diennea / carapaceproxy

A Distributed Java Reverse Proxy
Apache License 2.0

Introduce Access control list based on IP address #441

Open hamadodene opened 1 year ago

hamadodene commented 1 year ago

The idea is to introduce ACLs in Carapace based on the client's IP address. I would propose the following logic:

1- Listener level ACL
2- Global ACLs

Listener-level ACLs: For a specific listener, it should be possible to specify allow and deny IPs. Something like:

listener.1.allow=127.0.0.1, 192.168.10.0/24
listener.1.deny=127.0.0.2,192.167.10.0/24

Global ACLs

carapace.acl.allow=127.0.0.1, 192.168.10.0/24
carapace.acl.deny=127.0.0.2,192.167.10.0/24

1- If allow is not specified at listener level, then check if globally they are specified. If yes, check if the IP is enabled.
2- If instead it is specified in the listener, only the configured IPs are taken into consideration.
3- If nothing is specified, everyone passes.
4- If deny is specified in the listener, the corresponding IPs are blocked. Otherwise, it checks the global config. If nothing is specified, nothing blocks.
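
A sketch of the evaluation order proposed in the issue above, added here as an example; it is not Carapace code and not from the issue author. The class and method names are hypothetical, empty lists stand for "not specified", and it assumes a deny match wins when an address is on both lists, which the proposal leaves open.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.util.List;

public class AclSketch {  // hypothetical name, not a Carapace class
    // True if ip equals the entry ("a.b.c.d") or lies inside it ("a.b.c.d/len").
    // Entries must be IP literals; a hostname here would trigger a DNS lookup.
    static boolean matches(String entry, InetAddress ip) throws Exception {
        String[] parts = entry.trim().split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] addr = ip.getAddress();
        if (net.length != addr.length) return false;       // IPv4 entry vs IPv6 client
        int bits = net.length * 8;
        int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : bits;
        if (prefix < 0 || prefix > bits) throw new IllegalArgumentException(entry);
        int shift = bits - prefix;                          // host bits to discard
        return new BigInteger(1, net).shiftRight(shift)
                .equals(new BigInteger(1, addr).shiftRight(shift));
    }
    static boolean anyMatch(List<String> entries, InetAddress ip) throws Exception {
        for (String e : entries) if (matches(e, ip)) return true;
        return false;
    }

    // An empty list means "not specified". A listener list replaces the global one.
    static boolean permitted(String client, List<String> lAllow, List<String> lDeny,
                             List<String> gAllow, List<String> gDeny) throws Exception {
        InetAddress ip = InetAddress.getByName(client);
        List<String> allow = lAllow.isEmpty() ? gAllow : lAllow;
        List<String> deny = lDeny.isEmpty() ? gDeny : lDeny;
        if (anyMatch(deny, ip)) return false;               // assumption: deny wins
        return allow.isEmpty() || anyMatch(allow, ip);      // no allow list: everyone passes
    }

    public static void main(String[] args) throws Exception {
        List<String> none = List.of();
        List<String> gAllow = List.of("127.0.0.1", "192.168.10.0/24");  // values from the issue
        List<String> gDeny = List.of("127.0.0.2", "192.167.10.0/24");
        List<String> lAllow = List.of("10.0.0.0/8");                     // constructed sample
        // Global lists only, then the same client with a listener allow list.
        System.out.println(permitted("10.0.0.5", none, none, gAllow, gDeny));
        System.out.println(permitted("10.0.0.5", lAllow, none, gAllow, gDeny));
        // A globally allowed client is checked against the listener allow list only.
        System.out.println(permitted("192.168.10.7", lAllow, none, gAllow, gDeny));
        // Nothing specified anywhere.
        System.out.println(permitted("203.0.113.9", none, none, none, none));
    }
}
```

With the sample values from the issue, every deny entry already falls outside the allow list, so the deny list only changes the outcome when it overlaps an allowed range or when no allow list is in effect.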