IPStrategy for selecting IP in whitelist

configuration/entrypoints_test.go

@@ -45,9 +45,11 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
 				"Auth.Forward.TLS.Key:path/to/foo.key " +
 				"Auth.Forward.TLS.InsecureSkipVerify:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.useXForwardedFor:true ",
+				"WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"WhiteList.IPStrategy.depth:3 " +
+				"WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 " +
+				"ClientIPStrategy.depth:3 " +
+				"ClientIPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 ",
 			expectedResult: map[string]string{
 				"address":                             ":8000",
 				"auth_basic_users":                    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
@@ -73,13 +75,15 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"redirect_permanent":       "true",
 				"redirect_regex":           "http://localhost/(.*)",
 				"redirect_replacement":     "http://mydomain/$1",
-				"tls":                        "goo,gii",
-				"tls_acme":                   "TLS",
-				"tls_ciphersuites":           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-				"tls_minversion":             "VersionTLS11",
-				"whitelistsourcerange":       "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
-				"whitelist_sourcerange":      "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
-				"whitelist_usexforwardedfor": "true",
+				"tls":                              "goo,gii",
+				"tls_acme":                         "TLS",
+				"tls_ciphersuites":                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+				"tls_minversion":                   "VersionTLS11",
+				"whitelist_sourcerange":            "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"whitelist_ipstrategy_depth":       "3",
+				"whitelist_ipstrategy_excludedips": "10.0.0.3/24,20.0.0.3/24",
+				"clientipstrategy_depth":           "3",
+				"clientipstrategy_excludedips":     "10.0.0.3/24,20.0.0.3/24",
 			},
 		},
 		{
@@ -206,9 +210,11 @@ func TestEntryPoints_Set(t *testing.T) {
 				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
 				"Auth.Forward.TLS.Key:path/to/foo.key " +
 				"Auth.Forward.TLS.InsecureSkipVerify:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.useXForwardedFor:true ",
+				"WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"WhiteList.IPStrategy.depth:3 " +
+				"WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 " +
+				"ClientIPStrategy.depth:3 " +
+				"ClientIPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 ",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				Address: ":8000",
@@ -265,18 +271,19 @@ func TestEntryPoints_Set(t *testing.T) {
 					},
 					HeaderField: "X-WebAuth-User",
 				},
-				WhitelistSourceRange: []string{
-					"10.42.0.0/16",
-					"152.89.1.33/32",
-					"afed:be44::/16",
-				},
 				WhiteList: &types.WhiteList{
 					SourceRange: []string{
 						"10.42.0.0/16",
 						"152.89.1.33/32",
 						"afed:be44::/16",
 					},
-					UseXForwardedFor: true,
+					IPStrategy: &types.IPStrategy{
+						Depth: 3,
+						ExcludedIPs: []string{
+							"10.0.0.3/24",
+							"20.0.0.3/24",
+						},
+					},
 				},
 				Compress: &Compress{},
 				ProxyProtocol: &ProxyProtocol{
@@ -290,6 +297,13 @@ func TestEntryPoints_Set(t *testing.T) {
 						"20.0.0.3/24",
 					},
 				},
+				ClientIPStrategy: &types.IPStrategy{
+					Depth: 3,
+					ExcludedIPs: []string{
+						"10.0.0.3/24",
+						"20.0.0.3/24",
+					},
+				},
 			},
 		},
 		{
@@ -307,7 +321,7 @@ func TestEntryPoints_Set(t *testing.T) {
 				"redirect.replacement:http://mydomain/$1 " +
 				"redirect.permanent:true " +
 				"compress:true " +
-				"whiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
 				"proxyProtocol.TrustedIPs:192.168.0.1 " +
 				"forwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
 				"auth.basic.users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
@@ -375,10 +389,12 @@ func TestEntryPoints_Set(t *testing.T) {
 					},
 					HeaderField: "X-WebAuth-User",
 				},
-				WhitelistSourceRange: []string{
-					"10.42.0.0/16",
-					"152.89.1.33/32",
-					"afed:be44::/16",
+				WhiteList: &types.WhiteList{
+					SourceRange: []string{
+						"10.42.0.0/16",
+						"152.89.1.33/32",
+						"afed:be44::/16",
+					},
 				},
 				Compress: &Compress{},
 				ProxyProtocol: &ProxyProtocol{
@@ -399,12 +415,12 @@ func TestEntryPoints_Set(t *testing.T) {
 			expression:             "Name:foo",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{Insecure: false},
 			},
 		},
 		{
 			name:                   "ForwardedHeaders insecure true",
-			expression:             "Name:foo ForwardedHeaders.Insecure:true",
+			expression:             "Name:foo ForwardedHeaders.insecure:true",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
@@ -412,7 +428,7 @@ func TestEntryPoints_Set(t *testing.T) {
 		},
 		{
 			name:                   "ForwardedHeaders insecure false",
-			expression:             "Name:foo ForwardedHeaders.Insecure:false",
+			expression:             "Name:foo ForwardedHeaders.insecure:false",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				ForwardedHeaders: &ForwardedHeaders{Insecure: false},
@@ -430,19 +446,19 @@ func TestEntryPoints_Set(t *testing.T) {
 		},
 		{
 			name:                   "ProxyProtocol insecure true",
-			expression:             "Name:foo ProxyProtocol.Insecure:true",
+			expression:             "Name:foo ProxyProtocol.insecure:true",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{},
 				ProxyProtocol:    &ProxyProtocol{Insecure: true},
 			},
 		},
 		{
 			name:                   "ProxyProtocol insecure false",
-			expression:             "Name:foo ProxyProtocol.Insecure:false",
+			expression:             "Name:foo ProxyProtocol.insecure:false",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{},
 				ProxyProtocol:    &ProxyProtocol{},
 			},
 		},
@@ -451,7 +467,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			expression:             "Name:foo ProxyProtocol.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{},
 				ProxyProtocol: &ProxyProtocol{
 					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
 				},
@@ -463,7 +479,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				Compress:         &Compress{},
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{},
 			},
 		},
 		{
@@ -472,7 +488,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
 				Compress:         &Compress{},
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ForwardedHeaders: &ForwardedHeaders{},
 			},
 		},
 	}