[FilterByClientIpPlugin] Implement the `whitelist` logic (#1127)

* Implement the "whitelist" logic for the plugin "FilterByClientIpPlugin" * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Fix lint errors for the plugin FilterByClientIpPlugin Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Abhinav Singh <126065+abhinavsingh@users.noreply.github.com>
2022-04-20 18:42:58 +02:00 · 2022-04-20 18:42:58 +02:00 · 1980a0953d
parent 798f4280cd
commit 1980a0953d
2 changed files with 24 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -2469,6 +2469,8 @@ options:
  --filtered-upstream-hosts FILTERED_UPSTREAM_HOSTS
                        Default: Blocks Facebook. Comma separated list of IPv4
                        and IPv6 addresses.
+  --filtered-client-ips-mode FILTERED_CLIENT_IPS_MODE
+                        Default: "blacklist". Can be either "whitelist" (restrict access to specific IPs) or "blacklist" (allow everything except specific IPs).
  --filtered-client-ips FILTERED_CLIENT_IPS
                        Default: 127.0.0.1,::1. Comma separated list of IPv4
                        and IPv6 addresses.
--- a/proxy/plugin/filter_by_client_ip.py
+++ b/proxy/plugin/filter_by_client_ip.py
@ -21,6 +21,14 @@ from ..http.parser import HttpParser
 from ..http.exception import HttpRequestRejected


+flags.add_argument(
+    '--filtered-client-ips-mode',
+    type=str,
+    default='blacklist',
+    help='Default: blacklist.  Can be either "whitelist" (restrict access to specific IPs)'
+    'or "blacklist" (allow everything except specific IPs).',
+)
+
 flags.add_argument(
    '--filtered-client-ips',
    type=str,
@ -30,15 +38,23 @@ flags.add_argument(


 class FilterByClientIpPlugin(HttpProxyBasePlugin):
-    """Drop traffic by inspecting incoming client IP address."""
+    """Allow only (whitelist) or Drop only (blacklist) traffic by inspecting incoming client IP address."""

    def before_upstream_connection(
            self, request: HttpParser,
    ) -> Optional[HttpParser]:
        assert not self.flags.unix_socket_path and self.client.addr
-        if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
-            raise HttpRequestRejected(
-                status_code=httpStatusCodes.I_AM_A_TEAPOT,
-                reason=b'I\'m a tea pot',
-            )
+        assert self.flags.filtered_client_ips_mode in ('blacklist', 'whitelist')
+        if self.flags.filtered_client_ips_mode == 'blacklist':
+            if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
+                raise HttpRequestRejected(
+                    status_code=httpStatusCodes.I_AM_A_TEAPOT,
+                    reason=b'I\'m a tea pot',
+                )
+        elif self.flags.filtered_client_ips_mode == 'whitelist':
+            if self.client.addr[0] not in self.flags.filtered_client_ips.split(','):
+                raise HttpRequestRejected(
+                    status_code=httpStatusCodes.I_AM_A_TEAPOT,
+                    reason=b'I\'m a tea pot',
+                )
        return request