Blocking based on IP Blocks


David Santhosh

Jan 20, 2016, 2:30:24 PM
to openresty-en
How can I block/verify requests based on IP blocks? I want to check if a given IP address is within a whitelisted IP block, and allow or deny based on the result. It looks like nginx only exposes ngx.var.remote_addr and binary_addr; is there any module to do this with the Lua extension?

Thibault Charbonnier

Jan 20, 2016, 2:37:15 PM
to openresty-en
Hi,

Have you looked into lua-resty-iputils? It comes with a minimal example:

Robert Paprocki

Jan 20, 2016, 2:40:08 PM
to openre...@googlegroups.com
You probably don't need to do this with Lua; nginx's allow/deny directives support CIDR blocks.

You may also want to see https://groups.google.com/forum/#!topic/openresty-en/G916sAMSOPY for a duplicate discussion.
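Robert's point in nginx configuration terms, as an added example that is not part of the original reply: the access module's allow/deny directives take CIDR notation directly, so a plain whitelist needs no Lua at all. The backend upstream, the corp2 block and the trusted proxy address are assumed. One caveat a practitioner should keep in mind: these directives, like ngx.var.remote_addr, test the address of the TCP peer. If nginx sits behind a load balancer the rules see the balancer's address unless ngx_http_realip_module is configured, and set_real_ip_from must list only the proxies you trust, because any client can send an X-Real-IP or X-Forwarded-For header of its own.

```nginx
# Added example: allow only the whitelisted blocks, deny everyone else.
# Rules are evaluated in order; the first match wins.
server {
    listen 80;
    server_name _;

    # Only if nginx is behind a trusted reverse proxy: let ngx_http_realip_module
    # replace $remote_addr with the address the proxy reports, trusting the
    # header ONLY when the connection comes from 10.0.0.5 (assumed proxy).
    # Without set_real_ip_from, a client could spoof X-Real-IP and pass the rules.
    # set_real_ip_from 10.0.0.5;
    # real_ip_header   X-Real-IP;

    location /internal/ {
        allow 192.168.1.0/24;     # corp1 (from the thread)
        allow 192.178.1.0/24;     # corp2 (assumed block)
        allow 2001:db8::/32;      # IPv6 blocks work the same way
        deny  all;                # everyone else gets 403

        proxy_pass http://backend;   # assumed upstream
    }
}
```

This covers the allow-or-deny half of the question; the per-block redirect that David describes later in the thread needs either the geo module or a small Lua handler, since allow/deny only decides between passing and 403.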


davidsnt

Jan 20, 2016, 2:52:16 PM
to openre...@googlegroups.com
Thank you Thibault and Robert, the links look useful. But I still think doing a comparison with the incoming IP address needs some work.
--David

Robert Paprocki

Jan 20, 2016, 2:53:43 PM
to openre...@googlegroups.com
Can you explain your use case a little more? What functionality is nginx/ngx-lua missing out of the box that you need? I'm curious as to what you're trying to accomplish. Can you provide a simple code example for what you're looking for?

davidsnt

Jan 20, 2016, 2:57:54 PM
to openre...@googlegroups.com
Sure, I have a list of whitelisted IP blocks and need to check if the incoming request IP belongs to one of these IP blocks and act on it. So, for example, corporate 1's IP block is 192.168.1.0/24: if 192.168.1.1 belongs to 192.168.1.0/24, then redirect to corp1.domain.com; and next, for corporate 2, redirect 192.178.1.1 to corp2.domain.com, and so on...

--David

Robert Paprocki

Jan 20, 2016, 3:06:05 PM
to openre...@googlegroups.com
Sounds like a good use case for the lua-resty-iputils Thibault linked, with an access_by_lua handler. Happy coding!
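The combination Robert suggests, written out as an added example (not code from the thread or from lua-resty-iputils itself). It assumes lua-resty-iputils and lua-resty-lrucache are installed, uses the corp1 block and hostnames from David's post, and assumes 192.178.1.0/24 for corp2 from his example address; the second corp2 block and the backend upstream are made up. The CIDR strings are parsed once at startup with parse_cidrs and the per-request check runs on binary_remote_addr, so no string parsing happens on the hot path.

```nginx
# Added example: route each whitelisted corporate block to its own hostname,
# deny everything else. Assumes lua-resty-iputils (parse_cidrs, binip_in_cidrs).

init_by_lua_block {
    local iputils = require "resty.iputils"
    iputils.enable_lrucache()   -- caches parsed IPs; needs lua-resty-lrucache

    -- One entry per customer: its CIDRs and where to send it. parse_cidrs
    -- turns the strings into numeric ranges once, at startup. The table is a
    -- global here for brevity; the iputils README recommends keeping it at
    -- module level in a real deployment. First matching entry wins.
    corp_routes = {
        { name = "corp1", host = "corp1.domain.com",
          cidrs = iputils.parse_cidrs({ "192.168.1.0/24" }) },
        { name = "corp2", host = "corp2.domain.com",
          cidrs = iputils.parse_cidrs({ "192.178.1.0/24", "203.0.113.0/28" }) },
    }
}

server {
    listen 80;
    server_name _;

    location / {
        access_by_lua_block {
            local iputils = require "resty.iputils"

            -- binary_remote_addr is the peer address in network byte order.
            -- Behind a proxy it is only meaningful after ngx_http_realip_module
            -- rewrote it from a trusted set_real_ip_from source.
            local bin_ip = ngx.var.binary_remote_addr
            if not bin_ip or #bin_ip ~= 4 then
                -- 16-byte value means an IPv6 peer; lua-resty-iputils handles
                -- IPv4 CIDRs only (assumption), so treat it as "no match".
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            for _, route in ipairs(corp_routes) do
                if iputils.binip_in_cidrs(bin_ip, route.cidrs) then
                    -- Don't redirect a request that already arrived on the
                    -- customer's own hostname, or you get a redirect loop.
                    if ngx.var.host ~= route.host then
                        return ngx.redirect("https://" .. route.host .. ngx.var.request_uri,
                                            ngx.HTTP_MOVED_TEMPORARILY)
                    end
                    return   -- right host already; let the request through
                end
            end

            -- Not inside any whitelisted block: David's "deny" case.
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        }

        proxy_pass http://backend;   # assumed upstream
    }
}
```

If the blocks for two customers ever overlap, the order of corp_routes decides the winner, so keep the more specific blocks first.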

Ming

Jan 20, 2016, 9:04:08 PM
to openresty-en
You can use ngx_http_geo_module to check the IP list, and use Lua code to decide which server to redirect to.
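Ming's alternative as an added example (not from the original reply): geo does the CIDR matching in the http context, a map turns the label into a hostname, and a short Lua handler decides what to do. The hostnames and the corp1 block come from David's post; the corp2 block, the backend upstream and the proxy address in the comment are assumed.

```nginx
# Added example: ngx_http_geo_module classifies $remote_addr by CIDR block,
# Lua performs the redirect. geo uses a radix tree, so thousands of blocks
# are fine; the variable is computed once per request on first use.

http {
    geo $corp {
        default        none;
        192.168.1.0/24 corp1;
        192.178.1.0/24 corp2;        # assumed block
        # proxy 10.0.0.5;            # only for a trusted front proxy: geo then
                                     # reads X-Forwarded-For for connections
                                     # coming from that address, and no other
    }

    # Label -> target host. An empty string means "not whitelisted".
    map $corp $corp_host {
        default "";
        corp1   corp1.domain.com;
        corp2   corp2.domain.com;
    }

    server {
        listen 80;
        server_name _;

        location / {
            access_by_lua_block {
                local target = ngx.var.corp_host
                if target == "" then
                    return ngx.exit(ngx.HTTP_FORBIDDEN)   -- deny unknown blocks
                end
                if ngx.var.host ~= target then             -- avoid a redirect loop
                    return ngx.redirect("https://" .. target .. ngx.var.request_uri)
                end
            }
            proxy_pass http://backend;   # assumed upstream
        }
    }
}
```

If nothing else in the request needs Lua, the access_by_lua_block can be replaced by `if ($corp_host != "") { return 302 https://$corp_host$request_uri; }`, which is one of the safe uses of nginx's `if`; denying the unmatched case then becomes a second `if` with `return 403`.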

irt_m...@ntworkers.com

Jan 21, 2016, 3:58:43 AM
to openresty-en
Hi David,

If you have to use IP blocks,
maybe you should write some calculation function with hexadecimal.

IPv4 can be converted to hexadecimal. Then you can compare IPs easily.

This is just my idea.
ex.
- 192.168.1.0/24 range is 192.168.1.0 - 192.168.1.255
- calculate the first (min) IP and last (max) IP: c0a80100 - c0a801ff
- you can also convert ngx.var.remote_addr to hexadecimal
- then you can calculate whether the incoming IP is in the range c0a80100 - c0a801ff or not

BTW, I understand your use case, and this idea is not useful for your case.
If you use my idea, you need to convert all the whitelist IP blocks and compare. It is high cost.

Another idea is using NoSQL like memcached, or just use ngx.shared.DICT.

ex.
192.168.1.0/24 range is 192.168.1.0 - 192.168.1.255
- put all IP addresses in the range into NoSQL like "{key: 192.168.1.0, value: true}", "{key: 192.168.1.1, value: true}", "{key: 192.168.1.2, value: true}" ... "{key: 192.168.1.255, value: true}"
*note* this is not nginx's work. You should prepare some client program to do that.
- Then you can compare very simply. You just ask NoSQL whether the key ngx.var.remote_addr exists or not.

Sorry for my poor English.

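The range arithmetic described in the message above, carried through as an added example in plain Lua 5.1/LuaJIT (not code from the original post). It works on the 32-bit integer value of the address instead of the hex string, which is the same comparison, and it also handles the cost concern raised there: the blocks are parsed once into numeric ranges and the per-request work is two integer comparisons per block. No bit library is needed, so it runs outside nginx as well. The whitelist and hostnames are constructed from David's use case; the 203.0.113.16/28 block is made up to show a boundary that is not a /24.

```lua
-- Added example: CIDR whitelist lookup by integer range, plain Lua.

-- Dotted-quad string -> 32-bit unsigned number, or nil if malformed.
-- Doubles represent every integer below 2^53 exactly, so 2^32 is safe.
local function ip4_to_int(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- "192.168.1.0/24" -> lower, upper (inclusive). A bare address is a /32.
-- Host bits of the base address are cleared, so "192.168.1.77/24" still
-- yields 192.168.1.0 .. 192.168.1.255 (c0a80100 .. c0a801ff in hex).
local function parse_cidr(cidr)
  local ip, bits = cidr:match("^([%d%.]+)/(%d+)$")
  if not ip then ip, bits = cidr, "32" end
  bits = tonumber(bits)
  local base = ip4_to_int(ip)
  if not base or bits > 32 then return nil end
  local size  = 2 ^ (32 - bits)        -- number of addresses in the block
  local lower = base - (base % size)   -- clear the host bits
  return lower, lower + size - 1
end

-- Parse the whitelist once (in nginx: at init time) into numeric ranges.
local function build_table(routes)
  local parsed = {}
  for _, r in ipairs(routes) do
    for _, cidr in ipairs(r.cidrs) do
      local lo, hi = parse_cidr(cidr)
      assert(lo, "bad CIDR in whitelist: " .. cidr)  -- fail at startup, not per request
      parsed[#parsed + 1] = { lo = lo, hi = hi, host = r.host }
    end
  end
  return parsed
end

-- First matching range wins; nil means "not whitelisted".
local function lookup(parsed, ip)
  local n = ip4_to_int(ip)
  if not n then return nil end          -- malformed input is never whitelisted
  for _, e in ipairs(parsed) do
    if n >= e.lo and n <= e.hi then return e.host end
  end
  return nil
end

-- Constructed sample data matching the use case in the thread.
local routes = {
  { host = "corp1.domain.com", cidrs = { "192.168.1.0/24" } },
  { host = "corp2.domain.com", cidrs = { "192.178.1.0/24", "203.0.113.16/28" } },
}
local whitelist = build_table(routes)

-- Self-checks: the /24 from the post spans c0a80100 .. c0a801ff.
assert(parse_cidr("192.168.1.0/24") == 0xc0a80100)
assert(select(2, parse_cidr("192.168.1.0/24")) == 0xc0a801ff)
assert(lookup(whitelist, "192.168.1.1")  == "corp1.domain.com")
assert(lookup(whitelist, "192.178.1.1")  == "corp2.domain.com")
assert(lookup(whitelist, "203.0.113.31") == "corp2.domain.com")  -- last address of the /28
assert(lookup(whitelist, "203.0.113.32") == nil)                 -- one past the block
assert(lookup(whitelist, "192.168.2.1")  == nil)
assert(lookup(whitelist, "999.1.1.1")    == nil)                 -- malformed input
print("all checks passed")
```

Inside OpenResty the same lookup would be called from access_by_lua with ngx.var.remote_addr, with build_table run once in init_by_lua. For a list of thousands of blocks a linear scan is still cheap, but sorting the ranges and bisecting, or using the geo module, scales better.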

Hamish Forbes

Jan 21, 2016, 4:57:35 AM
to openresty-en
Hi,

This is pretty much exactly what lua-resty-iputils will do.
You'll just need to create a couple of tables listing your CIDRs and apply a tiny bit of logic in Lua to find out which set the remote address is in and perform a redirect.

What is it that you feel is missing?

Hamish

irt_m...@ntworkers.com

Jan 21, 2016, 5:36:38 AM
to openresty-en
Hi Hamish,

Oops, I didn't know your module, sorry.

To David,

Hamish is right. Maybe the lua-resty-iputils module completely covers your need.

But, if you have hundreds or thousands of whitelist IP blocks, or
if you want to update the whitelist table dynamically,

ex.)
local dict = ngx.shared.whitelist

if dict:get(ngx.var.remote_addr) then
  -- something you need
  return
end

Anyway, if you need to update the whitelist dynamically,
you have to think about nginx restarts.



Hamish Forbes

Jan 21, 2016, 6:14:33 AM
to openresty-en
Using the shared dict like that, you would have to have an entry for every IP in a range, though.
Or you'd have to parse the CIDR from a string every time.

Something to be aware of at least.

irt_m...@ntworkers.com

Jan 21, 2016, 6:33:33 AM
to openresty-en
To Hamish,

Yes, just in case, it needs an entry for every IP in a range.
If it uses redis or memcached instead of a shared dict,
parsing them and putting them in are not nginx's task; it is just another client program's task.
So nginx can be simple, I think.
But I like your module. Awesome.

To David,
If there are multiple servers, data like a whitelist needs to be shared between them.
If you put the IP list in the Lua code directly, updating it is a little bit troublesome.
So whitelist data should be outside of nginx, I recommend.


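A way to get what the last three messages ask for at once, as an added example that is not from the thread: the CIDR list lives outside the Lua code, an external program pushes it into a shared dict through a locked-down admin endpoint (so every server can be updated without a restart), and each worker re-parses the strings only when a version counter in the dict changes, which answers Hamish's objection about parsing on every request or expanding a block into one key per address. It assumes lua-resty-iputils (parse_cidrs, ip_in_cidrs, and that parse_cidr returns nil for an invalid entry) and the cjson module bundled with OpenResty; the admin path, the trusted admin address 10.0.0.9 and the backend upstream are made up.

```nginx
# Added example: externally managed CIDR whitelist, cached per worker by version.

lua_shared_dict whitelist 1m;

init_by_lua_block {
    local iputils = require "resty.iputils"
    iputils.enable_lrucache()

    -- Seed the dict so the first request has a list to work with. The value is
    -- ONE JSON array of CIDR strings, not one key per address: expanding a /16
    -- into 65,536 keys is exactly what Hamish warns about above.
    local cjson = require "cjson.safe"
    local dict  = ngx.shared.whitelist
    dict:set("cidrs", cjson.encode({ "192.168.1.0/24", "192.178.1.0/24" }))
    dict:set("version", 1)

    -- Per-worker cache of the parsed ranges (each worker forks its own copy).
    whitelist_cache = { version = nil, parsed = {} }
}

server {
    listen 80;

    # Replaced by an external program or a config-management hook with
    # PUT /admin/whitelist and a JSON array body. Lock it down: whoever can
    # reach this path controls the whitelist on this server.
    location = /admin/whitelist {
        allow 127.0.0.1;
        allow 10.0.0.9;        # assumed management host
        deny  all;

        content_by_lua_block {
            local cjson   = require "cjson.safe"
            local iputils = require "resty.iputils"
            if ngx.req.get_method() ~= "PUT" then
                return ngx.exit(ngx.HTTP_NOT_ALLOWED)
            end
            ngx.req.read_body()
            local body  = ngx.req.get_body_data()
            local cidrs = body and cjson.decode(body)
            if type(cidrs) ~= "table" then
                return ngx.exit(ngx.HTTP_BAD_REQUEST)
            end
            -- Validate before publishing: one bad entry must not take the
            -- whitelist out of service in every worker at once.
            for _, c in ipairs(cidrs) do
                if type(c) ~= "string" or not iputils.parse_cidr(c) then
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("invalid CIDR: ", tostring(c))
                    return ngx.exit(ngx.HTTP_BAD_REQUEST)
                end
            end
            local dict = ngx.shared.whitelist
            dict:set("cidrs", cjson.encode(cidrs))
            dict:incr("version", 1)     -- marks every worker's cache stale
            ngx.say("ok")
        }
    }

    location / {
        access_by_lua_block {
            local iputils = require "resty.iputils"
            local cjson   = require "cjson.safe"
            local dict    = ngx.shared.whitelist
            local cache   = whitelist_cache

            -- Hot path: one dict:get for the version; the CIDR strings are
            -- re-parsed only when an update happened since this worker last looked.
            local version = dict:get("version")
            if version ~= cache.version then
                local cidrs   = cjson.decode(dict:get("cidrs") or "[]") or {}
                cache.parsed  = iputils.parse_cidrs(cidrs)
                cache.version = version
            end

            if not iputils.ip_in_cidrs(ngx.var.remote_addr, cache.parsed) then
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }
        proxy_pass http://backend;   # assumed upstream
    }
}
```

The shared dict is per nginx instance, so with several servers the external program has to PUT the same list to each of them (or they can pull it from redis on a timer, as irt_m suggests); the version check keeps the per-request cost the same either way.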

davidsnt

Jan 21, 2016, 3:47:49 PM
to openre...@googlegroups.com
Thank you for your input, guys, very helpful.

--David

Nelson, Erik - 2

Jan 25, 2016, 1:22:15 PM
to openre...@googlegroups.com
What's the current best practice for efficient/fast serializing of data, to disk or otherwise? JSON, protocol buffers, flat buffers?

Thanks

Erik


Ming

Jan 26, 2016, 9:01:10 PM
to openresty-en
I think it depends on your data and its size.

Maybe you can test with your data, comparing against JSON.
