IPStrategy for selecting IP in whitelist

2018-08-24 16:20:03 +02:00 · 2018-08-24 16:20:03 +02:00 · 00728e711c
commit 00728e711c
parent 1ec4e03738
65 changed files with 2444 additions and 1837 deletions
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@ -14,11 +14,17 @@ defaultEntryPoints = ["http", "https"]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.compress]
+    
+    [entryPoints.http.clientIPStrategy]
+      depth = 5
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]

    [entryPoints.http.whitelist]
      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
-      useXForwardedFor = true
-
+      [entryPoints.http.whitelist.IPStrategy]
+        depth = 5
+        excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+          
    [entryPoints.http.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
@ -75,6 +81,7 @@ defaultEntryPoints = ["http", "https"]

    [entryPoints.http.forwardedHeaders]
      trustedIPs = ["10.10.10.1", "10.10.10.2"]
+      insecure = false

  [entryPoints.https]
    # ...
@ -129,7 +136,8 @@ Redirect.Replacement:http://mydomain/$1
 Redirect.Permanent:true
 Compress:true
 WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
-WhiteList.UseXForwardedFor:true
+WhiteList.IPStrategy.depth:3
+WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24
 ProxyProtocol.TrustedIPs:192.168.0.1
 ProxyProtocol.Insecure:true
 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
@ -464,7 +472,9 @@ Responses are compressed when:

 ## White Listing

-To enable IP white listing at the entry point level.
+Træfik supports whitelisting to accept or refuse requests based on the client IP.
+
+The following example enables IP white listing and accepts requests from client IPs defined in `sourceRange`.

 ```toml
 [entryPoints]
@ -473,9 +483,97 @@ To enable IP white listing at the entry point level.

    [entryPoints.http.whiteList]
      sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-      # useXForwardedFor = true
+      # [entryPoints.http.whiteList.IPStrategy]
+      # Override the clientIPStrategy
 ```

+By default, Træfik uses the client IP (see [ClientIPStrategy](/configuration/entrypoints/#clientipstrategy)) for the whitelisting.
+
+If you want to use another IP than the one determined by `ClientIPStrategy` for the whitelisting, you can define the `IPStrategy` option:
+
+```toml
+[entryPoints]
+  [entryPoints.http.clientIPStrategy]
+    depth = 4
+  [entryPoints.http]
+    address = ":80"
+
+    [entryPoints.http.whiteList]
+      sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+      [entryPoints.http.whiteList.IPStrategy]
+      depth = 2
+```
+
+In the above example, if the value of the `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the client IP would be `"10.0.0.1"` (`clientIPStrategy.depth=4`) but the IP used for the whitelisting would be `"12.0.0.1"` (`whitelist.IPStrategy.depth=2`).
+
+## ClientIPStrategy
+
+The `clientIPStrategy` defines how you want Træfik to determine the client IP (used for whitelisting for example).
+
+There are several option available:
+
+### Depth
+
+This option uses the `X-Forwarded-For` header and takes the IP located at the `depth` position (starting from the right).
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    [entryPoints.http.clientIPStrategy]
+```
+ 
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    [entryPoints.http.clientIPStrategy]
+      depth = 5
+```
+
+!!! note
+    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then clientIP will be empty.
+    - If `depth` is lesser than or equal to 0, then the option is ignored.
+
+Examples:
+  
+| `X-Forwarded-For`                       | `depth` | clientIP     |
+|-----------------------------------------|---------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+  
+### Excluded IPs
+
+Træfik will scan the `X-Forwarded-For` header (from the right) and pick the first IP not in the `excludedIPs` list.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    [entryPoints.http.clientIPStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+!!! note
+    If `depth` is specified, `excludedIPs` is ignored.
+   
+Examples:
+
+| `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+|-----------------------------------------|-----------------------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+### Default
+
+If there are no `depth` or `excludedIPs`, then the client IP is the IP of the computer that initiated the connection with the Træfik server (the remote address).
+
 ## ProxyProtocol

 To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
@ -524,4 +622,12 @@ Only IPs in `trustedIPs` will be authorized to trust the client forwarded header
      # Default: []
      #
      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+      
+      # Insecure mode
+      #
+      # Optional
+      # Default: false
+      #
+      # insecure = true
+
 ```