zuavra / nginx-ip-whitelister

Backend for ngx_http_auth_request_module that whitelists remote IP address if a key is presented in URL.
MIT License
47 stars 3 forks source link

Disable /approve functionality #32

Open kalipso-cyber opened 3 months ago

kalipso-cyber commented 3 months ago

Hey,

love the project and thank you for the detailed documentation!

Regarding this:

You can also use /approve to always unconditionally pass the check, and /reject to always unconditionally fail the check (for integration tests).

I've just checked and it seems that this always works. Is there an option to somehow disable this behaviour? Otherwise it becomes fairly trivial for anyone to circumvent the whitelist, which adds a major pain point to the otherwise - for my usecase - bearable consequences of using IP-based authentication.

EDIT: Forgot to mention that in general, the whitelister is working marvelously! Very easy to set up, very functional, nicely documented - again, thank you very much. I'm really loving this!

zuavra commented 3 months ago

You're welcome, glad to hear!

The /approve and /reject endpoints can only be used by you, if you decide to put them in your Nginx config instead of /verify. They can't be used by someone accessing your main service because they can't change your Nginx config.

If your visitors can access /approve and /reject it's not a problem because they are read-only endpoints that always say true or false. However make sure they can't access /admin/whitelist and /admin/delete. Ideally none of the validator endpoints should be reachable by regular visitors, only Nginx should be able to reach them.

kalipso-cyber commented 2 months ago

Oh ok, thanks for clarifying. I'll verify that it works as expected then and report back if I notice anything odd!