very powerful: you can grab a lot of (sensitive) information very fast, and also change and set things, wreak havoc very fast, when abused.
- The UnrealIRCd webserver and JSON-RPC functionality is quite new. When a connection is made on the RPC server port, we first check if any of the rpc-user::match match. If not, we immediately reject the connection without even reading or parsing the request. Thus, with a strict rpc-user::match you limit the attack surface of all the JSON-RPC components a lot.
Example
rpc-user apiuser {
match { ip 127.0.0.1; }
password "test";
}