traefik/middlewares/ip_whitelister.go

package middlewares

import (
	"fmt"
	"net/http"

	"github.com/containous/traefik/log"
	"github.com/containous/traefik/middlewares/tracing"
	"github.com/containous/traefik/whitelist"
	"github.com/pkg/errors"
	"github.com/urfave/negroni"
)

// IPWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists
type IPWhiteLister struct {
	handler     negroni.Handler
	whiteLister *whitelist.IP
}

// NewIPWhiteLister builds a new IPWhiteLister given a list of CIDR-Strings to whitelist
func NewIPWhiteLister(whiteList []string, useXForwardedFor bool) (*IPWhiteLister, error) {
	if len(whiteList) == 0 {
		return nil, errors.New("no white list provided")
	}

	whiteLister := IPWhiteLister{}

	ip, err := whitelist.NewIP(whiteList, false, useXForwardedFor)
	if err != nil {
		return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whiteList, err)
	}
	whiteLister.whiteLister = ip

	whiteLister.handler = negroni.HandlerFunc(whiteLister.handle)
	log.Debugf("configured IP white list: %s", whiteList)

	return &whiteLister, nil
}

func (wl *IPWhiteLister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	allowed, ip, err := wl.whiteLister.IsAuthorized(r)
	if err != nil {
		tracing.SetErrorAndDebugLog(r, "request %+v matched none of the white list - rejecting", r)
		reject(w)
		return
	}

	if allowed {
		tracing.SetErrorAndDebugLog(r, "request %+v matched white list %s - passing", r, wl.whiteLister)
		next.ServeHTTP(w, r)
		return
	}

	tracing.SetErrorAndDebugLog(r, "source-IP %s matched none of the white list - rejecting", ip)
	reject(w)
}

func (wl *IPWhiteLister) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	wl.handler.ServeHTTP(rw, r, next)
}

func reject(w http.ResponseWriter) {
	statusCode := http.StatusForbidden

	w.WriteHeader(statusCode)
	w.Write([]byte(http.StatusText(statusCode)))
}
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`package middlewares`

			`import (`
			`"fmt"`
			`"net/http"`

			`"github.com/containous/traefik/log"`
Opentracing support 2018-01-10 16:48:04 +00:00			`"github.com/containous/traefik/middlewares/tracing"`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`"github.com/containous/traefik/whitelist"`
refactor: Logs & errors review. - log & error: remove format if not necessary, add if necessary. - add constants for k8s annotations. - fix typos 2017-05-26 15:03:14 +00:00			`"github.com/pkg/errors"`
refactor: migration Negroni from codegangsta to urfave 2017-07-19 10:02:51 +00:00			`"github.com/urfave/negroni"`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`)`

Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`// IPWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists`
			`type IPWhiteLister struct {`
			`handler negroni.Handler`
			`whiteLister *whitelist.IP`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`// NewIPWhiteLister builds a new IPWhiteLister given a list of CIDR-Strings to whitelist`
			`func NewIPWhiteLister(whiteList []string, useXForwardedFor bool) (*IPWhiteLister, error) {`
			`if len(whiteList) == 0 {`
			`return nil, errors.New("no white list provided")`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`}`

Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`whiteLister := IPWhiteLister{}`
Enhance integration tests * refactor: remove unused code. * refactor: factorize Traefik cmd start. * refactor(whitelist): minor change. * refactor(accesslog): better use of checker. * refactor(errorpages): factorize containers IP variables. * refactor(integration): refactor cmdTraefikWithConfigFile. 2017-07-10 12:58:31 +00:00
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`ip, err := whitelist.NewIP(whiteList, false, useXForwardedFor)`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`if err != nil {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whiteList, err)`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`}`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`whiteLister.whiteLister = ip`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`whiteLister.handler = negroni.HandlerFunc(whiteLister.handle)`
Add tests on IPWhiteLister. 2018-04-03 16:36:03 +00:00			`log.Debugf("configured IP white list: %s", whiteList)`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`return &whiteLister, nil`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`}`

Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`func (wl IPWhiteLister) handle(w http.ResponseWriter, r http.Request, next http.HandlerFunc) {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`allowed, ip, err := wl.whiteLister.IsAuthorized(r)`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`if err != nil {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`tracing.SetErrorAndDebugLog(r, "request %+v matched none of the white list - rejecting", r)`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`reject(w)`
			`return`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`}`

Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`if allowed {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`tracing.SetErrorAndDebugLog(r, "request %+v matched white list %s - passing", r, wl.whiteLister)`
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`next.ServeHTTP(w, r)`
			`return`
			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`tracing.SetErrorAndDebugLog(r, "source-IP %s matched none of the white list - rejecting", ip)`
IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`reject(w)`
			`}`

Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00			`func (wl IPWhiteLister) ServeHTTP(rw http.ResponseWriter, r http.Request, next http.HandlerFunc) {`
			`wl.handler.ServeHTTP(rw, r, next)`
			`}`

IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) 2017-04-30 09:22:07 +00:00			`func reject(w http.ResponseWriter) {`
			`statusCode := http.StatusForbidden`

			`w.WriteHeader(statusCode)`
			`w.Write([]byte(http.StatusText(statusCode)))`
			`}`