NethServer · DavidePrincipi · Mar 6, 2026 · Mar 3, 2026 · Mar 2, 2026 · Mar 3, 2026
diff --git a/AGENTS.md b/AGENTS.md
@@ -146,3 +146,5 @@ Robot Framework tests are in `core/tests/` with numbered directories
 - **Branch names**: never use "/" in branch names. Use only chars allowed
   by container registry tags, like "-" and alphanumeric chars. This is a
   requirement for container image uploads.
+- **Commits**: Use conventional commit style. Short title line, 50 chars max.
+  Wrap body text at 72.
diff --git a/core/agent/go.mod b/core/agent/go.mod
@@ -4,15 +4,13 @@ go 1.18
 
 require (
 	github.com/go-redis/redis/v8 v8.11.5
-	github.com/nqd/flat v0.2.0
 	github.com/xeipuuv/gojsonschema v1.2.0
 )
 
 require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

diff --git a/core/agent/go.sum b/core/agent/go.sum
@@ -8,10 +8,6 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cu
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
-github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
-github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/nqd/flat v0.2.0 h1:g6lXtMxsxrz6PZOO+rNnAJUn/GGRrK4FgVEhy/v+cHI=
-github.com/nqd/flat v0.2.0/go.mod h1:FOuslZmNY082wVfVUUb7qAGWKl8z8Nor9FMg+Xj2Nss=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
@@ -32,7 +28,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+R
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=

diff --git a/core/api-moduled/go.mod b/core/api-moduled/go.mod
@@ -17,8 +17,6 @@ require (
 require (
 	github.com/bytedance/sonic v1.13.2 // indirect
 	github.com/bytedance/sonic/loader v0.2.4 // indirect
-	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
-	github.com/chenzhuoyu/iasm v0.9.1 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect

diff --git a/core/api-moduled/go.sum b/core/api-moduled/go.sum
diff --git a/core/api-server/README.md b/core/api-server/README.md
@@ -47,6 +47,24 @@ LISTEN_ADDRESS=0.0.0.0:8080 REDIS_ADDRESS=127.0.0.1:6379 REDIS_USER=my-user REDI
 
 Each API is authenticated and authorized through a `JWT (JSON Web Token)`. In order to get access to the APIs you have to login before and get a JWT `token`. `SECRET` is used to set the JWT signature.
 
+### Network access restrictions
+
+The API server enforces source-IP restrictions at login and on every
+authenticated request:
+
+- **Agent credentials** (`cluster`, `node/*`, `module/*`): always
+  restricted to `127.0.0.1`, `::1`, and the cluster VPN network (Redis
+  key `cluster/network`). Login from any other IP returns HTTP 401;
+  requests with an agent-issued JWT from outside those networks return
+  HTTP 403. This is unconditional and cannot be overridden.
+
+- **User accounts** (e.g. `admin`): an optional `allowed_networks` field
+  can be set via `cluster/add-user` or `cluster/alter-user`. When
+  non-empty, logins and JWT requests from non-matching IPs are rejected
+  (401/403 respectively). An empty list means no IP restriction.
+
+#### Login API list
+
 -   `POST /login`
 
 ```bash

diff --git a/core/api-server/api-server.go b/core/api-server/api-server.go
@@ -76,6 +76,12 @@ func main() {
 		gin.Recovery(),
 	)
 
+	// Trust only the local Traefik instance as a reverse proxy.
+	// X-Forwarded-For is honoured only when the TCP connection originates
+	// from loopback; direct connections (e.g. cluster agents on the VPN)
+	// use the TCP peer address, preventing header-based IP spoofing.
+	router.SetTrustedProxies([]string{"127.0.0.1", "::1"})
+
 	// add default compression
 	router.Use(gzip.Gzip(gzip.DefaultCompression))