| author | Steve Kemp <steve@steve.org.uk> | 2015-09-05 10:00:13 +0300 |
|---|---|---|
| committer | Steve Kemp <steve@steve.org.uk> | 2015-09-05 10:00:13 +0300 |
| commit | 2a777a970cf5fde01893340d3281214839e622d6 (patch) | |
| tree | 7ae22ce75576cfcacd1b4f945fed9173ce80e028 /go | |
| parent | 91db227b27d45389e982a945d947bffa6e21812f (diff) | |
Allow whitelisting by CIDR range, not just literally.
This allows you to write something like this:
/usr/local/bin/weed master -mdir /srv/weed/master -whiteList=192.168.0.0/24,127.0.0.1
This will whitelist all the 192.168.0.XX hosts, as well as localhost.
Diffstat (limited to 'go')
| -rw-r--r-- | go/security/guard.go | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/go/security/guard.go b/go/security/guard.go
index bde938dba..b93845448 100644
--- a/go/security/guard.go
+++ b/go/security/guard.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"regexp"
 	"net/http"
 
 	"github.com/chrislusf/seaweedfs/go/glog"
@@ -88,6 +89,26 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
 	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err == nil {
 		for _, ip := range g.whiteList {
+
+			// If the whitelist entry contains a "/" it
+			// is a CIDR range, and we should check the
+			// remote host is within it
+			match, _ := regexp.MatchString("/", ip)
+			if ( match ) {
+				_, cidrnet, err := net.ParseCIDR(ip)
+				if err != nil {
+					panic(err)
+				}
+				remote := net.ParseIP(host)
+				if cidrnet.Contains(remote) {
+					return nil
+				}
+			}
+
+
+			//
+			// Otherwise we're looking for a literal match.
+			//
 			if ip == host {
 				return nil
 			}
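Review bot: The new `"regexp"` import is inserted between `"net"` and `"net/http"`, breaking the sorted order gofmt/goimports keep for an import group. It is also used only in the second hunk to test whether a whitelist entry contains a literal `/`, which `strings.Contains(ip, "/")` answers without compiling a regular expression for every entry on every request. If that substitution is made, this added line becomes `"strings"` and belongs after `"net/http"`.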
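Review bot: `panic(err)` on a malformed CIDR entry runs inside the request path, so a typo in the -whiteList flag is discovered only when the first request arrives and then aborts that request (and every later one that reaches the same entry), even though the entry is operator configuration rather than request input; net.ParseCIDR is likewise re-run for every entry on every request. Presumably the Guard is built by a constructor outside this hunk that receives the whitelist; parsing the CIDR entries there into a `[]*net.IPNet`, rejecting bad ones once with an error at startup, and iterating that list here would remove both problems. As a minimal change confined to this hunk, `if strings.Contains(ip, "/") {` replaces the regexp test and the panic becomes `glog.V(0).Infof("skipping invalid whitelist entry %q: %v", ip, err)` followed by `continue` (which needs "strings" in the import block). The inner `_, cidrnet, err :=` also shadows the outer err from SplitHostPort, harmless here but worth a distinct name. checkWhiteList's body continues past the end of the hunk.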
