Add an initial POC version that only works with CIDR whitelists

Author: esidate

README.md

@@ -1,5 +1,26 @@
-# lua-resty-whitelist
+# Lua Resty Whitelist
 
-Lua NGINX dynamic allowlist based on ngx_lua module and OpenResty
+Dynamic whitelist in Lua based on ngx_lua for NGINX and OpenResty
 
-:warning: under construction
+:warning: Under construction
+
+## Publish to LuaRocks
+
+```sh
+# Upload to LuaRocks
+luarocks upload lua-resty-whitelist-*.rockspec
+
+# Create a source rock
+luarocks pack lua-resty-whitelist-*.rockspec
+```
+
+## Running the demo
+
+```sh
+cd demo
+docker-compose up # visit openresty at localhost:80
+# Run a local server to serve the IP lists to simulate a dynamic IP whitelist
+# Depending on the configuration, the server is genereally accessible inside the openrest docker container at 172.18.0.1
+python -m http.server 9001
+# Edit the IP list files to experiment with the configuration
+```

demo/Dockerfile.openresty

@@ -0,0 +1,14 @@
+FROM openresty/openresty:latest
+
+RUN apt-get -y update && apt-get -y install wget make unzip && \
+    wget http://luarocks.org/releases/luarocks-2.0.13.tar.gz && \
+    tar -xzvf luarocks-2.0.13.tar.gz && \
+    cd luarocks-2.0.13/ && \
+    ./configure --prefix=/usr/local/openresty/luajit \
+    --with-lua=/usr/local/openresty/luajit/ \
+    --lua-suffix=jit \
+    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 && \
+    make && make install
+
+RUN luarocks install lua-resty-iputils
+RUN luarocks install lua-resty-http

demo/default.conf

@@ -0,0 +1,17 @@
+lua_package_path "/usr/local/lib/lua/?.lua;;";
+
+server {
+    listen 80;
+    server_name localhost;
+
+    resolver 1.1.1.1 ipv6=off;
+
+    location / {
+        lua_code_cache on;
+        access_by_lua_block {
+            local whitelist = require "resty.whitelist"
+            local url = "http://172.18.0.1:9001/list-cloudfront-ips.json"
+            whitelist.new(url)
+        }
+    }
+}

demo/docker-compose.yaml

@@ -0,0 +1,16 @@
+version: '3.7'
+
+services:
+  openresty:
+    restart: always
+    build:
+      context: .
+      dockerfile: Dockerfile.openresty
+    container_name: openresty
+    volumes:
+      - "./default.conf:/etc/nginx/conf.d/default.conf:ro"
+      - "../lib/resty/whitelist.lua:/usr/local/lib/lua/resty/whitelist.lua:ro"
+    ports:
+      - "80:80"
+    expose:
+      - "80"

demo/list-cloudflare-ips.txt

@@ -0,0 +1,15 @@
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/13
+104.24.0.0/14
+172.64.0.0/13
+131.0.72.0/22

demo/list-cloudfront-ips.json

@@ -0,0 +1,138 @@
+{
+  "CLOUDFRONT_GLOBAL_IP_LIST": [
+    "120.52.22.96/27",
+    "205.251.249.0/24",
+    "180.163.57.128/26",
+    "204.246.168.0/22",
+    "18.160.0.0/15",
+    "205.251.252.0/23",
+    "54.192.0.0/16",
+    "204.246.173.0/24",
+    "54.230.200.0/21",
+    "120.253.240.192/26",
+    "116.129.226.128/26",
+    "130.176.0.0/17",
+    "108.156.0.0/14",
+    "99.86.0.0/16",
+    "205.251.200.0/21",
+    "223.71.71.128/25",
+    "13.32.0.0/15",
+    "120.253.245.128/26",
+    "13.224.0.0/14",
+    "70.132.0.0/18",
+    "15.158.0.0/16",
+    "13.249.0.0/16",
+    "18.238.0.0/15",
+    "18.244.0.0/15",
+    "205.251.208.0/20",
+    "65.9.128.0/18",
+    "130.176.128.0/18",
+    "58.254.138.0/25",
+    "54.230.208.0/20",
+    "116.129.226.0/25",
+    "52.222.128.0/17",
+    "18.164.0.0/15",
+    "64.252.128.0/18",
+    "205.251.254.0/24",
+    "54.230.224.0/19",
+    "71.152.0.0/17",
+    "216.137.32.0/19",
+    "204.246.172.0/24",
+    "18.172.0.0/15",
+    "120.52.39.128/27",
+    "118.193.97.64/26",
+    "223.71.71.96/27",
+    "18.154.0.0/15",
+    "54.240.128.0/18",
+    "205.251.250.0/23",
+    "180.163.57.0/25",
+    "52.46.0.0/18",
+    "223.71.11.0/27",
+    "52.82.128.0/19",
+    "54.230.0.0/17",
+    "54.230.128.0/18",
+    "54.239.128.0/18",
+    "130.176.224.0/20",
+    "36.103.232.128/26",
+    "52.84.0.0/15",
+    "143.204.0.0/16",
+    "144.220.0.0/16",
+    "120.52.153.192/26",
+    "119.147.182.0/25",
+    "120.232.236.0/25",
+    "54.182.0.0/16",
+    "58.254.138.128/26",
+    "120.253.245.192/27",
+    "54.239.192.0/19",
+    "18.68.0.0/16",
+    "18.64.0.0/14",
+    "120.52.12.64/26",
+    "99.84.0.0/16",
+    "130.176.192.0/19",
+    "52.124.128.0/17",
+    "204.246.164.0/22",
+    "13.35.0.0/16",
+    "204.246.174.0/23",
+    "36.103.232.0/25",
+    "119.147.182.128/26",
+    "118.193.97.128/25",
+    "120.232.236.128/26",
+    "204.246.176.0/20",
+    "65.8.0.0/16",
+    "65.9.0.0/17",
+    "108.138.0.0/15",
+    "120.253.241.160/27",
+    "64.252.64.0/18"
+  ],
+  "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": [
+    "13.113.196.64/26",
+    "13.113.203.0/24",
+    "52.199.127.192/26",
+    "13.124.199.0/24",
+    "3.35.130.128/25",
+    "52.78.247.128/26",
+    "13.233.177.192/26",
+    "15.207.13.128/25",
+    "15.207.213.128/25",
+    "52.66.194.128/26",
+    "13.228.69.0/24",
+    "52.220.191.0/26",
+    "13.210.67.128/26",
+    "13.54.63.128/26",
+    "99.79.169.0/24",
+    "18.192.142.0/23",
+    "35.158.136.0/24",
+    "52.57.254.0/24",
+    "13.48.32.0/24",
+    "18.200.212.0/23",
+    "52.212.248.0/26",
+    "3.10.17.128/25",
+    "3.11.53.0/24",
+    "52.56.127.0/25",
+    "15.188.184.0/24",
+    "52.47.139.0/24",
+    "18.229.220.192/26",
+    "54.233.255.128/26",
+    "3.231.2.0/25",
+    "3.234.232.224/27",
+    "3.236.169.192/26",
+    "3.236.48.0/23",
+    "34.195.252.0/24",
+    "34.226.14.0/24",
+    "13.59.250.0/26",
+    "18.216.170.128/25",
+    "3.128.93.0/24",
+    "3.134.215.0/24",
+    "52.15.127.128/26",
+    "3.101.158.0/23",
+    "52.52.191.128/26",
+    "34.216.51.0/25",
+    "34.223.12.224/27",
+    "34.223.80.192/26",
+    "35.162.63.192/26",
+    "35.167.191.128/26",
+    "44.227.178.0/24",
+    "44.234.108.128/25",
+    "44.234.90.252/30"
+  ]
+}

