docker-flow / docker-flow-proxy

Docker Flow Proxy
https://docker-flow.github.io/docker-flow-proxy/
MIT License

Feature: Add restriction of client src IPs #84

Closed aisbergg closed 2 years ago

aisbergg commented 5 years ago

A nice feature would be the possibility to restrict the access to certain services (e.g. admin interfaces) to certain client src IPs. I would like to restrict some administration services to only be available when accessed by a local IP.

So using labels on the specific containers like:

services:
  phpmyadmin:
    ...
    deploy:
      labels:
        # restrict access from clients via IP
        - com.df.allowedSrc=10.0.0.0/16 172.16.0.0/12
        # restrict access from clients via port
        - com.df.allowedSrcPort=0:1023

should result in a haproxy.cfg like:

acl allowedSrc_global_phpmyadmin8080_0 src 10.0.0.0/16 172.16.0.0/12
acl allowedSrcPort_global_phpmyadmin8080_0 src_port 0:1023
use_backend global_phpmyadmin-be8080_0 if ... allowedSrc_global_phpmyadmin8080_0 allowedSrcPort_global_phpmyadmin8080_0
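As an added illustration (not code from docker-flow-proxy), the Go sketch below shows how the two proposed labels could be validated and rendered into the acl lines above; the function names and the backend/port/index arguments are assumptions, and the CIDR and port-range checks are there so a mistyped label is rejected instead of ending up in a haproxy.cfg HAProxy cannot load.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Added example, not docker-flow-proxy code. parseRestriction validates the two
// label values proposed in this issue before anything reaches haproxy.cfg, so a
// typo fails loudly instead of producing a config HAProxy refuses to load.
func parseRestriction(labels map[string]string) (nets []string, ports string, err error) {
	for _, cidr := range strings.Fields(labels["com.df.allowedSrc"]) {
		if _, _, err := net.ParseCIDR(cidr); err != nil {
			return nil, "", fmt.Errorf("com.df.allowedSrc: %q is not a CIDR: %v", cidr, err)
		}
		nets = append(nets, cidr)
	}
	if p := labels["com.df.allowedSrcPort"]; p != "" {
		parts := strings.SplitN(p, ":", 2)
		if len(parts) != 2 {
			return nil, "", fmt.Errorf("com.df.allowedSrcPort: %q is not low:high", p)
		}
		lo, errLo := strconv.Atoi(parts[0])
		hi, errHi := strconv.Atoi(parts[1])
		if errLo != nil || errHi != nil || lo < 0 || hi > 65535 || lo > hi {
			return nil, "", fmt.Errorf("com.df.allowedSrcPort: %q is not a valid port range", p)
		}
		ports = p
	}
	return nets, ports, nil
}

// renderACLs emits the acl lines and the condition to append to use_backend,
// following the name scheme from the issue: allowedSrc_<backend><port>_<index>.
func renderACLs(backend string, port, index int, nets []string, ports string) ([]string, string) {
	var acls, names []string
	if len(nets) > 0 {
		n := fmt.Sprintf("allowedSrc_%s%d_%d", backend, port, index)
		acls = append(acls, fmt.Sprintf("acl %s src %s", n, strings.Join(nets, " ")))
		names = append(names, n)
	}
	if ports != "" {
		n := fmt.Sprintf("allowedSrcPort_%s%d_%d", backend, port, index)
		acls = append(acls, fmt.Sprintf("acl %s src_port %s", n, ports))
		names = append(names, n)
	}
	return acls, strings.Join(names, " ")
}
```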

thomasjpfan commented 5 years ago

This feature is not too difficult to add. If you want to give this a try, I suggest starting with com.df.allowedSrc first.

aisbergg commented 5 years ago

I know these two extra variables would be rather simple to implement. In addition to adding the code, a new test must be written. I don't have experience with Golang, so it would take me a while and the solution wouldn't be as clean as I would prefer.

remy-tiitre commented 5 years ago

Just a side note: you have to publish your Docker Flow Proxy to a host port if you want to see the real source IP. When you use Docker's ingress network you will lose the source IP and see the ingress IP instead.

vfarcic commented 5 years ago

This project needs adoption. I moved to Kubernetes and cannot dedicate time to this project anymore. Similarly, involvement from other contributors dropped as well. Please consider contributing yourself if you think this project is useful.

lle0x commented 2 years ago

Dear @aisbergg

If this issue is still relevant, please feel free to leave a comment here.