Started IP whitelist, but defunct because of docker swarm obfuscating real IP

This commit is contained in:
kexkey
2018-10-16 12:55:02 -04:00
parent 2a7ca27600
commit 208d61361c
6 changed files with 42 additions and 1 deletions


@@ -15,6 +15,7 @@ COPY keys.properties /etc/nginx/conf.d
COPY api.properties /etc/nginx/conf.d COPY api.properties /etc/nginx/conf.d
COPY trace.sh /etc/nginx/conf.d COPY trace.sh /etc/nginx/conf.d
COPY tests.sh /etc/nginx/conf.d COPY tests.sh /etc/nginx/conf.d
COPY ip-whitelist.conf /etc/nginx/conf.d
RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh


@@ -34,6 +34,19 @@ kapi_id="006";kapi_key="19e121b698014fac638f772c4ff5775a738856bf6cbdef0dc8897105
You can have multiple keys, but be aware that this container has **not** been built to support thousands of API keys! **Cyphernode should be used locally**, not publicly as a service. You can have multiple keys, but be aware that this container has **not** been built to support thousands of API keys! **Cyphernode should be used locally**, not publicly as a service.
## IP Addresses Whitelist (**do not use for now**)
**Docker Swarm obfuscates real client IP, this feature is not ready for now**
You can have an IP whitelist policy, denying everything except the explicit IP addresses you need. Edit ip-whitelist.conf file:
```conf
# Leave commented if you don't want to use IP whitelist
# List of white listed IP addresses...
#allow 45.56.67.78;
#deny all;
```
## SSL ## SSL
If you already have your certificates and keystores infra, you already know what to do and your can skip this section. Put your files in the bound volume (~/cyphernode-ssl/ see volume path in docker-compose.yml). If you already have your certificates and keystores infra, you already know what to do and your can skip this section. Put your files in the bound volume (~/cyphernode-ssl/ see volume path in docker-compose.yml).
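Review bot: the README example for ip-whitelist.conf is out of sync with the file this commit adds: the file also carries `#real_ip_header X-Forwarded-For;` and `#set_real_ip_from 0.0.0.0/0;`, which the README omits. Document those two lines as well, and state that `set_real_ip_from` must be narrowed to the address range of the proxy or ingress actually in front of nginx before anyone uncomments the block, because with `0.0.0.0/0` the header supplied by the connecting client decides which address the `allow` list is checked against. The "do not use for now" warning is good; a one-line reason next to it (swarm ingress replaces the client address, per the commit message) would stop readers from enabling it on a non-swarm setup without checking.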


@@ -39,7 +39,14 @@ verify_sign()
if [ ${exp} -gt ${current} ]; then if [ ${exp} -gt ${current} ]; then
trace "[verify_sign] Not expired, let's validate signature" trace "[verify_sign] Not expired, let's validate signature"
local id=$(echo ${payload} | jq ".id" | tr -d '"') local id=$(echo ${payload} | jq ".id" | tr -d '"')
trace "[verify_sign] id=${id}" trace "[verify_sign] id=${id}"
# Check for code injection
# id will usually be an int, but could be alphanum... nothing else
if ! [[ $id =~ '^[A-Za-z0-9]$']]; then
trace "[verify_sign] Potential code injection, exiting"
return 1
fi
# It is so much faster to include the keys here instead of grep'ing the file for key. # It is so much faster to include the keys here instead of grep'ing the file for key.
. ./keys.properties . ./keys.properties
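Review bot: the new `id` guard does not do what its comment says. In bash, `[[ $id =~ '^[A-Za-z0-9]$' ]]` with a single-quoted right-hand side compares against the literal string, not a regex; the pattern also lacks a `+`, so even as a regex it would accept exactly one character and reject ids such as `006` shown in the README hunk on this page; and `'^[A-Za-z0-9]$']]` has no space before `]]`, so the closing bracket is parsed as part of the pattern word and the `[[` test is malformed. Suggest `if ! [[ $id =~ ^[A-Za-z0-9]+$ ]]; then` (unquoted pattern, quantifier, space before `]]`) and a quick test with a known-good key id before merging, since as written every request would fail signature verification.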
@@ -78,6 +85,14 @@ verify_group()
local id=${1} local id=${1}
local action=${REQUEST_URI:1} local action=${REQUEST_URI:1}
trace "[verify_group] action=${action}"
# Check for code injection
# action could be alphanum... nothing else
if ! [[ $action =~ '^[A-Za-z]$']]; then
trace "[verify_group] Potential code injection, exiting"
return 1
fi
# It is so much faster to include the keys here instead of grep'ing the file for key. # It is so much faster to include the keys here instead of grep'ing the file for key.
. ./api.properties . ./api.properties
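Review bot: the `action` guard has the same three defects as the `id` guard above (quoted pattern matched literally, no `+`, missing space before `]]`). Beyond that, `[A-Za-z]` admits letters only, so once the syntax is fixed any action name containing a digit, underscore, hyphen or slash, or any request whose `REQUEST_URI` carries a query string, would be refused as "Potential code injection". Derive the allowed character set from the action names actually listed in api.properties (for example `^[A-Za-z0-9_]+$`), and exercise each endpoint after the change so a legitimate route is not silently blocked.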


@@ -2,6 +2,8 @@ server {
listen 443 ssl; listen 443 ssl;
server_name localhost; server_name localhost;
include /etc/nginx/conf.d/ip-whitelist.conf;
ssl_certificate /etc/ssl/certs/cert.pem; ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem; ssl_certificate_key /etc/ssl/private/key.pem;
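Review bot: the include sits at server level, so any `allow`/`deny` from ip-whitelist.conf would apply to every location in this server block, including `/auth`; that is the right scope for a whitelist. As committed the file is entirely commented out, so this is a no-op, but a comment beside the `include` pointing at the "do not use for now" note would help: behind the Docker Swarm ingress the address nginx sees is not the client's (the reason given in the commit message), so an uncommented `deny all` with an `allow` for a real client address would lock every caller out rather than admit the intended one.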


@@ -2,6 +2,8 @@ server {
listen 80; listen 80;
server_name localhost; server_name localhost;
include /etc/nginx/conf.d/ip-whitelist.conf;
location / { location / {
auth_request /auth; auth_request /auth;
proxy_pass http://cyphernode:8888; proxy_pass http://cyphernode:8888;


@@ -0,0 +1,8 @@
# Leave commented if you don't want to use IP whitelist
#real_ip_header X-Forwarded-For;
#set_real_ip_from 0.0.0.0/0;
# List of white listed IP addresses...
#allow 45.56.67.78;
#deny all;
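Review bot: `set_real_ip_from 0.0.0.0/0;` together with `real_ip_header X-Forwarded-For;` tells nginx to trust every connecting address to report the client IP, so if these lines are uncommented the allow list is evaluated against whatever the connecting party places in that header rather than against the TCP peer address, and the whitelist no longer restricts anything. Restrict `set_real_ip_from` to the CIDR of the proxy or ingress that actually forwards to this container, and add `real_ip_recursive on;` so the last address not in the trusted range is used when the header carries several hops. The file's comment should say this explicitly, since the README on this page shows only the `allow`/`deny` lines.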