IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support)

[MaZderMind]

This PR fixes #816. It adds the ability to specify a List of CIDR Whitelists per Frontend. If Whitelists are configured and the Request-IP does not match one of them, it is aborted with a 403 Forbidden.

This obviously requires traefik to be directly mapped on public ips, if the incoming requests are nat'ed, ie through dockers publish-functionality or docker-compose ports, traefik will only see an ip of the internal network and won't be able to filter according to the source-ip.

This PR adds support for the Docker-Provider and the Kubernetes-Provider, but it should be trivial to extend the support to other Providers, I just have no test-setup for those. For both it parses the Annoatation/Label "traefik.frontend.whitelistSourceRange", for Kubernetes it also accepts the quasi-standard "ingress.kubernetes.io/whitelist-source-range". They can take a Comma-Separated List of CIDR Nets (IPv4 & v6), like this:

machine:
  image: katacoda/docker-http-server
  labels:
    - "traefik.backend=local-only-echo"
    - "traefik.frontend.whitelistSourceRange="10.42.0.0/16, 152.89.1.33/32, afed:be44::/16"
    - "traefik.frontend.rule=Host:local-only-echo.example.com"

or for Kubernetes:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-minikube
  annotations:
    traefik.frontend.whitelistSourceRange: "10.42.0.0/16, 152.89.1.33/32, afed:be44::/16"
spec:
  rules:
  - host: echo.kube
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-minikube
          servicePort: web

For File-Based Config, there's the whitelistSourceRange property, which takes an array of CIDR Net-Strings:

[frontends]
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
  priority = 10
  whitelistSourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]

The applied Whitelists are Displayed on the Dashboard:

For my own personal use and for easy testing, I pushed a Docker-Image based on this PR:
https://hub.docker.com/r/mazdermind/traefik/tags/

I'd be happy to receive some feedback, because Go is still fairly new.
Best Regards,
Peter

[timoreimann]

@MaZderMind thanks for your contribution!

I'll try to review the code. In the meantime, could you please run make fmt and commit your changes in order to please the style gods (and our CI)?

[MaZderMind]

@timoreimann Thank you, I'm already at it. Sorry for not checking this before pushing, I'm quite new to the Go Ecosystem

[timoreimann]

@MaZderMind no worries. The CI is our friend. :-)

[timoreimann]

Let's simplify and compare against a length of zero.

[timoreimann]

I suggest we use a dedicated function for the handler func as opposed to defining it inline.

If you define it on the IPWhitelister struct, you gain access to the configured whitelists.

[timoreimann]

Do not capitalize error strings.

Also, no need to mention that this is an error. (After all, we'll be returning an error.) Just say no whitelists provided. It's only at the call site where we should have something like

if err != nil {
  log.Warnf("failed to initialize white lists: %s", err)
}

Similar for other errors.

[timoreimann]

One extra capital A.

[timoreimann]

Please decapitalize Whitelist.

[timoreimann]

We can append directly into the struct field in line 31 to avoid this assignment.

[timoreimann]

s/ip/whitelist/ for naming consistency.

[timoreimann]

I'd place this log messages only after we are clear there won't be an error returned by NewIPWhitelister.

[timoreimann]

Please use log.Infof and apply the correct verb (%s I'd think).

[timoreimann]

Please use log.Fatalf.

[timoreimann]

This part needs to be covered by a test. I know it's tricky because we have zero tests yet, but we need to start somewhere.

For a starter, here are my tests from a different PR.

[MaZderMind]

The Server-Construction-Code is not really nice to be tested, is it? ;)
I extracted the configuration of the middleware into a smaller, easy to test function and tested that. I think this is the better approach instead of configuring a complete Server and trying to fiddle out which middlewares are configured.

[timoreimann]

The middleware needs testing. Once you have moved the inline function into a dedicated one, you can test it easily against an http/httptest server.

[Russell-IO]

This concept is purely awesome

[MaZderMind]

@timoreimann Thank you for your in-depth review. It'll take me some time to get through it, though.

[errm]

Could we add support for X-Forwarded-For here?

It would make sense for environments were there is some other load balancer in front of Treafik

[MaZderMind]

I'm sure we could. How would you see that working? Silently using the foremost Forwarded-For-Header instead of the original IP would AFAIS allow Spoofing any IP when not running behind a Proxy. An extra Annotation would be required to turn this on and off. I'd rather like to get this feature done first and then have another issue/PR for the follow-up discussion.

[timoreimann]

I'm with @MaZderMind: Support for the header would be great, but this PR can stand on its own without it.

[timoreimann]

hey @MaZderMind, did you have an opportunity yet to address the comments?

I believe the feature you've built is being asked for a few times per week. Would be awesome to have it. :-)

[MaZderMind]

Unfortunately i haven't found the time to work on. It's stil on my agenda, though.

[MaZderMind]

@timoreimann I addressed all your change requests (despite the one on removing the empty string-slices on which I commented above) and merged the current master into this PR.

[MaZderMind]

It seems, the build failed with "The job exceeded the maximum time limit for jobs, and has been terminated.". I'll try to retrigger.

[timoreimann]

Second round -- things are already looking pretty good. 👍

I need to apologize for a wrong advise I gave in my previous review: While error messages should not start with a capital letter, log messages indeed should (source).

