-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding express-ipfilter for ip whitelist support with environment variable IP_WHITELIST #13
base: master
Are you sure you want to change the base?
Conversation
…tting an environment variable IP_WHITELIST
Thanks for the contribution! It looks like @sloydsf is an internal user so signing the CLA is not required. However, we need to confirm this. |
@@ -47,6 +48,21 @@ if (process.env.FORCE_HTTPS === "true") { | |||
app.use(enforce.HTTPS({trustProtoHeader: true})); | |||
} | |||
|
|||
if (process.env.IP_WHITELIST) { | |||
let clientIp = function(req, res) { | |||
return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',').pop() : "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should indeed work for heroku deployment, but can't validate locally well because there is no x-forwarded-for header set. I think this should change to look at the host header if x-forwarded-for is not set. And include 'localhost' in the whitelist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I had assumed this was Heroku only.
I'll update it to be:
if(x-forwarded-for header) return last entry in x-forwarded-for header
else use tcp/ip remote_ip
app.use( | ||
ipfilter(whitelist_ips, { | ||
detectIp: clientIp, | ||
forbidden: 'You are not authorized to access this page.', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error handling is the only tricky thing with this, and express in general. Right now this message is not displayed, but instead an internal error message is shown alone on a blank page. May need special handling for the IpDeniedError in our normal error handler.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I the Opts object you are passing here does not match the interface given by express-ipfilter:
export interface IpFilterOptions {
detectIp?: (request: express.Request) => Ip;
excluding?: Route[];
log?: boolean;
logLevel?: 'all' | 'deny' | 'allow';
mode?: 'deny' | 'allow';
// `@types/proxy-addr` does not export the `trust` parameter type
trustProxy?: any;
}
@sloydsf - What happened to just doing the IP whitelisting on the Heroku private spaces level? Was that not the right approach? |
Using new package express-ipfilter.
Adding ability to define IP_WHITELIST as an environment variable.
If the variable is not defined it should not impact the existing behavior outside of requiring the module.
Example: IP_WHITELIST=1.2.3.4/32,10.0.0.0/24