Event based executing a script

Hello all,
My ultimate goal is to run a script based on an event or notice from an external website via API or SSH. The problem is that the external website is not to be trusted, so we can’t give the user that the website uses write/change config permissions. So we want to use the external website to simply execute a script – but without only execute permissions. This concept is like how PHP scripts execute when a user visits a page.

Can this be done?

Thanks,

You could allow them to send an SNMP command to your router which can run a script, but they can run any script on the router. The proper way to do this is to set up some sort of REST API server which they call, and that API server connects to the router to accomplish the command(s). This way, you have complete control over authentication and permissions. Such a server needs to run on an external box/VM.

Thanks JJCinAZ. This is certainly a possibility. I’ll look further into it.

Still wondering if anyone knows of other ways. RouterOS is a complex, feature-filled piece of software.

You know, I was recently thinking… and I might end up eventually implementing something like this myself (but no promises; feel free to beat me to it…)

It’s possible to set up a “proxy” server for the API protocol itself (“API proxy”), which would in turn filter out any forbidden requests, thus giving you fine-grained control over what an API client can or can’t do with the router.

It’s a similar idea to the aforementioned REST API, in that it requires you to have a separate OS that the router trusts. The router would only allow connections from said server (and perhaps other fully trusted parties), while untrusted/semi-trusted parties would connect to the server instead of to the router.

The difference is that you don’t need two separate sorts of clients and handling - just one (the RouterOS API).

The API proxy may sit on the same physical device, as long as there’s enough RAM to hold a small KVM/MetaRouter VM instance with a bare OS and sufficient tooling to run the API proxy program. In that setup, the real router’s API protocol can be dst-nat-ed to the VM for a seemingly transparent experience.
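
The filtering decision such an API proxy would make for each client sentence, as an added example that is not part of the original posts or of any existing project. It decodes the length-prefixed words of one RouterOS API sentence and forwards it only if it matches a default-deny allowlist; the policy itself, the `=number=` attribute and the script name `on-site-event` are assumptions made for illustration.

```python
# Added example: per-sentence allowlist check for a RouterOS API proxy.
ALLOWED_COMMAND = "/system/script/run"
ALLOWED_SCRIPTS = {"on-site-event"}  # hypothetical script name (assumption)

def encode_word(word):
    """Length-prefix one API word (1- and 2-byte length forms only)."""
    data = word.encode()
    if len(data) < 0x80:
        return bytes([len(data)]) + data
    if len(data) < 0x4000:
        return (len(data) | 0x8000).to_bytes(2, "big") + data
    raise ValueError("word too long for this example")

def build_sentence(*words):
    """Constructed sample input: words followed by the zero-length terminator."""
    return b"".join(encode_word(w) for w in words) + b"\x00"

def decode_sentence(buf):
    """Split exactly one sentence into its words, rejecting malformed input."""
    words, i = [], 0
    while i < len(buf):
        n = buf[i]
        i += 1
        if n & 0x80:  # two-byte length: 10xxxxxx xxxxxxxx
            if n & 0x40 or i >= len(buf):
                raise ValueError("unsupported or truncated length")
            n = ((n & 0x3F) << 8) | buf[i]
            i += 1
        if n == 0:  # zero-length word ends the sentence
            if i != len(buf):
                raise ValueError("trailing bytes after sentence")
            return words
        if i + n > len(buf):
            raise ValueError("truncated word")
        words.append(buf[i:i + n].decode())
        i += n
    raise ValueError("missing sentence terminator")

def is_allowed(sentence):
    """Default deny: forward only 'run <allowlisted script>'."""
    try:
        words = decode_sentence(sentence)
    except ValueError:  # also covers UnicodeDecodeError
        return False
    if len(words) != 2 or words[0] != ALLOWED_COMMAND:
        return False
    prefix, sep, name = words[1].partition("=number=")
    return prefix == "" and sep != "" and name in ALLOWED_SCRIPTS

if __name__ == "__main__":
    for s in (("/system/script/run", "=number=on-site-event"), ("/user/add", "=name=x")):
        print(s[0], "->", "forward" if is_allowed(build_sentence(*s)) else "drop")
```

Because the proxy holds the router credentials itself, the untrusted client never authenticates to the router directly, and any sentence that fails to parse or carries an extra word is dropped rather than forwarded.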