Documentation ¶
Index ¶
- func IsPrivateIP(ipStr string) bool
- func NewHandler(handler http.Handler, allow, deny Contains, opts ...Option) http.Handler
- func RemoteAddrExtractor(r *http.Request) (string, netip.Addr, error)
- func XForwardedForExtractor(r *http.Request) (string, netip.Addr, error)
- type ACL
- type AddressExtractor
- type Config
- type Contains
- type Option
- type PrivateSubnet
- type SkipHandler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsPrivateIP ¶
IsPrivateIP reports whether the given IP address string is a private address. It returns true if the address is in an RFC 1918 (IPv4) or RFC 4193 (IPv6 unique local) range, or is a loopback address. The string may also be a CIDR prefix.
func NewHandler ¶
NewHandler creates a new http.Handler that enforces the allow and deny ACLs in front of handler. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. If the remote IP cannot be determined or parsed then the request is denied, so the handler fails closed. If the request's remote IP address is not allowed by the ACLs, a 403 Forbidden response is returned; otherwise the request is passed to the given handler.
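The decision order described above (deny wins, an allow ACL must match when one is given, no ACLs means allow all, and an unparseable address is refused) is easy to get subtly wrong, so here is a self-contained Go version of it with the counters that WithCounters describes. This is an added example, not the package's own code: the `contains` function type, `prefixSet`, `aclCounters` and `aclHandler` are this example's names and assumptions, since the page does not show the real Contains or CounterInc signatures, and the client address is taken from RemoteAddr only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"sync/atomic"
)

// contains mirrors the shape of the page's Contains type; the real signature
// is not shown on the page, so this is an assumption.
type contains func(addr netip.Addr) bool

// prefixSet builds a contains from CIDR prefixes or single addresses
// (a bare address becomes a /32 or /128).
func prefixSet(entries ...string) (contains, error) {
	var prefixes []netip.Prefix
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			a, aerr := netip.ParseAddr(e)
			if aerr != nil {
				return nil, fmt.Errorf("acl: %q is neither a CIDR prefix nor an address", e)
			}
			p = netip.PrefixFrom(a, a.BitLen())
		}
		prefixes = append(prefixes, p.Masked())
	}
	return func(addr netip.Addr) bool {
		addr = addr.Unmap() // ::ffff:10.1.2.3 must match 10.0.0.0/8
		for _, p := range prefixes {
			if p.Contains(addr) {
				return true
			}
		}
		return false
	}, nil
}

// aclCounters stands in for the three CounterInc values passed to WithCounters.
type aclCounters struct{ denied, notAllowed, errors int64 }

// aclHandler applies the rules NewHandler documents: a deny match wins, an
// allow ACL (if any) must match, no ACLs means allow all, and a client
// address that cannot be parsed is refused rather than waved through.
func aclHandler(next http.Handler, allow, deny contains, ctr *aclCounters) http.Handler {
	forbid := func(w http.ResponseWriter, n *int64) {
		atomic.AddInt64(n, 1)
		http.Error(w, "forbidden", http.StatusForbidden)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ap, err := netip.ParseAddrPort(r.RemoteAddr)
		if err != nil {
			forbid(w, &ctr.errors) // fail closed
			return
		}
		addr := ap.Addr()
		switch {
		case deny != nil && deny(addr):
			forbid(w, &ctr.denied)
		case allow != nil && !allow(addr):
			forbid(w, &ctr.notAllowed)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// probe sends one request with the given RemoteAddr through h and returns
// the status code.
func probe(h http.Handler, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed policy: allow two private ranges, but deny one subnet and
	// one host that overlap the allow list; deny wins for those.
	allow, _ := prefixSet("10.0.0.0/8", "192.168.1.0/24")
	deny, _ := prefixSet("10.0.0.0/24", "192.168.1.7")
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	var ctr aclCounters
	h := aclHandler(ok, allow, deny, &ctr)
	for _, ra := range []string{"10.1.2.3:1234", "10.0.0.9:1234", "192.168.1.7:80", "[::ffff:10.1.2.3]:80", "8.8.8.8:53", "not-an-address"} {
		fmt.Printf("%-22s -> %d\n", ra, probe(h, ra))
	}
	fmt.Printf("denied=%d notAllowed=%d errors=%d\n", ctr.denied, ctr.notAllowed, ctr.errors)
}
```

Note the Unmap call in the closure: netip.Prefix.Contains never matches an IPv4-mapped IPv6 address against an IPv4 prefix, so without it a client arriving over a dual-stack listener as ::ffff:10.1.2.3 would be treated as outside 10.0.0.0/8.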
func RemoteAddrExtractor ¶
RemoteAddrExtractor returns the remote IP address from an HTTP request's RemoteAddr. It is the default AddressExtractor and is suitable when the server is directly exposed to the internet. Behind a reverse proxy or load balancer, RemoteAddr is the proxy's address, so every client would be evaluated against the ACLs as the proxy.
Types ¶
type ACL ¶
type ACL struct {
// contains filtered or unexported fields
}
ACL represents an IP address access control list.
type AddressExtractor ¶
AddressExtractor represents a function that extracts an IP address from an HTTP request.
type Config ¶
type Config struct {
Addresses []string `yaml:"addresses" cmd:"list of ip addresses or cidr prefixes"`
Direct bool `yaml:"direct" cmd:"set to true to use the requests.RemoteAddr"` // Use the requests.RemoteAddr
Proxy bool `yaml:"proxy" cmd:"set to true to use the X-Forwarded-For header"` // Use the X-Forwarded-For header
}
Config represents an IP address access control list configuration.
func (Config) AddressExtractor ¶
func (c Config) AddressExtractor() (AddressExtractor, error)
AddressExtractor returns the AddressExtractor selected by the configuration: RemoteAddrExtractor when Direct is set and XForwardedForExtractor when Proxy is set, or an error if the configuration does not select a valid extractor.
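The Direct/Proxy choice is the security decision in this package: X-Forwarded-For is an ordinary request header that any client can send, so it is only trustworthy when a proxy you control overwrites it or appends the real peer address. The following added Go example (not the package's code) shows both extractors and what a forged header does under each mode. The `extractor` and `config` types, the `fromRemoteAddr` and `fromForwardedFor` functions, the choice of the right-most X-Forwarded-For entry, and the rule that Direct and Proxy are mutually exclusive are all this example's assumptions; the page does not say which entry XForwardedForExtractor uses or when Config.AddressExtractor returns an error.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// extractor mirrors the shape of the page's AddressExtractor (an assumption).
type extractor func(r *http.Request) (string, netip.Addr, error)

// fromRemoteAddr uses the TCP peer. Directly exposed servers should use this;
// behind a reverse proxy it yields the proxy's address for every client.
func fromRemoteAddr(r *http.Request) (string, netip.Addr, error) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr, netip.Addr{}, err
	}
	return r.RemoteAddr, ap.Addr().Unmap(), nil
}

// fromForwardedFor trusts X-Forwarded-For. Anyone can send that header, so it
// is only safe behind a proxy you control that appends the real peer address.
// This example therefore takes the right-most entry (the one the last, trusted
// hop appended), not the left-most, which is whatever the client wrote.
func fromForwardedFor(r *http.Request) (string, netip.Addr, error) {
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return "", netip.Addr{}, errors.New("acl: no X-Forwarded-For header")
	}
	hops := strings.Split(xff, ",")
	last := strings.TrimSpace(hops[len(hops)-1])
	addr, err := netip.ParseAddr(last)
	if err != nil {
		return last, netip.Addr{}, fmt.Errorf("acl: bad X-Forwarded-For entry %q: %w", last, err)
	}
	return last, addr.Unmap(), nil
}

// config mirrors the page's Config; this selection logic is the example's
// reading of Config.AddressExtractor, not the package's code.
type config struct {
	Direct bool
	Proxy  bool
}

func (c config) extractor() (extractor, error) {
	switch {
	case c.Direct && c.Proxy:
		return nil, errors.New("acl: direct and proxy are mutually exclusive")
	case c.Direct:
		return fromRemoteAddr, nil
	case c.Proxy:
		return fromForwardedFor, nil
	}
	return nil, errors.New("acl: set direct or proxy")
}

// clientIP builds a request with the given peer address and header and
// reports which IP the configured extractor would hand to the ACL.
func clientIP(c config, remoteAddr, xff string) (string, error) {
	ex, err := c.extractor()
	if err != nil {
		return "", err
	}
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	_, addr, err := ex(req)
	if err != nil {
		return "", err
	}
	return addr.String(), nil
}

func main() {
	// Constructed scenario: a client on 203.0.113.9 claims to be 10.0.0.5.
	peer, forged := "203.0.113.9:51000", "10.0.0.5"
	for _, c := range []config{{Direct: true}, {Proxy: true}} {
		ip, err := clientIP(c, peer, forged)
		fmt.Printf("%+v -> %q %v\n", c, ip, err)
	}
	// The same client reaching us through a trusted proxy that appended the
	// real peer address to the header.
	ip, _ := clientIP(config{Proxy: true}, "127.0.0.1:4000", forged+", 203.0.113.9")
	fmt.Println("behind proxy ->", ip)
}
```

With Direct the forged header is ignored; with Proxy on a server that is in fact reachable directly, the ACL would evaluate 10.0.0.5 and a private allow list would admit the attacker. Setting Proxy is therefore only correct when nothing but your proxy can reach the listener.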
type Contains ¶
Contains represents a function that returns whether the given IP address is in the ACL.
type Option ¶
type Option func(o *options)
Option represents an option for NewHandler and NewSkipHandler.
func WithAddressExtractor ¶
func WithAddressExtractor(extractor AddressExtractor) Option
WithAddressExtractor returns an Option that sets the AddressExtractor.
func WithCounters ¶
func WithCounters(deniedCounter, notAllowedCounter, errorCounter webapp.CounterInc) Option
WithCounters returns an Option that sets three Counters:
- one that is incremented when a request is denied because the IP address is in the deny ACL
- one that is incremented if the address is not in the allow ACL
- one that is incremented on error
type PrivateSubnet ¶
type PrivateSubnet struct {
// contains filtered or unexported fields
}
PrivateSubnet represents a set of private IP addresses defined by CIDR prefixes.
func NewPrivateSubnet ¶
func NewPrivateSubnet(addrs ...string) (*PrivateSubnet, error)
NewPrivateSubnet creates a new PrivateSubnet from a list of CIDR prefixes or IP addresses.
func (*PrivateSubnet) Contains ¶
func (ps *PrivateSubnet) Contains(addr string) bool
Contains checks if the given address (which may include an optional port) is contained within the private subnet.
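IsPrivateIP and PrivateSubnet.Contains both have to parse strings that may carry a port or a prefix length, and both can be tripped up by IPv4-mapped IPv6 addresses (::ffff:10.1.2.3), which netip.Prefix.Contains never matches against an IPv4 prefix. The following added Go example (not the package's code) implements both checks over a shared parser that handles those forms; `parseEntry`, `within`, `privateRanges`, `isPrivateIP` and `privateSubnet` are this example's names, and the rule that a CIDR argument counts as private only when it lies entirely inside one private range is this example's choice, since the page does not say how IsPrivateIP treats a prefix.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// privateRanges: RFC 1918 IPv4, RFC 4193 IPv6 unique local, and loopback,
// the three classes IsPrivateIP documents.
var privateRanges = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("::1/128"),
}

// parseEntry accepts "ip", "ip:port", "[v6]:port" or "cidr/len" and returns a
// prefix (a single address becomes /32 or /128). IPv4-mapped IPv6 forms are
// unmapped so that ::ffff:10.1.2.3 behaves like 10.1.2.3.
func parseEntry(s string) (netip.Prefix, error) {
	if strings.Contains(s, "/") {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return netip.Prefix{}, err
		}
		if p.Addr().Is4In6() && p.Bits() >= 96 {
			p = netip.PrefixFrom(p.Addr().Unmap(), p.Bits()-96)
		}
		return p.Masked(), nil
	}
	a, err := netip.ParseAddr(s)
	if err != nil { // perhaps it carries a port
		ap, perr := netip.ParseAddrPort(s)
		if perr != nil {
			return netip.Prefix{}, err
		}
		a = ap.Addr()
	}
	a = a.Unmap()
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// within reports whether p lies entirely inside one of set's prefixes.
func within(p netip.Prefix, set []netip.Prefix) bool {
	for _, q := range set {
		if q.Bits() <= p.Bits() && q.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// isPrivateIP follows IsPrivateIP's contract as the page states it: an
// address, optionally with a port, or a CIDR prefix.
func isPrivateIP(s string) bool {
	p, err := parseEntry(s)
	if err != nil {
		return false
	}
	return within(p, privateRanges)
}

// privateSubnet is the example's counterpart of PrivateSubnet.
type privateSubnet struct{ prefixes []netip.Prefix }

func newPrivateSubnet(entries ...string) (*privateSubnet, error) {
	ps := &privateSubnet{}
	for _, e := range entries {
		p, err := parseEntry(e)
		if err != nil {
			return nil, fmt.Errorf("privateSubnet: %q: %w", e, err)
		}
		ps.prefixes = append(ps.prefixes, p)
	}
	return ps, nil
}

// contains accepts an address with an optional port, as PrivateSubnet.Contains does.
func (ps *privateSubnet) contains(addr string) bool {
	p, err := parseEntry(addr)
	if err != nil {
		return false
	}
	return within(p, ps.prefixes)
}

func main() {
	for _, s := range []string{"10.1.2.3", "10.1.2.3:8080", "[::ffff:192.168.0.1]:443", "172.16.0.0/12", "172.0.0.0/8", "fd12:3456::1", "8.8.8.8", "nonsense"} {
		fmt.Printf("%-28s private=%v\n", s, isPrivateIP(s))
	}
	ps, _ := newPrivateSubnet("10.0.0.0/8", "192.168.1.10")
	fmt.Println(ps.contains("10.2.3.4:9000"), ps.contains("192.168.1.11"))
}
```

The prefix-length comparison in `within` is what makes 172.0.0.0/8 come out as not private while 172.16.0.0/12 does: checking only the network address would accept any prefix that happens to start inside a private range.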
type SkipHandler ¶
type SkipHandler struct {
// contains filtered or unexported fields
}
func NewSkipHandler ¶
func NewSkipHandler(allow, deny Contains, opts ...Option) *SkipHandler
NewSkipHandler creates a new SkipHandler that determines whether a request should be skipped based on the allow and deny ACLs. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. Unlike NewHandler, if the remote IP cannot be determined or parsed then the request is not skipped. A SkipHandler is often used to control or limit logging, for example to leave requests from a monitoring subnet out of an access log.
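The point worth seeing in code is the failure mode: an enforcing handler refuses a request it cannot attribute to an address, while a skip decision that cannot parse the address falls back to not skipping, so the request is still logged. The following added Go example (not the package's code) gates an in-memory access log with that decision; `contains`, `prefixes`, `shouldSkip`, `accessLog` and `logged` are this example's names, and the reading that "allows all" with no ACLs means every request is skipped is this example's assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

// contains mirrors the shape of the page's Contains type (an assumption).
type contains func(netip.Addr) bool

// prefixes builds a contains from CIDR literals; it panics on a bad literal,
// so it is meant for constants like those in main.
func prefixes(cidrs ...string) contains {
	set := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		set = append(set, netip.MustParsePrefix(c))
	}
	return func(a netip.Addr) bool {
		for _, p := range set {
			if p.Contains(a.Unmap()) {
				return true
			}
		}
		return false
	}
}

// shouldSkip is this example's reading of NewSkipHandler: a request is skipped
// when its address is not denied and, if an allow ACL is given, is allowed;
// with no ACLs everything is skipped. An address that cannot be parsed is
// never skipped, so the request falls through to normal handling (here, it
// gets logged).
func shouldSkip(remoteAddr string, allow, deny contains) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false
	}
	addr := ap.Addr()
	if deny != nil && deny(addr) {
		return false
	}
	if allow != nil && !allow(addr) {
		return false
	}
	return true
}

// accessLog wraps next and records one line per request unless the skip
// decision says the source is not worth logging (for example a health
// checker that polls every few seconds).
func accessLog(next http.Handler, lines *[]string, allow, deny contains) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !shouldSkip(r.RemoteAddr, allow, deny) {
			*lines = append(*lines, fmt.Sprintf("%s %s %s", r.RemoteAddr, r.Method, r.URL.Path))
		}
		next.ServeHTTP(w, r)
	})
}

// logged reports whether one request from remoteAddr produces a log line.
func logged(remoteAddr string, allow, deny contains) bool {
	var lines []string
	h := accessLog(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), &lines, allow, deny)
	req := httptest.NewRequest(http.MethodGet, "/healthz", nil)
	req.RemoteAddr = remoteAddr
	h.ServeHTTP(httptest.NewRecorder(), req)
	return len(lines) == 1
}

func main() {
	// Constructed policy: do not log the monitoring subnet, except one host
	// whose traffic is under investigation (deny wins over allow).
	monitoring := prefixes("10.0.0.0/24")
	underInvestigation := prefixes("10.0.0.9/32")
	for _, ra := range []string{"10.0.0.5:40000", "10.0.0.9:40000", "203.0.113.8:1", "garbage"} {
		fmt.Printf("%-16s logged=%v\n", ra, logged(ra, monitoring, underInvestigation))
	}
}
```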