
Rpc-user block

From UnrealIRCd documentation wiki

The rpc-user block defines who is authorized to use JSON-RPC. It is not meant to give end-users (real people) direct API access, but to grant access to software such as the webpanel.


rpc-user <name> {
    match <mask>;
    password <password>;
}

Every RPC user authenticates with a name and password:

  • name: the name of the rpc-user block designates the username used for JSON-RPC logins
  • password: the password for this user; it can be hashed instead of being stored in plaintext.

Every block also has a match, which is a Mask item. It is highly recommended to use a strict filter on IP addresses, because:

  • API access is very powerful: it can retrieve a lot of (sensitive) information very quickly and can also change and set things, so when abused it can wreak havoc very fast.
  • The UnrealIRCd webserver and JSON-RPC functionality is quite new. When a connection is made on the RPC server port, we first check whether the client matches any rpc-user::match. If not, we immediately reject the connection without even reading or parsing the request. Thus, a strict rpc-user::match greatly limits the attack surface of all the JSON-RPC components.


rpc-user apiuser {
    match { ip 192.0.2.10; } /* placeholder address: use the IP of your own RPC client */
    password "test";
}
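
An added example, not part of the UnrealIRCd documentation: a small Python audit that reads rpc-user blocks in the `match { ip ...; }` form shown above and flags a mask that accepts any address or a password kept in plaintext. The sample config, the list of over-broad masks and the rule that a hashed password starts with `$` are assumptions of this example.

```python
import re

# Constructed sample config; names, address and hash text are placeholders.
SAMPLE = '''
rpc-user webpanel {
    match { ip 192.0.2.10; }
    password "$argon2id$CONSTRUCTED-PLACEHOLDER";
}
/* the block below shows both weaknesses */
rpc-user apiuser {
    match { ip *; }
    password "test";
}
'''

# Assumption of this example: masks treated as "matches every client".
BROAD_IPS = {"*", "*.*.*.*", "0.0.0.0/0", "::/0"}

def rpc_user_blocks(conf):
    """Yield (name, body) per rpc-user block, tracking nested braces."""
    for m in re.finditer(r"\brpc-user\s+(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        # An unterminated block keeps everything up to end of input.
        yield m.group(1), conf[m.end():i - 1 if depth == 0 else i]

def audit(conf):
    """Return (rpc-user name, finding) tuples for weak rpc-user blocks."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)          # block comments
    conf = re.sub(r"^\s*(#|//)[^\n]*", "", conf, flags=re.M)   # line comments
    findings = []
    for name, body in rpc_user_blocks(conf):
        ips = re.findall(r"\bip\s+([^;\s]+)\s*;", body)
        if not ips:
            findings.append((name, "no ip restriction in match"))
        for ip in ips:
            if ip in BROAD_IPS:
                findings.append((name, f"ip {ip} accepts any address"))
        pw = re.search(r'\bpassword\s+"([^"]*)"', body)
        # Heuristic (assumption): hashed values start with "$", e.g. "$argon2id$".
        if pw and not pw.group(1).startswith("$"):
            findings.append((name, "password is stored in plaintext"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"rpc-user {name}: {finding}")
```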