ipacl

package
v0.0.0-...-f1e70b3 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 25, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

README

Package cloudeng.io/webapp/ipacl

import "cloudeng.io/webapp/ipacl"

Functions

Func NewHandler
func NewHandler(handler http.Handler, allow, deny Contains, opts ...Option) http.Handler

NewHandler creates a new http.Handler that enforces allow and deny ACLs. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. If the remote IP cannot be determined or parsed then the request is denied. If the request's remote IP address is not allowed by the ACL, a 403 Forbidden response is returned, otherwise the request is passed to the given handler.

Func RemoteAddrExtractor
func RemoteAddrExtractor(r *http.Request) (string, netip.Addr, error)

RemoteAddrExtractor returns the remote IP address from an HTTP request. It is the default AddressExtractor and is suitable for when a server is directly exposed to the internet.

Func XForwardedForExtractor
func XForwardedForExtractor(r *http.Request) (string, netip.Addr, error)

XForwardedForExtractor returns the IP address from the X-Forwarded-For header. It uses the first IP address in the list.

Types

Type ACL
type ACL struct {
	// contains filtered or unexported fields
}

ACL represents an IP address access control list.

Functions
func NewACL(addrs ...string) (*ACL, error)

NewACL creates a new ACL from a list of IP addresses or CIDR prefixes. Each entry in the addrs slice can be either a single IP address or a CIDR prefix. If a single IP address is provided, it is treated as a /32 (for IPv4) or /128 (for IPv6) prefix.

Methods
func (a *ACL) Contains(ip netip.Addr) bool

Contains returns whether the given IP address is allowed by the ACL.

Type AddressExtractor
type AddressExtractor func(r *http.Request) (string, netip.Addr, error)

AddressExtractor represents a function that extracts an IP address from an HTTP request.

Type Config
type Config struct {
	Addresses []string `yaml:"addresses" cmd:"list of ip addresses or cidr prefixes"`
	Direct    bool     `yaml:"direct" cmd:"set to true to use the requests.RemoteAddr"`   // Use the requests.RemoteAddr
	Proxy     bool     `yaml:"proxy" cmd:"set to true to use the X-Forwarded-For header"` // Use the X-Forwarded-For header
}

Config represents an IP address access control list configuration.

Methods
func (c Config) AddressExtractor() (AddressExtractor, error)

AddressExtractor returns the AddressExtractor selected by the configuration.

func (c Config) NewACL() (*ACL, error)

NewACL creates a new ACL from the given configuration.

Type Contains
type Contains func(ip netip.Addr) bool

Contains represents a function that returns whether the given IP address is in the ACL.

Type Option
type Option func(o *options)

Option represents an option for NewHandler.

Functions
func WithAddressExtractor(extractor AddressExtractor) Option

WithAddressExtractor returns an Option that sets the AddressExtractor.

func WithCounters(deniedCounter, notAllowedCounter, errorCounter webapp.CounterInc) Option

WithCounters returns an Option that sets three Counters:
1. one that is incremented when a request is denied because the IP address is in the deny ACL
2. one that is incremented if the address is not in the allow ACL
3. one that is incremented on error

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func NewHandler

func NewHandler(handler http.Handler, allow, deny Contains, opts ...Option) http.Handler

NewHandler creates a new http.Handler that enforces allow and deny ACLs. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. If the remote IP cannot be determined or parsed then the request is denied. If the request's remote IP address is not allowed by the ACL, a 403 Forbidden response is returned, otherwise the request is passed to the given handler.

func RemoteAddrExtractor

func RemoteAddrExtractor(r *http.Request) (string, netip.Addr, error)

RemoteAddrExtractor returns the remote IP address from an HTTP request. It is the default AddressExtractor and is suitable for when a server is directly exposed to the internet.

func XForwardedForExtractor

func XForwardedForExtractor(r *http.Request) (string, netip.Addr, error)

XForwardedForExtractor returns the IP address from the X-Forwarded-For header. It uses the first IP address in the list.
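The decision order documented for NewHandler and the difference between the two extractors, as an added standard-library sketch (not the package's own code; every name in it is hypothetical). It assumes a nil ACL imposes no restriction, and it shows that the same request can be judged differently depending on the extractor, so header-based extraction only fits deployments where a trusted proxy sets X-Forwarded-For itself.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// Hypothetical stand-ins for the documented semantics; not ipacl's own code.
type contains func(netip.Addr) bool
type extractor func(*http.Request) (netip.Addr, error)

func inPrefix(cidr string) contains {
	return netip.MustParsePrefix(cidr).Contains
}

func fromRemoteAddr(r *http.Request) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	return ap.Addr(), err
}

func fromFirstXFF(r *http.Request) (netip.Addr, error) {
	first, _, _ := strings.Cut(r.Header.Get("X-Forwarded-For"), ",")
	return netip.ParseAddr(strings.TrimSpace(first))
}

// status replays one constructed request: extraction error, then deny, then allow.
func status(allow, deny contains, ex extractor, remote, xff string) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, err := ex(r)
		if err != nil || (deny != nil && deny(ip)) || (allow != nil && !allow(ip)) {
			w.WriteHeader(http.StatusForbidden)
		}
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remote
	req.Header.Set("X-Forwarded-For", xff)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	allow, deny, xff := inPrefix("10.0.0.0/8"), inPrefix("10.9.0.0/16"), "10.1.2.3, 203.0.113.7"
	fmt.Println(status(allow, deny, fromRemoteAddr, "10.9.0.1:4000", ""))     // 403: deny wins
	fmt.Println(status(allow, deny, fromRemoteAddr, "203.0.113.7:4000", xff)) // 403
	fmt.Println(status(allow, deny, fromFirstXFF, "203.0.113.7:4000", xff))   // 200
}
```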

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

ACL represents an IP address access control list.

func NewACL

func NewACL(addrs ...string) (*ACL, error)

NewACL creates a new ACL from a list of IP addresses or CIDR prefixes. Each entry in the addrs slice can be either a single IP address or a CIDR prefix. If a single IP address is provided, it is treated as a /32 (for IPv4) or /128 (for IPv6) prefix.

func (*ACL) Contains

func (a *ACL) Contains(ip netip.Addr) bool

Contains returns whether the given IP address is allowed by the ACL.

type AddressExtractor

type AddressExtractor func(r *http.Request) (string, netip.Addr, error)

AddressExtractor represents a function that extracts an IP address from an HTTP request.

type Config

type Config struct {
	Addresses []string `yaml:"addresses" cmd:"list of ip addresses or cidr prefixes"`
	Direct    bool     `yaml:"direct" cmd:"set to true to use the requests.RemoteAddr"`   // Use the requests.RemoteAddr
	Proxy     bool     `yaml:"proxy" cmd:"set to true to use the X-Forwarded-For header"` // Use the X-Forwarded-For header
}

Config represents an IP address access control list configuration.

func (Config) AddressExtractor

func (c Config) AddressExtractor() (AddressExtractor, error)

AddressExtractor returns the AddressExtractor selected by the configuration.

func (Config) NewACL

func (c Config) NewACL() (*ACL, error)

NewACL creates a new ACL from the given configuration.

type Contains

type Contains func(ip netip.Addr) bool

Contains represents a function that returns whether the given IP address is in the ACL.

type Option

type Option func(o *options)

Option represents an option for NewHandler.

func WithAddressExtractor

func WithAddressExtractor(extractor AddressExtractor) Option

WithAddressExtractor returns an Option that sets the AddressExtractor.

func WithCounters

func WithCounters(deniedCounter, notAllowedCounter, errorCounter webapp.CounterInc) Option

WithCounters returns an Option that sets three Counters:
1. one that is incremented when a request is denied because the IP address is in the deny ACL
2. one that is incremented if the address is not in the allow ACL
3. one that is incremented on error
