IPStrategy for selecting IP in whitelist

Author: juliens

anonymize/anonymize_config_test.go

@@ -80,8 +80,12 @@ func TestDo_globalConfiguration(t *testing.T) {
 					TrustForwardHeader: true,
 				},
 			},
-			WhitelistSourceRange: []string{"foo WhitelistSourceRange 1", "foo WhitelistSourceRange 2", "foo WhitelistSourceRange 3"},
-			Compress:             &configuration.Compress{},
+			WhiteList: &types.WhiteList{
+				SourceRange: []string{
+					"127.0.0.1/32",
+				},
+			},
+			Compress: &configuration.Compress{},
 			ProxyProtocol: &configuration.ProxyProtocol{
 				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
 			},
@@ -125,8 +129,12 @@ func TestDo_globalConfiguration(t *testing.T) {
 					TrustForwardHeader: true,
 				},
 			},
-			WhitelistSourceRange: []string{"fii WhitelistSourceRange 1", "fii WhitelistSourceRange 2", "fii WhitelistSourceRange 3"},
-			Compress:             &configuration.Compress{},
+			WhiteList: &types.WhiteList{
+				SourceRange: []string{
+					"127.0.0.1/32",
+				},
+			},
+			Compress: &configuration.Compress{},
 			ProxyProtocol: &configuration.ProxyProtocol{
 				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
 			},

autogen/gentemplates/gen.go

@@ -108,7 +108,7 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 	if len(gc.EntryPoints) == 0 {
 		gc.EntryPoints = map[string]*EntryPoint{"http": {
 			Address:          ":80",
-			ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			ForwardedHeaders: &ForwardedHeaders{},
 		}}
 		gc.DefaultEntryPoints = []string{"http"}
 	}
@@ -126,18 +126,7 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 		entryPoint := gc.EntryPoints[entryPointName]
 		// ForwardedHeaders must be remove in the next breaking version
 		if entryPoint.ForwardedHeaders == nil {
-			entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true}
-		}
-
-		if len(entryPoint.WhitelistSourceRange) > 0 {
-			log.Warnf("Deprecated configuration found: %s. Please use %s.", "whiteListSourceRange", "whiteList.sourceRange")
-
-			if entryPoint.WhiteList == nil {
-				entryPoint.WhiteList = &types.WhiteList{
-					SourceRange: entryPoint.WhitelistSourceRange,
-				}
-				entryPoint.WhitelistSourceRange = nil
-			}
+			entryPoint.ForwardedHeaders = &ForwardedHeaders{}
 		}
 	}
 

configuration/configuration.go

@@ -2,6 +2,7 @@ package configuration
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/containous/traefik/log"
@@ -11,20 +12,19 @@ import (
 
 // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
 type EntryPoint struct {
-	Address              string
-	TLS                  *tls.TLS          `export:"true"`
-	Redirect             *types.Redirect   `export:"true"`
-	Auth                 *types.Auth       `export:"true"`
-	WhitelistSourceRange []string          // Deprecated
-	WhiteList            *types.WhiteList  `export:"true"`
-	Compress             *Compress         `export:"true"`
-	ProxyProtocol        *ProxyProtocol    `export:"true"`
-	ForwardedHeaders     *ForwardedHeaders `export:"true"`
+	Address          string
+	TLS              *tls.TLS          `export:"true"`
+	Redirect         *types.Redirect   `export:"true"`
+	Auth             *types.Auth       `export:"true"`
+	WhiteList        *types.WhiteList  `export:"true"`
+	Compress         *Compress         `export:"true"`
+	ProxyProtocol    *ProxyProtocol    `export:"true"`
+	ForwardedHeaders *ForwardedHeaders `export:"true"`
+	ClientIPStrategy *types.IPStrategy `export:"true"`
 }
 
 // Compress contains compress configuration
-type Compress struct {
-}
+type Compress struct{}
 
 // ProxyProtocol contains Proxy-Protocol configuration
 type ProxyProtocol struct {
@@ -68,11 +68,6 @@ func (ep *EntryPoints) Type() string {
 func (ep *EntryPoints) Set(value string) error {
 	result := parseEntryPointsConfiguration(value)
 
-	var whiteListSourceRange []string
-	if len(result["whitelistsourcerange"]) > 0 {
-		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
-	}
-
 	var compress *Compress
 	if len(result["compress"]) > 0 {
 		compress = &Compress{}
@@ -84,29 +79,42 @@ func (ep *EntryPoints) Set(value string) error {
 	}
 
 	(*ep)[result["name"]] = &EntryPoint{
-		Address:              result["address"],
-		TLS:                  configTLS,
-		Auth:                 makeEntryPointAuth(result),
-		Redirect:             makeEntryPointRedirect(result),
-		Compress:             compress,
-		WhitelistSourceRange: whiteListSourceRange,
-		WhiteList:            makeWhiteList(result),
-		ProxyProtocol:        makeEntryPointProxyProtocol(result),
-		ForwardedHeaders:     makeEntryPointForwardedHeaders(result),
+		Address:          result["address"],
+		TLS:              configTLS,
+		Auth:             makeEntryPointAuth(result),
+		Redirect:         makeEntryPointRedirect(result),
+		Compress:         compress,
+		WhiteList:        makeWhiteList(result),
+		ProxyProtocol:    makeEntryPointProxyProtocol(result),
+		ForwardedHeaders: makeEntryPointForwardedHeaders(result),
+		ClientIPStrategy: makeIPStrategy("clientipstrategy", result),
 	}
 
 	return nil
 }
 
 func makeWhiteList(result map[string]string) *types.WhiteList {
-	var wl *types.WhiteList
 	if rawRange, ok := result["whitelist_sourcerange"]; ok {
-		wl = &types.WhiteList{
-			SourceRange:      strings.Split(rawRange, ","),
-			UseXForwardedFor: toBool(result, "whitelist_usexforwardedfor"),
+		return &types.WhiteList{
+			SourceRange: strings.Split(rawRange, ","),
+			IPStrategy:  makeIPStrategy("whitelist_ipstrategy", result),
 		}
 	}
-	return wl
+	return nil
+}
+
+func makeIPStrategy(prefix string, result map[string]string) *types.IPStrategy {
+	depth := toInt(result, prefix+"_depth")
+	excludedIPs := result[prefix+"_excludedips"]
+
+	if depth == 0 && len(excludedIPs) == 0 {
+		return nil
+	}
+
+	return &types.IPStrategy{
+		Depth:       depth,
+		ExcludedIPs: strings.Split(excludedIPs, ","),
+	}
 }
 
 func makeEntryPointAuth(result map[string]string) *types.Auth {
@@ -184,15 +192,14 @@ func makeEntryPointProxyProtocol(result map[string]string) *ProxyProtocol {
 	}
 
 	if proxyProtocol != nil && proxyProtocol.Insecure {
-		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
+		log.Warn("ProxyProtocol.insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.insecure:true'")
 	}
 
 	return proxyProtocol
 }
 
 func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
-	// TODO must be changed to false by default in the next breaking version.
-	forwardedHeaders := &ForwardedHeaders{Insecure: true}
+	forwardedHeaders := &ForwardedHeaders{}
 	if _, ok := result["forwardedheaders_insecure"]; ok {
 		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
 	}
@@ -300,3 +307,14 @@ func toBool(conf map[string]string, key string) bool {
 	}
 	return false
 }
+
+func toInt(conf map[string]string, key string) int {
+	if val, ok := conf[key]; ok {
+		intVal, err := strconv.Atoi(val)
+		if err != nil {
+			return 0
+		}
+		return intVal
+	}
+	return 0
+}