buchgr / bazel-remote

A remote cache for Bazel
https://bazel.build
Apache License 2.0

feature request: IP based access controls #437

Open timmyhu opened 3 years ago

timmyhu commented 3 years ago

At present, although it has HTTP password/TLS authentication, it lacks an IP blacklist/whitelist function. For example, for the upload scenario, we want to control it on the server side: only the CI/CD integrated environment can upload, but the dev environment can only read from the cache, and uploading is not allowed.

mostynb commented 3 years ago

Hi,

One way that you can achieve this is to set up an HTTP reverse proxy which only allows GET and HEAD requests, and use firewall rules to allow your CI machines to talk directly to bazel-remote while redirecting other clients to the proxy. One benefit of this setup is that it's easy to update the firewall rules without restarting bazel-remote.

Here's an example of a simple reverse http proxy written in Go that you could modify to do this (check the request method, only call proxy.ServeHTTP for GET or HEAD and write an unauthorized error for anything else): https://www.integralist.co.uk/posts/golang-reverse-proxy/#simple
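
A minimal version of that read-only proxy, as an added example and not code from the linked post or from bazel-remote itself: it forwards GET and HEAD to the cache and rejects any other method with 405 Method Not Allowed (an assumption; a 401 or 403 would serve equally well). The backend address and listen port are assumed placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// allowedMethods lists the only methods that are forwarded to the cache.
// Uploads (PUT/POST) are deliberately absent so non-CI clients can only read.
var allowedMethods = map[string]bool{
	http.MethodGet:  true,
	http.MethodHead: true,
}

// NewReadOnlyProxy wraps a single-host reverse proxy to backend with a
// method check. Requests using a non-allowed method never reach the cache.
func NewReadOnlyProxy(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "uploads are not permitted through this proxy",
				http.StatusMethodNotAllowed)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed address of the bazel-remote instance behind the proxy.
	backend, err := url.Parse("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	// Assumed listen port for the read-only proxy that dev clients use.
	log.Fatal(http.ListenAndServe(":8081", NewReadOnlyProxy(backend)))
}
```

Point dev-environment Bazel clients at the proxy port and let only CI hosts reach the cache port directly via your firewall rules.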

timmyhu commented 3 years ago

Hi mostynb,

Sincere thanks for mostynb's advice; it is a good point, but I think it would be more valuable if an IP blacklist/whitelist were provided, for the following reasons:

  1. In order to be highly available, at least two processes are needed, so adding a proxy server will increase machine cost, and also the complexity and cost of operation and maintenance.
  2. There will be some performance loss if we add an extra network hop.

So if cost performance is taken into account, an IP whitelist may indeed help us.

thanks!!