api - whitelist IP/network for API
This commit is contained in:
parent
a3cfb50b4d
commit
5ce41edc03
|
@ -5,5 +5,5 @@ init_by_lua_block {
|
|||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
error()
|
||||
end
|
||||
ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
|
||||
ngx.log(ngx.WARN, "[Crowdsec] Initialisation done")
|
||||
}
|
||||
|
|
|
@ -136,7 +136,7 @@ if use_crowdsec then
|
|||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
end
|
||||
if not ok then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
|
||||
ngx.log(ngx.WARN, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -128,4 +128,5 @@ ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
|
|||
USE_CROWDSEC="${USE_CROWDSEC-no}"
|
||||
USE_API="${USE_API-no}"
|
||||
API_URI="${API_URI-random}"
|
||||
API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
SWARM_MODE="${SWARM_MODE-no}"
|
||||
|
|
|
@ -220,7 +220,8 @@ if [ "$USE_API" = "yes" ] ; then
|
|||
API_URI="/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
|
||||
echo "[*] Generated API URI : $API_URI"
|
||||
fi
|
||||
replace_in_file "/etc/nginx/api.conf" "%API_URI%" "$API_URI"
|
||||
list=$(spaces_to_lua "$API_WHITELIST_IP")
|
||||
replace_in_file "/usr/local/lib/lua/api.lua" "%API_WHITELIST_IP%" "$list"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
|
||||
fi
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
local M = {}
|
||||
local api_list = {}
|
||||
local M = {}
|
||||
local api_list = {}
|
||||
local api_whitelist_ip = {%API_WHITELIST_IP%}
|
||||
local whitelist = iputils.parse_cidrs(api_whitelist_ip)
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
api_list["^/ping$"] = function ()
|
||||
return true
|
||||
|
@ -10,7 +13,7 @@ api_list["^/reload$"] = function ()
|
|||
end
|
||||
|
||||
function M.is_api_call (api_uri)
|
||||
if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
|
||||
if iputils.ip_in_cidrs(ip, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
|
||||
for uri, code in pairs(api_list) do
|
||||
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
|
||||
return true
|
||||
|
|
|
@ -2,6 +2,7 @@ local M = {}
|
|||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
|
@ -23,7 +24,6 @@ end
|
|||
|
||||
function M.check_ip ()
|
||||
if #ip_list > 0 then
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ip, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
|
||||
|
|
|
@ -3,6 +3,7 @@ local dns = require "dns"
|
|||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%WHITELIST_IP_LIST%}
|
||||
local reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.ip_cached_ok ()
|
||||
|
@ -23,7 +24,6 @@ end
|
|||
|
||||
function M.check_ip ()
|
||||
if #ip_list > 0 then
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ip, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
|
||||
|
|
Loading…
Reference in New Issue