diff options
| author | chrislusf <chris.lu@gmail.com> | 2015-09-05 00:09:30 -0700 |
|---|---|---|
| committer | chrislusf <chris.lu@gmail.com> | 2015-09-05 00:09:30 -0700 |
| commit | 1e78b8bc28eadcc181006cd6bbf218d1539a24bf (patch) | |
| tree | 7ae22ce75576cfcacd1b4f945fed9173ce80e028 /go/security | |
| parent | 91db227b27d45389e982a945d947bffa6e21812f (diff) | |
| parent | 2a777a970cf5fde01893340d3281214839e622d6 (diff) | |
| download | seaweedfs-1e78b8bc28eadcc181006cd6bbf218d1539a24bf.tar.xz seaweedfs-1e78b8bc28eadcc181006cd6bbf218d1539a24bf.zip | |
Merge pull request #187 from skx/master
Allow whitelisting by CIDR range, not just literally.
Diffstat (limited to 'go/security')
| -rw-r--r-- | go/security/guard.go | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/go/security/guard.go b/go/security/guard.go index bde938dba..b93845448 100644 --- a/go/security/guard.go +++ b/go/security/guard.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "net" + "regexp" "net/http" "github.com/chrislusf/seaweedfs/go/glog" @@ -88,6 +89,26 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { host, _, err := net.SplitHostPort(r.RemoteAddr) if err == nil { for _, ip := range g.whiteList { + + // If the whitelist entry contains a "/" it + // is a CIDR range, and we should check the + // remote host is within it + match, _ := regexp.MatchString("/", ip) + if ( match ) { + _, cidrnet, err := net.ParseCIDR(ip) + if err != nil { + panic(err) + } + remote := net.ParseIP(host) + if cidrnet.Contains(remote) { + return nil + } + } + + + // + // Otherwise we're looking for a literal match. + // if ip == host { return nil } |