This repository has been archived by the owner on Apr 14, 2024. It is now read-only.

Enable client_ip (ACL) support for Handles #60

Closed
Monviech opened this issue Dec 23, 2023 · 0 comments · Fixed by #62

Monviech commented Dec 23, 2023

Example use case:

  • You have a handle and you want to limit access to certain IP ranges, for example private IP ranges. If your OPNsense Firewall only has one public IP address, this can't be configured by using firewall rules.

  • An ACL will get a named handler, with a UUID, just as subdomains do now.

  • The ACLs will get their own menu in the GUI.

  • Each ACL will be a tokenized field where a number of IPv4 or IPv6 addresses or CIDR ranges can be input.

  • Each ACL will get an additional checkbox to invert the match if needed.

Then if enabled, they will create something like this:

Example configurations for exact domains:

example.com {
        @29978007-445d-4bcc-a894-23241asd1cfc {
                client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
        }
        handle @29978007-445d-4bcc-a894-23241asd1cfc {
                handle {
                        reverse_proxy 172.16.0.173 {
                        }
                }
        }
}

Example configuration for subdomains with TLS:

*.example.com {
        @cdd470d0-525d-4c93-b2a8-5fa4f476942f {
                host foo.example.com
        }
        handle @cdd470d0-525d-4c93-b2a8-5fa4f476942f {
                @29978007-445d-4bcc-a894-23241asd1cfc {
                        client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
                }
                handle @29978007-445d-4bcc-a894-23241asd1cfc {
                        handle {
                                reverse_proxy 172.16.0.173 {
                                        transport http {
                                                tls
                                        }
                                }
                        }
                }
        }
}

Example with not matcher:

example.com {
        @29978007-445d-4bcc-a894-23241asd1cfc {
                not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8
        }
        handle @29978007-445d-4bcc-a894-23241asd1cfc {
                handle {
                        reverse_proxy 172.16.0.173 {
                        }
                }
        }
}
@Monviech Monviech added enhancement New feature or request low priority Low Priority labels Dec 23, 2023
@Monviech Monviech self-assigned this Dec 23, 2023
@Monviech Monviech changed the title Enable ACL support for Reverse Proxy Handles Enable ACL support for Handles Dec 23, 2023
@Monviech Monviech changed the title Enable ACL support for Handles Enable client_ip (ACL) support for Handles Dec 23, 2023
@Monviech Monviech linked a pull request Dec 26, 2023 that will close this issue
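
The validation and rendering step implied by the tokenized ACL field and the invert checkbox above, as an added example that is not part of the original issue or the plugin's own code. The function names are hypothetical, and it assumes every token must parse as an IP address or CIDR range before it is written into the Caddyfile; `enters_handle` is a simplified model of the matcher, not Caddy's implementation.

```python
import ipaddress
import re

def parse_acl(tokens):
    """Validate ACL tokens; return ipaddress interface objects or raise ValueError."""
    parsed = []
    for token in tokens:
        # IPv6 zone IDs ("fe80::1%eth0") may carry arbitrary text, so refuse them.
        if "%" in token:
            raise ValueError(f"zone IDs are not accepted: {token!r}")
        # ip_interface keeps host bits, so the issue's 127.0.0.1/8 is accepted;
        # anything that is not an address or CIDR range raises ValueError.
        parsed.append(ipaddress.ip_interface(token))
    return parsed

def render_acl(name, tokens, invert=False):
    """Build the named matcher block from validated, re-serialized tokens."""
    if not re.fullmatch(r"[0-9A-Za-z-]+", name):
        raise ValueError(f"unexpected matcher name: {name!r}")
    # Emit the parsed form, never the raw input, so no token can smuggle
    # braces, spaces or directives into the generated Caddyfile.
    ranges = " ".join(i.with_prefixlen for i in parse_acl(tokens))
    keyword = "not client_ip" if invert else "client_ip"
    return f"@{name} {{\n\t{keyword} {ranges}\n}}"

def enters_handle(client, tokens, invert=False):
    """True if a request from `client` would be routed into the ACL's handle."""
    addr = ipaddress.ip_address(client)
    hit = any(addr in i.network for i in parse_acl(tokens))
    return hit != invert

# Values taken from the issue's example configuration.
ACL_NAME = "29978007-445d-4bcc-a894-23241asd1cfc"
ACL_TOKENS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.1/8"]

if __name__ == "__main__":
    print(render_acl(ACL_NAME, ACL_TOKENS))
    print(render_acl(ACL_NAME, ACL_TOKENS, invert=True))
    # 203.0.113.7 is a constructed documentation address standing in for an outside client.
    for ip in ("172.16.0.173", "203.0.113.7"):
        print(ip, enters_handle(ip, ACL_TOKENS), enters_handle(ip, ACL_TOKENS, invert=True))
```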