[FilterByClientIpPlugin] Implement the whitelist logic #1127

Merged 4 commits on Apr 20, 2022
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -2469,6 +2469,8 @@ options:
--filtered-upstream-hosts FILTERED_UPSTREAM_HOSTS
Default: Blocks Facebook. Comma separated list of IPv4
and IPv6 addresses.
--filtered-client-ips-mode FILTERED_CLIENT_IPS_MODE
Default: "blacklist". Can be either "whitelist" (restrict access to specific IPs) or "blacklist" (allow everything except specific IPs).
--filtered-client-ips FILTERED_CLIENT_IPS
Default: 127.0.0.1,::1. Comma separated list of IPv4
and IPv6 addresses.
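Review bot: The new `--filtered-client-ips-mode` entry does not say that the existing `--filtered-client-ips` default (`127.0.0.1,::1`) changes meaning with the mode: under "blacklist" loopback clients are the ones rejected, under "whitelist" they are the only clients accepted. Suggest stating in the `--filtered-client-ips` description that the list is interpreted according to the mode, and wrapping the new description line like the neighbouring options.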
28 changes: 22 additions & 6 deletions proxy/plugin/filter_by_client_ip.py
Expand Up @@ -21,6 +21,14 @@
from ..http.exception import HttpRequestRejected


flags.add_argument(
'--filtered-client-ips-mode',
type=str,
default='blacklist',
help='Default: blacklist. Can be either "whitelist" (restrict access to specific IPs)'
'or "blacklist" (allow everything except specific IPs).',
)

flags.add_argument(
'--filtered-client-ips',
type=str,
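Review bot: `--filtered-client-ips-mode` is declared with `type=str` and no `choices`, so a mistyped value is accepted at startup and is only caught later by the `assert` in `before_upstream_connection`. Suggest adding `choices=('blacklist', 'whitelist')` to this `add_argument` call (assuming the `flags` wrapper forwards keyword arguments to argparse) so a bad value fails at parse time. Also, the two adjacent help string literals join as "specific IPs)or"; the first literal needs a trailing space.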
Expand All @@ -30,15 +38,23 @@


class FilterByClientIpPlugin(HttpProxyBasePlugin):
"""Drop traffic by inspecting incoming client IP address."""
"""Allow only (whitelist) or Drop only (blacklist) traffic by inspecting incoming client IP address."""

def before_upstream_connection(
self, request: HttpParser,
) -> Optional[HttpParser]:
assert not self.flags.unix_socket_path and self.client.addr
if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
raise HttpRequestRejected(
status_code=httpStatusCodes.I_AM_A_TEAPOT,
reason=b'I\'m a tea pot',
)
assert self.flags.filtered_client_ips_mode in ('blacklist', 'whitelist')
if self.flags.filtered_client_ips_mode == 'blacklist':
if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
raise HttpRequestRejected(
status_code=httpStatusCodes.I_AM_A_TEAPOT,
reason=b'I\'m a tea pot',
)
elif self.flags.filtered_client_ips_mode == 'whitelist':
if self.client.addr[0] not in self.flags.filtered_client_ips.split(','):
raise HttpRequestRejected(
status_code=httpStatusCodes.I_AM_A_TEAPOT,
reason=b'I\'m a tea pot',
)
return request
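Review bot: The line `assert self.flags.filtered_client_ips_mode in ('blacklist', 'whitelist')` is the only guard against an unknown mode, and asserts are removed when Python runs with `-O`; in that case neither the `if` nor the `elif` branch matches and `return request` lets every client through. Suggest a final `else` that raises or rejects the request, so an unrecognised mode fails closed. Separately, both branches compare `self.client.addr[0]` by exact string against the `split(',')` items, so an entry with surrounding spaces or an IPv6 address written in a different textual form will not match, which in blacklist mode means the client is allowed; stripping the entries and comparing parsed addresses would avoid that.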