I'm okay with keeping log messages non-capitalized though as our styling is fairly inconsistent anyway.

Sorry about that! 😞

[timoreimann]

Please group the non-stdlib imports below the stdlib ones, like here.

[timoreimann]

A map of strings to structs does not seem very idiomatic. Could you please use a simplified slice of structs and have one (the first) field be your test description?

Here's an example.

Same for other tests.

[MaZderMind]

In my mind the tests are grouped by name, just as you would do it when writing them down on paper. You would not have a Headline "1" with the title as Content under it. But I'm ok following your style guide and will change this :)

[timoreimann]

Just to add a bit more reasoning on my end: I agree with you that a map could make sense if every test had a name. However, the parameter you pass to t.Run() does not have to be static (as in our case) but could also be the result of some "dynamic computation". For instance, the tests for a math utility function could use the input parameters to define the description.

Looking at it from this angle, employing maps where a static name is needed and a slice of structs where it's not would lead to an inconsistent picture. I prefer tests to look boringly similar. :-)

[timoreimann]

You need to say e := e here to capture the range variable. See the Run a group of tests in parallel in the official sub-tests blog post and this Go wiki post (note that t.Parallel() creates goroutines under the hood).

Same for other tests.

[timoreimann]

By the way, what is e supposed to stand for? I immediately thought of error.

Maybe call it case or tc (for test case) instead?

[MaZderMind]

I copied that from the docker tests, but it is there as wrong as it is here. fixed

[timoreimann]

Error values should be comparable using ==.

[timoreimann]

One advantage of using sub-tests is that you can use t.Fatal*, and it will only bail out of the current test. So no need to to t.Error* + return.

[timoreimann]

Error messages should just be formatted using %v or %s (no plus sign) as they are meant for humans.

[timoreimann]

I'd still remove the empty slice from the test case definition and sanitize inside the test body; that is, check if the value is nil and assign the empty slice to it. That keeps the test cases clean and moves the sanitization logic into a central location.

As far as being able to easily spot what's wrong in case of a test failure, you should use something like go-spew's Sdump. We already use it at other occasions, so you should be able to use it in your tests too.

[timoreimann]

Convert to struct slices here too please.

[timoreimann]

I suppose a bit of extra prose might be nice that explains things like

• what does this feature do;
• how does it behave (including error cases); and
• what providers are supported.

[timoreimann]

Unused (except for printing)?

[MaZderMind]

@timoreimann I think i changed all the things requested. The build failed with a timeout bit I'm sure retriggering it would make it succeed.

[timoreimann]

Can we rename this to errMessage? err is usually reserved for variables of type error.

[timoreimann]

Couldn't we use assert.Equal() here?

[timoreimann]

This and this also seem like they would benefit from require.

[timoreimann]

Apart from the assert/require question, I have only two minor points left.

I think we're getting close to wrapping up. :-)

[timoreimann]

I just realize we don't have any dedicated tests for this function. Could you please add some? That way, we guarantee the function does what it should independent of any of its current users.

[timoreimann]

Yes, vendor management is awful. :-(

All hopes lie on golang/dep...

[MaZderMind]

@timoreimann any news on this? I might do another rebase and merge, but it's not a task I'm very keen on, not knowing if it will be merged then.

[timoreimann]

@MaZderMind we need another review for this PR for process reasons, and due to its mere size and impact. I think it's fine to refrain from rebasing until things have been finalized.

Thanks!

[emilevauge]

Awesome job @MaZderMind ❤️
Few comments, but overall, looks great :)

[emilevauge]

Shouldn't you use Debugf everywhere (like in https://github.com/containous/traefik/pull/1332/files#diff-251fc09a93a45584efee4df208e9373cR56)?

[MaZderMind]

In my opinion this is a more dangerous problem than the others, because a single wrong syntax IP will stop the complete filter from being applied, which possibly means your private frontend is now exposed to the internet.

[emilevauge]

Got it 👍

[emilevauge]

Just asking, is it a safe practice to give a reason on this kind of error? I wonder if an empty statusTextwould't be better 🤔

[MaZderMind]

In my opinion, security by obscurity is never good practice. Our service should be save, even if an attacker knows how we secured it.

[emilevauge]

But is there a need to print this text?

[MaZderMind]

no, not really a need. Other Webservers just repeat the HTTP Status-Code, that would probably be a string like "Forbidden". Generally I think being more verbose is better in case of debugging a problem, but If you want me to change that, I'll do so.

[emilevauge]

@MaZderMind IMHO, we should not use HTTP error messages for debugging: we already have logs for this :) As we don't set any custom error message in Traefik for now, I would prefer to just remove it. @timoreimann WDYT?

[timoreimann]

I'm also inclined to say there's no need to give away too much information, so either leave it empty or stick with "Forbidden" -- whatever is more consistent with Traefik's current behavior.

[emilevauge]

Then, we remove the text :) We will be able to customize the error page in the future.

[emilevauge]

s/whitelistSourceRangs/whitelistSourceRanges

[MaZderMind]

ouch, will fix that

[ldez]

Due to SemaphoreCI, I close and reopen the PR.

[emilevauge]

Thanks a lot @MaZderMind !
LGTM
(@ldez will change the status text)

[MaZderMind]

@emilevauge Sorry for not being responsive with this and previous changes. It's only one small side project for me. Thanks to @ldez for jumping in!