
caddy-geofence

A caddy module for IP geofencing your caddy web server using https://ipbase.com/


Usage

  1. For an IP that is not within the geofence, 403 will be returned on the matching route.
  2. An API token from ipbase.com is required to run this module.

Caching

By default this module uses a configurable in-memory cache. Should you need an external/persistent cache, the module also supports redis; see the Caddyfile example below for how to enable it.

The ipbase.com free tier includes 150 requests per month.

Build with caddy

# build module with caddy
xcaddy build --with github.com/circa10a/caddy-geofence

Docker

docker run --net host -v /your/Caddyfile:/etc/caddy/Caddyfile -e IPBASE_API_TOKEN -p 80:80 -p 443:443 circa10a/caddy-geofence

Caddyfile example

{
	debug
	order geofence before respond
}

:80

route /* {
	geofence {
		# cache_ttl is how long to cache each IP address together with its inside/outside-proximity verdict, to avoid repeated lookups
		# Cache for 7 days; valid time units are "ms", "s", "m", "h"
		# Not specifying a TTL sets no expiration on cached items, which then live until restart
		cache_ttl 168h

		# ipbase.com API token, this example reads from an environment variable
		ipbase_api_token {$IPBASE_API_TOKEN}

		# radius is the distance of the geofence in kilometers
		# If not supplied, will default to 0.0 kilometers
		# 1.0 => 1.0 kilometers
		radius 1.0

		# allow_private_ip_addresses is a boolean controlling whether private IP ranges are allowed,
		# such as 192.X, 172.X, 10.X and [::1] (localhost)
		# false by default
		# Some cellular networks NAT clients behind 172.X addresses, in which case you may not want to allow them
		allow_private_ip_addresses true

		# allowlist is a list of IP addresses that will not be checked for proximity and will be allowed to access the server
		allowlist 206.189.205.251 206.189.205.252

		# status_code is the HTTP response code that is returned if IP address is not within proximity. Default is 403
		status_code 403

		# redis_enabled disables the in-memory cache and will connect to a remote redis instance
		# default is false
		redis_enabled true
		# the <host>:<port> of the remote redis instance
		# default is localhost:6379
		redis_addr redis:6379
		# redis_username is the username to connect to a secured redis instance
		# default is ""
		redis_username user
		# redis_password is the password to connect to a secured redis instance
		# default is ""
		redis_password password
		# redis_db is the id of the redis db to connect to for storing cached ip addresses
		# default is 0
		redis_db 0
	}
}

log {
	output stdout
}
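To make the effect of the settings above concrete, here is an added Go example of the allow/deny decision those knobs drive (radius, allow_private_ip_addresses, allowlist, cache_ttl). It is not the circa10a/caddy-geofence module's own code: the Geofence type and its fields are hypothetical, the fence centre is assumed to be the server's own coordinates, and the ipbase.com lookup is replaced by a constructed Locate function.

```go
package main

import (
	"math"
	"net"
	"time"
)

type entry struct{ allowed bool; expires time.Time }

// Geofence mirrors the README's knobs (radius, allow_private_ip_addresses, allowlist, cache_ttl); hypothetical type, not the module's own.
type Geofence struct {
	RadiusKm        float64
	AllowPrivateIPs bool
	Allowlist       map[string]bool
	CacheTTL        time.Duration                       // 0 means cached verdicts never expire
	Lat, Lon        float64                             // fence centre, assumed here to be the server's own location
	Locate          func(ip string) (lat, lon float64) // constructed stand-in for the ipbase.com lookup
	cache           map[string]entry
}

// haversineKm returns the great-circle distance between two coordinates in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const d2r = math.Pi / 180
	dLat, dLon := (lat2-lat1)*d2r, (lon2-lon1)*d2r
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(lat1*d2r)*math.Cos(lat2*d2r)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Allowed decides in this assumed order: allowlist, private ranges, cached verdict, then a fresh lookup.
func (g *Geofence) Allowed(ipStr string, now time.Time) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false // unparsable client address: fail closed
	}
	if g.Allowlist[ipStr] {
		return true
	}
	if ip.IsPrivate() || ip.IsLoopback() {
		return g.AllowPrivateIPs
	}
	if e, ok := g.cache[ipStr]; ok && (g.CacheTTL == 0 || now.Before(e.expires)) {
		return e.allowed
	}
	if g.cache == nil { g.cache = map[string]entry{} }
	lat, lon := g.Locate(ipStr)
	allowed := haversineKm(g.Lat, g.Lon, lat, lon) <= g.RadiusKm
	g.cache[ipStr] = entry{allowed: allowed, expires: now.Add(g.CacheTTL)}
	return allowed
}
```

A request from an address outside the radius would map to the configured status_code (403 above); the cached verdict is reused until cache_ttl elapses, so a lookup failure or stale answer persists for that long.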

Development

Requires xcaddy to be installed

Run

export IPBASE_API_TOKEN=<token>
make run

Build

make build

Run the redis-enabled stack

export IPBASE_API_TOKEN=<token>
make redis