Ability to use "X-Forwarded-For" as a source of IP for white list.
parent
4802484729
commit
d2766b1b4f
50 changed files with 1496 additions and 599 deletions
|
@ -67,20 +67,23 @@ func (p *Provider) buildConfiguration() *types.Configuration {
|
|||
"getHealthCheckInterval": getFuncString(label.TraefikBackendHealthCheckInterval, ""),
|
||||
|
||||
// Frontend functions
|
||||
"getServiceNames": getServiceNames,
|
||||
"getServiceNameSuffix": getServiceNameSuffix,
|
||||
"getPassHostHeader": getFuncBoolService(label.SuffixFrontendPassHostHeader, label.DefaultPassHostHeaderBool),
|
||||
"getPassTLSCert": getFuncBoolService(label.SuffixFrontendPassTLSCert, label.DefaultPassTLSCert),
|
||||
"getPriority": getFuncIntService(label.SuffixFrontendPriority, label.DefaultFrontendPriorityInt),
|
||||
"getEntryPoints": getFuncSliceStringService(label.SuffixFrontendEntryPoints),
|
||||
"getFrontendRule": p.getFrontendRule,
|
||||
"getFrontendName": p.getFrontendName,
|
||||
"getBasicAuth": getFuncSliceStringService(label.SuffixFrontendAuthBasic),
|
||||
"getServiceNames": getServiceNames,
|
||||
"getServiceNameSuffix": getServiceNameSuffix,
|
||||
"getPassHostHeader": getFuncBoolService(label.SuffixFrontendPassHostHeader, label.DefaultPassHostHeaderBool),
|
||||
"getPassTLSCert": getFuncBoolService(label.SuffixFrontendPassTLSCert, label.DefaultPassTLSCert),
|
||||
"getPriority": getFuncIntService(label.SuffixFrontendPriority, label.DefaultFrontendPriorityInt),
|
||||
"getEntryPoints": getFuncSliceStringService(label.SuffixFrontendEntryPoints),
|
||||
"getFrontendRule": p.getFrontendRule,
|
||||
"getFrontendName": p.getFrontendName,
|
||||
"getBasicAuth": getFuncSliceStringService(label.SuffixFrontendAuthBasic),
|
||||
"getRedirect": getRedirect,
|
||||
"getErrorPages": getErrorPages,
|
||||
"getRateLimit": getRateLimit,
|
||||
"getHeaders": getHeaders,
|
||||
"getWhiteList": getWhiteList,
|
||||
|
||||
// TODO Deprecated [breaking]
|
||||
"getWhitelistSourceRange": getFuncSliceStringService(label.SuffixFrontendWhitelistSourceRange),
|
||||
"getRedirect": getRedirect,
|
||||
"getErrorPages": getErrorPages,
|
||||
"getRateLimit": getRateLimit,
|
||||
"getHeaders": getHeaders,
|
||||
}
|
||||
|
||||
v := url.Values{}
|
||||
|
@ -486,6 +489,20 @@ func (p *Provider) getServers(application marathon.Application, serviceName stri
|
|||
return servers
|
||||
}
|
||||
|
||||
func getWhiteList(application marathon.Application, serviceName string) *types.WhiteList {
|
||||
labels := getLabels(application, serviceName)
|
||||
|
||||
ranges := label.GetSliceStringValue(labels, getLabelName(serviceName, label.SuffixFrontendWhiteListSourceRange))
|
||||
if len(ranges) > 0 {
|
||||
return &types.WhiteList{
|
||||
SourceRange: ranges,
|
||||
UseXForwardedFor: label.GetBoolValue(labels, getLabelName(serviceName, label.SuffixFrontendWhiteListUseXForwardedFor), false),
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func getRedirect(application marathon.Application, serviceName string) *types.Redirect {
|
||||
labels := getLabels(application, serviceName)
|
||||
|
||||
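Review bot: `getWhiteList` has no doc comment, and nothing in this section records what `UseXForwardedFor` means for the trust model. Going by the commit title, setting the label to true makes the source-range check use the `X-Forwarded-For` header instead of the connection's remote address; the middleware that does this is not in this section, so that is inferred. The header is client-supplied unless a trusted proxy in front overwrites it, so the white list is then only as strong as that proxy. I would add `// getWhiteList builds the frontend white list from labels and returns nil when no source range is set, even if UseXForwardedFor is present. UseXForwardedFor makes the check trust X-Forwarded-For; enable it only behind a proxy that sets that header.` Separately, `SuffixFrontendWhitelistSourceRange` (deprecated) and `SuffixFrontendWhiteListSourceRange` differ by one letter's case, so a short comment next to the `// TODO Deprecated [breaking]` entry saying which label feeds which template function would help avoid mix-ups.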
|
|
|
@ -206,7 +206,8 @@ func TestBuildConfigurationNonAPIErrors(t *testing.T) {
|
|||
withLabel(label.TraefikFrontendRedirectReplacement, "nope"),
|
||||
withLabel(label.TraefikFrontendRedirectPermanent, "true"),
|
||||
withLabel(label.TraefikFrontendRule, "Host:traefik.io"),
|
||||
withLabel(label.TraefikFrontendWhitelistSourceRange, "10.10.10.10"),
|
||||
withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
|
||||
withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),
|
||||
|
||||
withLabel(label.TraefikFrontendRequestHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type: application/json; charset=utf-8"),
|
||||
withLabel(label.TraefikFrontendResponseHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type: application/json; charset=utf-8"),
|
||||
|
@ -268,8 +269,9 @@ func TestBuildConfigurationNonAPIErrors(t *testing.T) {
|
|||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
||||
},
|
||||
WhitelistSourceRange: []string{
|
||||
"10.10.10.10",
|
||||
WhiteList: &types.WhiteList{
|
||||
SourceRange: []string{"10.10.10.10"},
|
||||
UseXForwardedFor: true,
|
||||
},
|
||||
Headers: &types.Headers{
|
||||
CustomRequestHeaders: map[string]string{
|
||||
|
@ -498,7 +500,7 @@ func TestBuildConfigurationServicesNonAPIErrors(t *testing.T) {
|
|||
application: application(
|
||||
appPorts(80, 81),
|
||||
|
||||
//withLabel(label.TraefikBackend, "foobar"),
|
||||
// withLabel(label.TraefikBackend, "foobar"),
|
||||
|
||||
withLabel(label.TraefikBackendCircuitBreakerExpression, "NetworkErrorRatio() > 0.5"),
|
||||
withLabel(label.TraefikBackendHealthCheckPath, "/health"),
|
||||
|
@ -530,7 +532,8 @@ func TestBuildConfigurationServicesNonAPIErrors(t *testing.T) {
|
|||
withServiceLabel(label.TraefikFrontendRedirectReplacement, "nope", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendRedirectPermanent, "true", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendRule, "Host:traefik.io", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendWhitelistSourceRange, "10.10.10.10", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true", "containous"),
|
||||
|
||||
withServiceLabel(label.TraefikFrontendRequestHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type: application/json; charset=utf-8", "containous"),
|
||||
withServiceLabel(label.TraefikFrontendResponseHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type: application/json; charset=utf-8", "containous"),
|
||||
|
@ -591,8 +594,9 @@ func TestBuildConfigurationServicesNonAPIErrors(t *testing.T) {
|
|||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
||||
},
|
||||
WhitelistSourceRange: []string{
|
||||
"10.10.10.10",
|
||||
WhiteList: &types.WhiteList{
|
||||
SourceRange: []string{"10.10.10.10"},
|
||||
UseXForwardedFor: true,
|
||||
},
|
||||
Headers: &types.Headers{
|
||||
CustomRequestHeaders: map[string]string{
|
||||
|
@ -1627,6 +1631,107 @@ func TestGetServers(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestWhiteList(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
application marathon.Application
|
||||
serviceName string
|
||||
expected *types.WhiteList
|
||||
}{
|
||||
{
|
||||
desc: "should return nil when no white list labels",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
),
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
desc: "should return a struct when only range",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
|
||||
),
|
||||
expected: &types.WhiteList{
|
||||
SourceRange: []string{
|
||||
"10.10.10.10",
|
||||
},
|
||||
UseXForwardedFor: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "should return a struct when range and UseXForwardedFor",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
|
||||
withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),
|
||||
),
|
||||
expected: &types.WhiteList{
|
||||
SourceRange: []string{
|
||||
"10.10.10.10",
|
||||
},
|
||||
UseXForwardedFor: true,
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "should return nil when only UseXForwardedFor",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),
|
||||
),
|
||||
expected: nil,
|
||||
},
|
||||
// Service
|
||||
{
|
||||
desc: "should return a struct when only range on service",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.Prefix+"containous."+label.SuffixFrontendWhiteListSourceRange, "10.10.10.10"),
|
||||
),
|
||||
serviceName: "containous",
|
||||
expected: &types.WhiteList{
|
||||
SourceRange: []string{
|
||||
"10.10.10.10",
|
||||
},
|
||||
UseXForwardedFor: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "should return a struct when range and UseXForwardedFor on service",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.Prefix+"containous."+label.SuffixFrontendWhiteListSourceRange, "10.10.10.10"),
|
||||
withLabel(label.Prefix+"containous."+label.SuffixFrontendWhiteListUseXForwardedFor, "true"),
|
||||
),
|
||||
serviceName: "containous",
|
||||
expected: &types.WhiteList{
|
||||
SourceRange: []string{
|
||||
"10.10.10.10",
|
||||
},
|
||||
UseXForwardedFor: true,
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "should return nil when only UseXForwardedFor on service",
|
||||
application: application(
|
||||
appPorts(80),
|
||||
withLabel(label.Prefix+"containous."+label.SuffixFrontendWhiteListUseXForwardedFor, "true"),
|
||||
),
|
||||
serviceName: "containous",
|
||||
expected: nil,
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range testCases {
|
||||
test := test
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
actual := getWhiteList(test.application, test.serviceName)
|
||||
assert.Equal(t, test.expected, actual)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetRedirect(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
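Review bot: TestWhiteList never gives the UseXForwardedFor label a malformed value; every case sets it to "true" or leaves it out. Because `getWhiteList` passes `false` as the default to `label.GetBoolValue`, an unparsable value presumably keeps the check on the remote address. That fallback is worth pinning with a case such as `withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "nope")` expecting `UseXForwardedFor: false`, so a later change cannot start trusting the header by accident. As a style point, the service cases build label names by hand with `label.Prefix+"containous."+label.Suffix…`, while the build-configuration tests in this file use `withServiceLabel(…, "containous")`; using the helper here would keep the two in step.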
|
|