CIDR support with whitelist/blacklist IP

2021-04-09 14:10:17 +02:00 · 2021-04-09 14:10:17 +02:00 · e190167bfc
parent 31e72dce1c
commit e190167bfc
5 changed files with 22 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-<p align="center">
+bla<p align="center">
 	<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/logo.png?raw=true" width="425" />
 </p>

@ -1173,10 +1173,10 @@ Context : *global*, *multisite*
 If set to *yes*, lets you define custom IP addresses to be whitelisted through the `WHITELIST_IP_LIST` environment variable.

 `WHITELIST_IP_LIST`  
-Values : *\<list of IP addresses separated with spaces\>*  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
 Default value : *23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8*  
 Context : *global*  
-The list of IP addresses to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).
+The list of IP addresses and/or network CIDR blocks to whitelist when `USE_WHITELIST_IP` is set to *yes*. The default list contains IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/).

 `USE_WHITELIST_REVERSE`  
 Values : *yes* | *no*  
@ -1211,10 +1211,10 @@ Context : *global*, *multisite*
 If set to *yes*, lets you define custom IP addresses to be blacklisted through the `BLACKLIST_IP_LIST` environment variable.

 `BLACKLIST_IP_LIST`  
-Values : *\<list of IP addresses separated with spaces\>*  
+Values : *\<list of IP addresses and/or network CIDR blocks separated with spaces\>*  
 Default value :  
 Context : *global*  
-The list of IP addresses to blacklist when `USE_BLACKLIST_IP` is set to *yes*.
+The list of IP addresses and/or network CIDR blocks to blacklist when `USE_BLACKLIST_IP` is set to *yes*.

 `USE_BLACKLIST_REVERSE`  
 Values : *yes* | *no*  
--- a/compile.sh
+++ b/compile.sh
@ -137,6 +137,9 @@ sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowd
 sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 cd /tmp
 git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
+cd /tmp
+git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
+make LUA_LIB_DIR=/usr/local/lib/lua install
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1

--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -353,9 +353,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 			FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 		else
 			FIRST_SERVER_NAME="$first_server"
-			if [ "$EMAIL_LETS_ENCRYPT" == "" ] ; then
-				EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
-			fi
+			EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$first_server}"
 			echo -n "$EMAIL_LETS_ENCRYPT" > ${NGINX_PREFIX}email-lets-encrypt.txt
 		fi
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@ -1,5 +1,6 @@
 local M			= {}
 local dns		= require "dns"
+local iputils		= require "resty.iputils"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr
@ -21,12 +22,11 @@ function M.reverse_cached ()
 end

 function M.check_ip ()
-	for k, v in ipairs(ip_list) do
-		if v == ip then
-			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
-			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
-			return true
-		end
+	local blacklist = iputils.parse_cidrs(ip_list)
+	if iputils.ip_in_cidrs(ip, blacklist) then
+		ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
+		ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
+		return true
 	end
 	ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
 	return false
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@ -1,5 +1,6 @@
 local M			= {}
 local dns		= require "dns"
+local iputils		= require "resty.iputils"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr
@ -21,13 +22,12 @@ function M.reverse_cached ()
 end

 function M.check_ip ()
-	for k, v in ipairs(ip_list) do
-		if v == ip then
-			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
-			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
-			return true
-		end
-	end
+	local whitelist = iputils.parse_cidrs(ip_list)
+	if iputils.ip_in_cidrs(ip, whitelist) then
+		ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
+		ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
+		return true
+	end 
 	ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
 	return false
 end