
Merge pull request #187 from skx/master

Allow whitelisting by CIDR range, not just by literal IP address.
chrislusf 9 years ago
1e78b8bc28
  1. 21
      go/security/guard.go

21
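--- a/go/security/guard.go
+++ b/go/security/guard.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "fmt"
 "net"
+"regexp"
 "net/http"
 "github.com/chrislusf/seaweedfs/go/glog"
@@ -88,6 +89,26 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
 host, _, err := net.SplitHostPort(r.RemoteAddr)
 if err == nil {
 for _, ip := range g.whiteList {
+// If the whitelist entry contains a "/" it
+// is a CIDR range, and we should check the
+// remote host is within it
+match, _ := regexp.MatchString("/", ip)
+if ( match ) {
+_, cidrnet, err := net.ParseCIDR(ip)
+if err != nil {
+panic(err)
+}
+remote := net.ParseIP(host)
+if cidrnet.Contains(remote) {
+return nil
+}
+}
+//
+// Otherwise we're looking for a literal match.
+//
+if ip == host {
+return nil
+}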
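Review bot: `panic(err)` after `net.ParseCIDR(ip)` turns a single malformed whitelist entry into a panic on every request that reaches this loop, and `regexp.MatchString("/", ip)` compiles a pattern for each whitelist entry on each request; a plain `strings.Contains(ip, "/")` is the idiom, and a bad entry should be skipped with a logged warning (still fail-closed, since no match is returned) rather than panicked on, with the parse ideally hoisted to wherever g.whiteList is populated, which is outside this hunk. A remote host that is not a valid IP makes `net.ParseIP(host)` return nil and `cidrnet.Contains(nil)` reports false, so that path already fails closed. Dropping the regexp lets the `"regexp"` import added in the first hunk become `"strings"`. The enclosing checkWhiteList function continues past the end of the hunk.
```go
for _, ip := range g.whiteList {
	// A "/" marks a CIDR range; anything else is compared literally below.
	if strings.Contains(ip, "/") {
		_, cidrnet, err := net.ParseCIDR(ip)
		if err != nil {
			// Malformed operator entry: ignore it (fail closed) instead of panicking per request.
			glog.V(0).Infof("ignoring malformed whitelist entry %q: %v", ip, err)
			continue
		}
		if cidrnet.Contains(net.ParseIP(host)) {
			return nil
		}
	}
	// … unchanged: literal match against host …
```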
