ipacl

package
v0.0.0-...-1592e7a
Published: Jun 28, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

README

Package cloudeng.io/webapp/ipacl

import cloudeng.io/webapp/ipacl

Functions

Func IsPrivateIP
func IsPrivateIP(ipStr string) bool

IsPrivateIP checks if the given IP address string is a private IP address. It returns true if the IP address is in a private range (RFC 1918 or RFC 4193) or is a loopback address. It also supports CIDR prefixes.

Func NewHandler
func NewHandler(handler http.Handler, allow, deny Contains, opts ...Option) http.Handler

NewHandler creates a new http.Handler that enforces allow and deny ACLs. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. If the remote IP cannot be determined or parsed then the request is denied. If the request's remote IP address is not allowed by the ACL, a 403 Forbidden response is returned, otherwise the request is passed to the given handler.
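As an added illustration (not the ipacl package's own code), the decision order that NewHandler documents, written over the same Contains signature with the standard-library netip package; newACL and newHandler are stand-in names, and unmapping IPv4-mapped IPv6 remote addresses is an assumption of this example, not something the package states.

```go
package main

import (
	"net/http"
	"net/netip"
)

// Contains mirrors ipacl.Contains: true when ip is in the ACL.
type Contains func(ip netip.Addr) bool
// newACL stands in for NewACL: a bare IP becomes a /32 or /128 prefix.
func newACL(addrs ...string) (Contains, error) {
	var prefixes []netip.Prefix
	for _, a := range addrs {
		p, err := netip.ParsePrefix(a)
		if err != nil {
			ip, ipErr := netip.ParseAddr(a)
			if ipErr != nil {
				return nil, ipErr
			}
			p = netip.PrefixFrom(ip, ip.BitLen())
		}
		prefixes = append(prefixes, p)
	}
	return func(ip netip.Addr) bool {
		for _, p := range prefixes {
			if p.Contains(ip) {
				return true
			}
		}
		return false
	}, nil
}

// newHandler has NewHandler's shape and documented order: an unparseable
// RemoteAddr is denied, deny wins over allow, no ACLs means allow everything.
func newHandler(h http.Handler, allow, deny Contains) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ap, err := netip.ParseAddrPort(r.RemoteAddr)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		ip := ap.Addr().Unmap() // assumption: ::ffff:10.0.0.5 should match 10.0.0.0/8
		if (deny != nil && deny(ip)) || (allow != nil && !allow(ip)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}
```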

Func RemoteAddrExtractor
func RemoteAddrExtractor(r *http.Request) (string, netip.Addr, error)

RemoteAddrExtractor returns the remote IP address from an HTTP request. It is the default AddressExtractor and is suitable for when a server is directly exposed to the internet.

Func XForwardedForExtractor
func XForwardedForExtractor(r *http.Request) (string, netip.Addr, error)

XForwardedForExtractor returns the IP address from the X-Forwarded-For header. It uses the first IP address in the list.

Types

Type ACL
type ACL struct {
	// contains filtered or unexported fields
}

ACL represents an IP address access control list.

Functions
func NewACL(addrs ...string) (*ACL, error)

NewACL creates a new ACL from a list of IP addresses or CIDR prefixes. Each entry in the addrs slice can be either a single IP address or a CIDR prefix. If a single IP address is provided, it is treated as a /32 (for IPv4) or /128 (for IPv6) prefix.

Methods
func (a *ACL) Contains(ip netip.Addr) bool

Contains returns whether the given IP address is allowed by the ACL.

Type AddressExtractor
type AddressExtractor func(r *http.Request) (string, netip.Addr, error)

AddressExtractor represents a function that extracts an IP address from an HTTP request.

Type Config
type Config struct {
	Addresses []string `yaml:"addresses" cmd:"list of ip addresses or cidr prefixes"`
	Direct    bool     `yaml:"direct" cmd:"set to true to use the requests.RemoteAddr"`   // Use the requests.RemoteAddr
	Proxy     bool     `yaml:"proxy" cmd:"set to true to use the X-Forwarded-For header"` // Use the X-Forwarded-For header
}

Config represents an IP address access control list configuration.

Methods
func (c Config) AddressExtractor() (AddressExtractor, error)

AddressExtractor returns the AddressExtractor selected by the configuration's Direct and Proxy fields.

func (c Config) NewACL() (*ACL, error)

NewACL creates a new ACL from the given configuration.

Type Contains
type Contains func(ip netip.Addr) bool

Contains represents a function that returns whether the given IP address is in the ACL.

Type Option
type Option func(o *options)

Option represents an option for NewHandler and NewSkipHandler.

Functions
func WithAddressExtractor(extractor AddressExtractor) Option

WithAddressExtractor returns an Option that sets the AddressExtractor.

func WithCounters(deniedCounter, notAllowedCounter, errorCounter webapp.CounterInc) Option

WithCounters returns an Option that sets three counters:
1. one that is incremented when a request is denied because the IP address is in the deny ACL
2. one that is incremented if the address is not in the allow ACL
3. one that is incremented on error

Type PrivateSubnet
type PrivateSubnet struct {
	// contains filtered or unexported fields
}

PrivateSubnet represents a set of private IP addresses defined by CIDR prefixes.

Functions
func NewPrivateSubnet(addrs ...string) (*PrivateSubnet, error)

NewPrivateSubnet creates a new PrivateSubnet from a list of CIDR prefixes or IP addresses.

Methods
func (ps *PrivateSubnet) Contains(addr string) bool

Contains checks if the given address (which may include an optional port) is contained within the private subnet.

Type SkipHandler
type SkipHandler struct {
	// contains filtered or unexported fields
}

Functions
func NewSkipHandler(allow, deny Contains, opts ...Option) *SkipHandler

NewSkipHandler creates a new SkipHandler that determines whether a request should be skipped based on the allowed and denied ACLs. The deny ACL takes precedence over the allow ACL. If no ACLs are supplied then the handler allows all requests. If the remote IP cannot be determined or parsed then the request is not skipped. A SkipHandler is often used to control/limit logging.

Methods
func (h *SkipHandler) Skip(r *http.Request) bool

Skip returns whether the request should be skipped based on the allowed and denied ACLs. A request is skipped if it is denied or not allowed.
