kalipso-cyber opened 3 months ago
You're welcome, glad to hear!
The /approve and /reject endpoints can only be used by you, if you decide to put them in your Nginx config instead of /verify. They can't be used by someone accessing your main service because they can't change your Nginx config.
If your visitors can access /approve and /reject it's not a problem because they are read-only endpoints that always say true or false. However, make sure they can't access /admin/whitelist and /admin/delete. Ideally none of the validator endpoints should be reachable by regular visitors; only Nginx should be able to reach them.
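The layout described in the reply above, as an added example config that is not part of the project's own documentation: Nginx calls the validator's /verify through auth_request, the validator is only reachable from the Nginx host, and visitors get no route to any validator endpoint. The ports (validator on 127.0.0.1:8080, protected app on 127.0.0.1:3000), the /_validate location name and the host name are assumptions for illustration.

```nginx
# Added example, not the project's own config. Assumed: the validator listens
# on 127.0.0.1:8080 and the protected application on 127.0.0.1:3000, both
# bound to loopback so nothing outside this host can talk to them directly.
upstream validator { server 127.0.0.1:8080; }
upstream app       { server 127.0.0.1:3000; }

server {
    listen 443 ssl;
    server_name example.com;          # assumed host name
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Subrequest target for auth_request. "internal" makes Nginx answer 404
    # to any client that requests /_validate directly, so visitors can never
    # reach the validator through this location; only Nginx's subrequest can.
    location = /_validate {
        internal;
        proxy_pass http://validator/verify;
        proxy_pass_request_body off;            # verdict depends on the client IP, not the body
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr; # the address the validator whitelists on
        proxy_set_header X-Original-URI $request_uri;
    }

    # Everything the public can reach is gated by the validator's verdict:
    # a 2xx from /verify lets the request through, 401/403 blocks it.
    location / {
        auth_request /_validate;
        error_page 401 403 = @denied;
        proxy_pass http://app;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location @denied { return 403; }
}
```

Note that nothing in this vhost proxies /admin/whitelist or /admin/delete, and the validator itself is bound to loopback, which is what keeps the admin endpoints unreachable by regular visitors; if the validator were instead bound to a public interface, a firewall rule restricting its port to the Nginx host would be needed as well. Two quick checks after deploying: a request for https://example.com/_validate from a browser should return 404 (the internal marker working), and a connection to port 8080 from any host other than the Nginx machine should be refused.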
Oh ok, thanks for clarifying. I'll verify that it works as expected then and report back if I notice anything odd!
Hey,
love the project and thank you for the detailed documentation!
Regarding this:
I've just checked and it seems that this always works. Is there an option to somehow disable this behaviour? Otherwise it becomes fairly trivial for anyone to circumvent the whitelist, which adds a major pain point to the otherwise - for my use case - bearable consequences of using IP-based authentication.
EDIT: Forgot to mention that in general, the whitelister is working marvelously! Very easy to set up, very functional, nicely documented - again, thank you very much. I'm really loving this!