add bypass header config option to maxmind_acl plugin #13160
Open
traeak wants to merge 1 commit into
Pull request overview
Adds a configurable request-header bypass path to the experimental maxmind_acl remap plugin so selected requests can skip MaxMind ACL evaluation.
Changes:
- Adds bypass configuration parsing for `maxmind.bypass.header` and optional `value`.
- Checks the configured bypass header during `TSRemapDoRemap` before ACL evaluation.
- Documents the new bypass configuration block.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| plugins/experimental/maxmind_acl/mmdb.h | Declares bypass configuration state and helper methods. |
| plugins/experimental/maxmind_acl/mmdb.cc | Loads bypass config and implements request-header bypass matching. |
| plugins/experimental/maxmind_acl/maxmind_acl.cc | Skips ACL evaluation when bypass matching succeeds. |
| doc/admin-guide/plugins/maxmind_acl.en.rst | Adds user-facing documentation for bypass configuration. |
Comment on lines +565 to +567
| // presence-only check | ||
| Dbg(dbg_ctl, "check_bypass: bypass header '%s' present", _bypass_header.c_str()); | ||
| bypassed = true; |
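Review bot: In the presence-only branch (+565 to +567), `bypassed = true` is set for any value of the header, including an empty one, and the only record of it is a `Dbg` line that is emitted only when the debug tag is enabled. Because this path skips ACL evaluation entirely, record the bypass somewhere operators see it in normal operation, such as a counter or a non-debug log entry, so that use of the bypass can be audited.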
Comment on lines +569 to +576
| int val_len = 0; | ||
| const char *val = TSMimeHdrFieldValueStringGet(mbuf, hdr_loc, field_loc, 0, &val_len); | ||
| if (val != nullptr && static_cast<int>(_bypass_header_value.size()) == val_len && | ||
| _bypass_header_value.compare(0, std::string::npos, val, val_len) == 0) { | ||
| Dbg(dbg_ctl, "check_bypass: bypass header '%s' matched value '%s'", _bypass_header.c_str(), _bypass_header_value.c_str()); | ||
| bypassed = true; | ||
| } else { | ||
| Dbg(dbg_ctl, "check_bypass: bypass header present but value did not match"); |
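Review bot: `TSMimeHdrFieldValueStringGet` is called with index 0 at +570, so only the first comma-separated value of the field is compared: a configured value that itself contains a comma can never match, and a field whose first element matches is accepted regardless of what follows it. Either pass -1 to compare the whole field value or document the first-value semantics. Separately, the match branch at +573 writes the configured value into the debug log through `_bypass_header_value.c_str()`; if that value is meant to act as a shared token, log only the header name.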
| return false; | ||
| } | ||
|
|
||
| TSMLoc field_loc = TSMimeHdrFieldFind(mbuf, hdr_loc, _bypass_header.c_str(), static_cast<int>(_bypass_header.size())); |
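Review bot: The `field_loc` returned by `TSMimeHdrFieldFind` on this line needs a `TS_NULL_MLOC` check before it is used and a `TSHandleMLocRelease` on every exit path that follows; neither is visible in these lines, so please confirm both are present. `TSMimeHdrFieldFind` also returns only the first field with that name, so a request carrying duplicate copies of the bypass header is judged on the first one alone, which is worth stating in a comment.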
Comment on lines +121 to +126
| An optional ``bypass`` field allows a request to skip all geo checks entirely and pass through | ||
| unmodified. If the specified request header is present, the plugin returns immediately without | ||
| performing any country, IP, regex, or anonymous evaluation. | ||
|
|
||
| ``header`` | ||
| Required sub-key. The name of the HTTP request header to look for, e.g. ``@GcdTaBypassGeo``. |
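Review bot: The paragraph at +121 to +123 describes only the presence case ("If the specified request header is present"), while the `header` entry below it is marked as a required sub-key, which implies optional ones. State here that when a value is also configured the header must match it for the bypass to apply, and say where the header is expected to come from, since a header that clients can set themselves would let a request skip every country, IP, regex and anonymous check listed in this paragraph.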
This adds support to use an optional header and value to bypass running this plugin in the TSRemapDoRemap stage.
maxmind config yaml looks like:
If this option is not provided then the plugin runs as normal in enforcing mode.
'value' is optional. If missing only the presence of the header is checked.