IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support)

2017-04-30 11:22:07 +02:00 · 2017-04-30 11:22:07 +02:00 · 5f0b215e90
commit 5f0b215e90
parent 55f610422a
16 changed files with 731 additions and 14 deletions
--- a/server/server.go
+++ b/server/server.go
@ -716,6 +716,14 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 							negroni.Use(metricsMiddlewareBackend)
 						}
 					}
+					ipWhitelistMiddleware, err := configureIPWhitelistMiddleware(frontend.WhitelistSourceRange)
+					if err != nil {
+						log.Fatalf("Error creating IP Whitelister: %s", err)
+					} else if ipWhitelistMiddleware != nil {
+						negroni.Use(ipWhitelistMiddleware)
+						log.Infof("Configured IP Whitelists: %s", frontend.WhitelistSourceRange)
+					}
+
 					if len(frontend.BasicAuth) > 0 {
 						users := types.Users{}
 						for _, user := range frontend.BasicAuth {
@ -770,6 +778,21 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 	return serverEntryPoints, nil
 }

+func configureIPWhitelistMiddleware(whitelistSourceRanges []string) (negroni.Handler, error) {
+	if len(whitelistSourceRanges) > 0 {
+		ipSourceRanges := whitelistSourceRanges
+		ipWhitelistMiddleware, err := middlewares.NewIPWhitelister(ipSourceRanges)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return ipWhitelistMiddleware, nil
+	}
+
+	return nil, nil
+}
+
 func (server *Server) wireFrontendBackend(serverRoute *serverRoute, handler http.Handler) {
 	// path replace - This needs to always be the very last on the handler chain (first in the order in this function)
 	// -- Replacing Path should happen at the very end of the Modifier chain, after all the Matcher+Modifiers ran
--- a/server/server_test.go
+++ b/server/server_test.go
@ -14,6 +14,8 @@ import (
 	"github.com/containous/traefik/testhelpers"
 	"github.com/containous/traefik/types"
 	"github.com/davecgh/go-spew/spew"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/vulcand/oxy/roundrobin"
 )

@ -242,6 +244,57 @@ func TestServerParseHealthCheckOptions(t *testing.T) {
 	}
 }

+func TestNewServerWithWhitelistSourceRange(t *testing.T) {
+	cases := []struct {
+		desc                 string
+		whitelistStrings     []string
+		middlewareConfigured bool
+		errMessage           string
+	}{
+		{
+			desc:                 "no whitelists configued",
+			whitelistStrings:     nil,
+			middlewareConfigured: false,
+			errMessage:           "",
+		}, {
+			desc: "whitelists configued",
+			whitelistStrings: []string{
+				"1.2.3.4/24",
+				"fe80::/16",
+			},
+			middlewareConfigured: true,
+			errMessage:           "",
+		}, {
+			desc: "invalid whitelists configued",
+			whitelistStrings: []string{
+				"foo",
+			},
+			middlewareConfigured: false,
+			errMessage:           "parsing CIDR whitelist <nil>: invalid CIDR address: foo",
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.desc, func(t *testing.T) {
+			t.Parallel()
+			middleware, err := configureIPWhitelistMiddleware(tc.whitelistStrings)
+
+			if tc.errMessage != "" {
+				require.EqualError(t, err, tc.errMessage)
+			} else {
+				assert.NoError(t, err)
+
+				if tc.middlewareConfigured {
+					require.NotNil(t, middleware, "not expected middleware to be configured")
+				} else {
+					require.Nil(t, middleware, "expected middleware to be configured")
+				}
+			}
+		})
+	}
+}
+
 func TestServerLoadConfigEmptyBasicAuth(t *testing.T) {
 	globalConfig := GlobalConfiguration{
 		EntryPoints: EntryPoints{