porech / caddy-maxmind-geolocation

Caddy v2 module to filter requests based on source IP geolocation

Ability to whitelist IP ranges #11

Closed muety closed 2 years ago

muety commented 2 years ago

Would be cool to exclude certain IP ranges (e.g. 192.168.0.0/16) from the checks. I tried to combine maxmind_geolocation together with remote_ip matcher, but couldn't find a way to OR them as part of the same named matcher.

p-rintz commented 2 years ago

The remote_ip matcher should be working.

I have it working like this:

(GEOFILTER) {
        @geofilter {
                not maxmind_geolocation {
                        db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
                        allow_countries DE
                }
                not remote_ip 10.0.0.0/24
        }
        respond @geofilter 403
}

test.org:443 {
        log
        import GEOFILTER
        file_server * {
                root /var/www
        }
}

m2acgi commented 11 months ago

@p-rintz How to match (remote_ip 10.0.0.0/24) OR (allow_countries DE) ?

p-rintz commented 11 months ago

That would be what I have in my example above.

The example allows the 10.0.0.0/24 range and traffic from Germany.

m2acgi commented 11 months ago

Your example is (not remote_ip 10.0.0.0/24) AND (not allow_countries DE), but I want (remote_ip 10.0.0.0/24) OR (allow_countries DE)

p-rintz commented 11 months ago

Haven't used Caddy in months, so no idea then. Sorry.

dJani97 commented 2 weeks ago

> Your example is (not remote_ip 10.0.0.0/24) AND (not allow_countries DE), but I want (remote_ip 10.0.0.0/24) OR (allow_countries DE)

I think those are the same thing, just phrased differently. Blocking (NOT Germany) AND (NOT local) is the same as allowing Germany or local.

m2acgi commented 5 days ago

@dJani97 Thanks!
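
Added example, not from the thread or the project: a small Go model of the matcher logic discussed above, checking that "403 when (not DE) AND (not in range)" lets through exactly the requests that are in range OR from DE. It assumes Caddy's rule that matcher lines inside one named matcher are ANDed; the `request` type, the helper names, the sample addresses and the country codes are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// request is a constructed stand-in for the two facts the matchers test.
type request struct {
	ip      string // client address, as seen by remote_ip
	country string // ISO code a GeoIP lookup would return (constructed value)
}

var _, localNet, _ = net.ParseCIDR("10.0.0.0/24")

// Constructed sample traffic; addresses and countries are illustrative.
var samples = []request{
	{"10.0.0.5", ""},       // inside the range, no country
	{"10.0.1.5", ""},       // just outside the /24
	{"203.0.113.7", "DE"},  // public address in Germany
	{"198.51.100.9", "FR"}, // public address elsewhere
}

func inRange(r request) bool   { ip := net.ParseIP(r.ip); return ip != nil && localNet.Contains(ip) }
func inGermany(r request) bool { return r.country == "DE" }

// blocked models @geofilter: both `not` lines must match for the 403 to fire.
func blocked(r request) bool { return !inGermany(r) && !inRange(r) }

// allowed is the "(remote_ip) OR (allow_countries DE)" phrasing from the thread.
func allowed(r request) bool { return inRange(r) || inGermany(r) }

// equivalent reports whether blocked is exactly the negation of allowed.
func equivalent() bool {
	for _, r := range samples {
		if blocked(r) == allowed(r) {
			return false
		}
	}
	return true
}

func main() {
	for _, r := range samples {
		fmt.Printf("%-14s %-3s blocked=%-5t allowed=%t\n", r.ip, r.country, blocked(r), allowed(r))
	}
	fmt.Println("equivalent:", equivalent())
}
```

The address 10.0.1.5 is blocked in this model because it falls outside the /24, which is worth checking when the exempted range is meant to cover a wider private network.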