Use case
As a user I want to restrict specific services only to VPN IPs, w/o relying only on DNS resolutions
Current limitations
Currently in order to achieve that I need to:
lists:
allowed_ips:
type: Ip
file: /etc/pingoo/allowed_ips.csv
restrict_internal_routes:
expression: |
!lists["allowed_ips"].contains(client.ip) && http_request.host == "service.private"
actions:
- action: block
So that I have additional protection layer, preventing sneaky bypasses like
curl -i -k https://foo.com -H "host: service.private"
The issue is that for IP addresses for range 10.2.0.0/16 I need to generate /etc/pingoo/allowed_ips.csv which contains 65536 lines that occupies additional memory.
Proposed improvement
Allow defining IP whitelist with CIDR notation, e.g. sth like this:
- lists:
- allowed_ips:
- type: Ip
- file: /etc/pingoo/allowed_ips.csv
restrict_internal_routes:
+ cidr: 10.2.0.0/16
expression: |
- !lists["allowed_ips"].contains(client.ip) && http_request.host == "service.private"
+ http_request.host == "service.private"
actions:
- - action: block
+ - action: allow
Use case
As a user I want to restrict specific services only to VPN IPs, w/o relying only on DNS resolutions
Current limitations
Currently in order to achieve that I need to:
So that I have additional protection layer, preventing sneaky bypasses like
curl -i -k https://foo.com -H "host: service.private"The issue is that for IP addresses for range
10.2.0.0/16I need to generate/etc/pingoo/allowed_ips.csvwhich contains 65536 lines that occupies additional memory.Proposed improvement
Allow defining IP whitelist with CIDR notation, e.g. sth like this: