Add rejectStatusCode
option to IPAllowList
middleware
This commit is contained in:
parent
fea94a3393
commit
ccf3a9995a
12 changed files with 108 additions and 12 deletions
|
@ -20,10 +20,11 @@ const (
|
|||
|
||||
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
|
||||
type ipAllowLister struct {
|
||||
next http.Handler
|
||||
allowLister *ip.Checker
|
||||
strategy ip.Strategy
|
||||
name string
|
||||
next http.Handler
|
||||
allowLister *ip.Checker
|
||||
strategy ip.Strategy
|
||||
name string
|
||||
rejectStatusCode int
|
||||
}
|
||||
|
||||
// New builds a new IPAllowLister given a list of CIDR-Strings to allow.
|
||||
|
@ -35,6 +36,14 @@ func New(ctx context.Context, next http.Handler, config dynamic.IPAllowList, nam
|
|||
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
|
||||
}
|
||||
|
||||
rejectStatusCode := config.RejectStatusCode
|
||||
// If RejectStatusCode is not given, default to Forbidden (403).
|
||||
if rejectStatusCode == 0 {
|
||||
rejectStatusCode = http.StatusForbidden
|
||||
} else if http.StatusText(rejectStatusCode) == "" {
|
||||
return nil, fmt.Errorf("invalid HTTP status code %d", rejectStatusCode)
|
||||
}
|
||||
|
||||
checker, err := ip.NewChecker(config.SourceRange)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
|
||||
|
@ -48,10 +57,11 @@ func New(ctx context.Context, next http.Handler, config dynamic.IPAllowList, nam
|
|||
logger.Debug().Msgf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
|
||||
|
||||
return &ipAllowLister{
|
||||
strategy: strategy,
|
||||
allowLister: checker,
|
||||
next: next,
|
||||
name: name,
|
||||
strategy: strategy,
|
||||
allowLister: checker,
|
||||
next: next,
|
||||
name: name,
|
||||
rejectStatusCode: rejectStatusCode,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -69,7 +79,7 @@ func (al *ipAllowLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|||
msg := fmt.Sprintf("Rejecting IP %s: %v", clientIP, err)
|
||||
logger.Debug().Msg(msg)
|
||||
tracing.SetStatusErrorf(req.Context(), msg)
|
||||
reject(ctx, rw)
|
||||
reject(ctx, al.rejectStatusCode, rw)
|
||||
return
|
||||
}
|
||||
logger.Debug().Msgf("Accepting IP %s", clientIP)
|
||||
|
@ -77,9 +87,7 @@ func (al *ipAllowLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|||
al.next.ServeHTTP(rw, req)
|
||||
}
|
||||
|
||||
func reject(ctx context.Context, rw http.ResponseWriter) {
|
||||
statusCode := http.StatusForbidden
|
||||
|
||||
func reject(ctx context.Context, statusCode int, rw http.ResponseWriter) {
|
||||
rw.WriteHeader(statusCode)
|
||||
_, err := rw.Write([]byte(http.StatusText(statusCode)))
|
||||
if err != nil {
|
||||
|
|
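Review bot: The validation added in New (second hunk, `} else if http.StatusText(rejectStatusCode) == "" {`) only checks that the code has a registered status text, so non-error codes such as 200 or 301 are accepted and a blocked request would then be answered with a success or redirect status while reject (last hunk) still writes that status text as the body. Since the option exists to express a rejection, the accepted range should be limited to client/server errors, e.g. `} else if rejectStatusCode < 400 || rejectStatusCode > 599 || http.StatusText(rejectStatusCode) == "" {` with the message `return nil, fmt.Errorf("invalid HTTP status code %d: must be a 4xx or 5xx status", rejectStatusCode)`. The body of New begins before the hunk, so whether the dynamic.IPAllowList config already constrains RejectStatusCode elsewhere cannot be confirmed from this view.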