IPStrategy for selecting IP in whitelist

2018-08-24 16:20:03 +02:00 · 2018-08-24 16:20:03 +02:00 · 00728e711c
commit 00728e711c
parent 1ec4e03738
65 changed files with 2444 additions and 1837 deletions
--- a/configuration/entrypoints.go
+++ b/configuration/entrypoints.go
@ -2,6 +2,7 @@ package configuration

 import (
 	"fmt"
+	"strconv"
 	"strings"

 	"github.com/containous/traefik/log"
@ -11,20 +12,19 @@ import (

 // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
 type EntryPoint struct {
-	Address              string
-	TLS                  *tls.TLS          `export:"true"`
-	Redirect             *types.Redirect   `export:"true"`
-	Auth                 *types.Auth       `export:"true"`
-	WhitelistSourceRange []string          // Deprecated
-	WhiteList            *types.WhiteList  `export:"true"`
-	Compress             *Compress         `export:"true"`
-	ProxyProtocol        *ProxyProtocol    `export:"true"`
-	ForwardedHeaders     *ForwardedHeaders `export:"true"`
+	Address          string
+	TLS              *tls.TLS          `export:"true"`
+	Redirect         *types.Redirect   `export:"true"`
+	Auth             *types.Auth       `export:"true"`
+	WhiteList        *types.WhiteList  `export:"true"`
+	Compress         *Compress         `export:"true"`
+	ProxyProtocol    *ProxyProtocol    `export:"true"`
+	ForwardedHeaders *ForwardedHeaders `export:"true"`
+	ClientIPStrategy *types.IPStrategy `export:"true"`
 }

 // Compress contains compress configuration
-type Compress struct {
-}
+type Compress struct{}

 // ProxyProtocol contains Proxy-Protocol configuration
 type ProxyProtocol struct {
@ -68,11 +68,6 @@ func (ep *EntryPoints) Type() string {
 func (ep *EntryPoints) Set(value string) error {
 	result := parseEntryPointsConfiguration(value)

-	var whiteListSourceRange []string
-	if len(result["whitelistsourcerange"]) > 0 {
-		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
-	}
-
 	var compress *Compress
 	if len(result["compress"]) > 0 {
 		compress = &Compress{}
@ -84,29 +79,42 @@ func (ep *EntryPoints) Set(value string) error {
 	}

 	(*ep)[result["name"]] = &EntryPoint{
-		Address:              result["address"],
-		TLS:                  configTLS,
-		Auth:                 makeEntryPointAuth(result),
-		Redirect:             makeEntryPointRedirect(result),
-		Compress:             compress,
-		WhitelistSourceRange: whiteListSourceRange,
-		WhiteList:            makeWhiteList(result),
-		ProxyProtocol:        makeEntryPointProxyProtocol(result),
-		ForwardedHeaders:     makeEntryPointForwardedHeaders(result),
+		Address:          result["address"],
+		TLS:              configTLS,
+		Auth:             makeEntryPointAuth(result),
+		Redirect:         makeEntryPointRedirect(result),
+		Compress:         compress,
+		WhiteList:        makeWhiteList(result),
+		ProxyProtocol:    makeEntryPointProxyProtocol(result),
+		ForwardedHeaders: makeEntryPointForwardedHeaders(result),
+		ClientIPStrategy: makeIPStrategy("clientipstrategy", result),
 	}

 	return nil
 }

 func makeWhiteList(result map[string]string) *types.WhiteList {
-	var wl *types.WhiteList
 	if rawRange, ok := result["whitelist_sourcerange"]; ok {
-		wl = &types.WhiteList{
-			SourceRange:      strings.Split(rawRange, ","),
-			UseXForwardedFor: toBool(result, "whitelist_usexforwardedfor"),
+		return &types.WhiteList{
+			SourceRange: strings.Split(rawRange, ","),
+			IPStrategy:  makeIPStrategy("whitelist_ipstrategy", result),
 		}
 	}
-	return wl
+	return nil
+}
+
+func makeIPStrategy(prefix string, result map[string]string) *types.IPStrategy {
+	depth := toInt(result, prefix+"_depth")
+	excludedIPs := result[prefix+"_excludedips"]
+
+	if depth == 0 && len(excludedIPs) == 0 {
+		return nil
+	}
+
+	return &types.IPStrategy{
+		Depth:       depth,
+		ExcludedIPs: strings.Split(excludedIPs, ","),
+	}
 }

 func makeEntryPointAuth(result map[string]string) *types.Auth {
@ -184,15 +192,14 @@ func makeEntryPointProxyProtocol(result map[string]string) *ProxyProtocol {
 	}

 	if proxyProtocol != nil && proxyProtocol.Insecure {
-		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
+		log.Warn("ProxyProtocol.insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.insecure:true'")
 	}

 	return proxyProtocol
 }

 func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
-	// TODO must be changed to false by default in the next breaking version.
-	forwardedHeaders := &ForwardedHeaders{Insecure: true}
+	forwardedHeaders := &ForwardedHeaders{}
 	if _, ok := result["forwardedheaders_insecure"]; ok {
 		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
 	}
@ -300,3 +307,14 @@ func toBool(conf map[string]string, key string) bool {
 	}
 	return false
 }
+
+func toInt(conf map[string]string, key string) int {
+	if val, ok := conf[key]; ok {
+		intVal, err := strconv.Atoi(val)
+		if err != nil {
+			return 0
+		}
+		return intVal
+	}
+	return 0
+}