api - whitelist IP/network for API

2021-04-26 22:22:34 +02:00 · 2021-04-26 22:22:34 +02:00 · 5ce41edc03
parent a3cfb50b4d
commit 5ce41edc03
7 changed files with 13 additions and 8 deletions
--- a/confs/global/crowdsec.conf
+++ b/confs/global/crowdsec.conf
@ -5,5 +5,5 @@ init_by_lua_block {
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 		error()
 	end
-	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+	ngx.log(ngx.WARN, "[Crowdsec] Initialisation done")
 }
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@ -136,7 +136,7 @@ if use_crowdsec then
 		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 	end
 	if not ok then
-		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.log(ngx.WARN, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -128,4 +128,5 @@ ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 USE_CROWDSEC="${USE_CROWDSEC-no}"
 USE_API="${USE_API-no}"
 API_URI="${API_URI-random}"
+API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 SWARM_MODE="${SWARM_MODE-no}"
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -220,7 +220,8 @@ if [ "$USE_API" = "yes" ] ; then
 		API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
 		echo "[*] Generated API URI : $API_URI"
 	fi
-	replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
+	list=$(spaces_to_lua "$API_WHITELIST_IP")
+	replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list"
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
 fi
--- a/lua/api.lua
+++ b/lua/api.lua
@ -1,5 +1,8 @@
-local M		= {}
-local api_list	= {}
+local M			= {}
+local api_list		= {}
+local api_whitelist_ip	= {%API_WHITELIST_IP%}
+local whitelist		= iputils.parse_cidrs(api_whitelist_ip)
+local ip		= ngx.var.remote_addr

 api_list["^/ping$"] = function ()
 	return true
@ -10,7 +13,7 @@ api_list["^/reload$"] = function ()
 end

 function M.is_api_call (api_uri)
-	if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
+	if iputils.ip_in_cidrs(ip, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
 		for uri, code in pairs(api_list) do
 			if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 				return true
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@ -2,6 +2,7 @@ local M			= {}
 local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
+local blacklist		= iputils.parse_cidrs(ip_list)
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr

@ -23,7 +24,6 @@ end

 function M.check_ip ()
 	if #ip_list > 0 then
-		local blacklist = iputils.parse_cidrs(ip_list)
 		if iputils.ip_in_cidrs(ip, blacklist) then
 			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
 			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@ -3,6 +3,7 @@ local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
+local whitelist		= iputils.parse_cidrs(ip_list)
 local ip		= ngx.var.remote_addr

 function M.ip_cached_ok ()
@ -23,7 +24,6 @@ end

 function M.check_ip ()
 	if #ip_list > 0 then
-		local whitelist = iputils.parse_cidrs(ip_list)
 		if iputils.ip_in_cidrs(ip, whitelist) then
 			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
 			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")