Open vinodbala opened 5 years ago
Currently the ACLs are only configurable per route. If you would like to control access to the entire project I'd suggest looking into system level firewalling. The idea of allowing a person to "group" rules and apply the same policy is intriguing. Maybe we could leverage consul and/or for something like this in a future feature addition.
Thanks for the prompt response @leprechau. Thanks for considering the idea of enforcing group rules. On the idea of using system level firewalling for all services, wouldn't Fabio still block traffic from a "firewall whitelisted" IP address unless its route for the service was configured with the specific IP?
@vinodbala Yes, if you had route level rules applied and the traffic was allowed to reach Fabio then the route rule would still be applied. My point towards the system firewall was in reference to the "global" rules.
@leprechau Got it. The solution you mention works well for blacklisting IPs. The one I am struggling with is the following. I want to whitelist a group of "admin" IPs for all services along with an individual unique set of whitelisted IPs for each service. Hope that makes sense. Any ideas would be appreciated.
By whitelist do you mean block everyone except the "admin" group? In addition for each service you then want to be even more exclusive?
Example....
System firewall:
$adminIps = { 1.2.3.0/24, 4.5.6.7/32 }
block all tcp in on {80, 443}
allow tcp in on {80, 443} from $adminIps
In Fabio:
route /foo (no restrictions - should only be hit by $adminIps from system rules)
route /bob allow=ip:4.5.6.7/32 (this would only allow 4.5.6.7/32 but not anyone from 1.2.3.0/24 that was allowed in the system rules)
Is that what you are wanting to do?
@leprechau What I want is:
System firewall:
$maliciousIps = { 1.2.3.0/24, 4.5.6.7/32 }
block all tcp in on {80, 443} from $maliciousIps
allow tcp in on {80, 443}
In Fabio:
$adminIps = { 50.1.2.3/24, 75.1.2.3/32 }
route /foo allow IP-A IP-B $adminIPs
route /bar allow IP-C $adminIPs
route /bob IP-D IP-A $adminIPs
Instead of mentioning $adminIPs in each route, can I configure it in one single place?
No, not currently. The ACL option is per route.
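Since the ACL is evaluated per route, one way to keep the admin group in a single place is to generate each route's allow option from it. The script below is an added example, not Fabio's code or anything posted in this thread; it assumes the `allow=ip:<cidr>` form shown above with comma-separated entries, and constructed addresses stand in for IP-A to IP-D.

```python
"""Expand one shared "admin" IP group into every fabio route's per-route
allow option, and evaluate the resulting ACL the way the thread describes it.
Example code, not from the fabio project; the option syntax is assumed."""
import ipaddress


def canonical(cidr):
    """Normalise a CIDR; strict=False tolerates host bits, e.g. 50.1.2.3/24 -> 50.1.2.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def render_allow(route_ips, admin_ips):
    """Allow option for one route: admin group first, then the route's own
    entries, duplicates dropped. An empty list yields no option (allow all)."""
    nets = []
    for cidr in list(admin_ips) + list(route_ips):
        net = canonical(cidr)
        if net not in nets:
            nets.append(net)
    if not nets:
        return ""
    return "allow=" + ",".join(f"ip:{n}" for n in nets)


def expand_routes(routes, admin_ips):
    """routes: {path: [cidr, ...]} -> {path: option string}."""
    return {path: render_allow(ips, admin_ips) for path, ips in routes.items()}


def is_allowed(client_ip, allow_option):
    """Per-route check as described above: no allow option admits everyone,
    otherwise only sources matching a listed ip: entry get through."""
    if not allow_option:
        return True
    addr = ipaddress.ip_address(client_ip)
    entries = allow_option.split("=", 1)[1].split(",")
    nets = [canonical(e[len("ip:"):]) for e in entries if e.startswith("ip:")]
    return any(addr in n for n in nets)


# Constructed sample: the thread's admin group plus per-route IPs
# (10.0.x.y addresses are placeholders for IP-A .. IP-D).
ADMIN_IPS = ["50.1.2.3/24", "75.1.2.3/32"]
ROUTES = {
    "/foo": ["10.0.0.5/32", "10.0.0.6/32"],  # IP-A, IP-B
    "/bar": ["10.0.1.7/32"],                 # IP-C
    "/bob": ["10.0.2.8/32", "10.0.0.5/32"],  # IP-D, IP-A
}

if __name__ == "__main__":
    for path, opt in expand_routes(ROUTES, ADMIN_IPS).items():
        print(f"route {path} {opt}")
```

Regenerating the route options from this single list whenever the admin group changes avoids hand-editing each route; any tooling that writes the options into Consul tags or the route table is left to the deployment.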
@leprechau Understood. Thanks for taking the time. It would be cool to see some form of "group policy" for rules in the future. Appreciate your input here.
Accidentally closed this - will leave it open as it is labelled "enhancement".
Does Fabio include support for common access control rules for (a) all routes and/or (b) a subset of rules?
Use case: I want to allow a specific IP address (say admin traffic) for all my consul services along with the configured IP whitelists per route. I want to avoid configuring the IP address in each route's "allow" option.
Looking forward to your response. Thanks.