dist.ini

@@ -1,5 +1,5 @@
 name=lua-resty-whitelist
-abstract=Lua NGINX dynamic allowlist based on ngx_lua module and OpenResty
+abstract=Dynamic whitelist in Lua based on ngx_lua for NGINX and OpenResty
 author=El Mahdi Sidate
 is_original=yes
 license=mit

lib/resty/whitelist.lua

@@ -1,9 +1,102 @@
-local _M = {
-    _VERSION = '0.0.1'
-}
+local iputils = require "resty.iputils"
+local http = require "resty.http"
+
+local ngx = ngx
 
-local mt = {
-    __index = _M
+local whitelist_m = {
+    _VERSION = '0.1-0'
 }
 
-return _M
+whitelist_m.__index = whitelist_m
+
+local validation_message =
+    "[lua-resty-whitelist] whitelist URL must be either a non-empty string or table of non-empty strings."
+
+local function istable(t)
+    return type(t) == 'table'
+end
+
+local function is_empty(s)
+    return s == nil or s == ''
+end
+
+local function fetch_whitelist(url)
+    iputils.enable_lrucache()
+
+    local httpc = http.new()
+    local res, err = httpc:request_uri(url, {
+        method = "GET",
+        ssl_verify = false,
+        headers = {
+            ["Content-Type"] = "application/x-www-form-urlencoded"
+        }
+    })
+
+    local status = res and res.status or nil
+    local body = res and res.body or nil
+
+    if (not res) or (not body) or (status and (status < 200 or status >= 300)) or err then
+        ngx.log(ngx.ERR, "[lua-resty-whitelist] failed to fetch whitelist => url: " .. url .. ", status: " .. status ..
+            ", body: " .. body, err)
+        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+    end
+
+    local whitelist = body .. " "
+    local whitelist_array = {}
+
+    -- Extract CIRDs
+    for ip in string.gmatch(whitelist, "((%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)/(%d%d?))") do
+        table.insert(whitelist_array, ip)
+    end
+
+    -- local whitelist_concat = table.concat(whitelist_array, ", ")
+    -- ngx.log(ngx.ERR, "[lua-resty-whitelist] CIRDs: " .. whitelist_concat)
+
+    -- TODO: Extract normal IPs as well
+
+    -- -- Extract IPs
+    -- for ip in string.gmatch(whitelist, "((%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)$)") do
+    --     table.insert(whitelist_array, string.sub(ip, 1, -2))
+    -- end
+
+    -- whitelist_concat = table.concat(whitelist_array, ", ")
+    -- ngx.log(ngx.ERR, "[lua-resty-whitelist] whitelist_concat: " .. whitelist_concat)
+
+    return whitelist_array
+end
+
+local function match_ip_whitelist(ip, whitelist_array)
+    local whitelist = iputils.parse_cidrs(whitelist_array)
+    if not iputils.ip_in_cidrs(ip, whitelist) then
+        return ngx.exit(ngx.HTTP_FORBIDDEN)
+    end
+end
+
+function whitelist_m.new(url)
+
+    if is_empty(url) then
+        ngx.log(ngx.ERR, validation_message)
+        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+    end
+
+    local whitelist_array = {}
+
+    if istable(url) then
+        for _, u in ipairs(url) do
+            if is_empty(u) then
+                ngx.log(ngx.ERR, validation_message)
+                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+            end
+
+            for _, v in ipairs(fetch_whitelist(u)) do
+                table.insert(whitelist_array, v)
+            end
+        end
+    else
+        whitelist_array = fetch_whitelist(url)
+    end
+
+    match_ip_whitelist(ngx.var.remote_addr, whitelist_array)
+end
+
+return whitelist_m

lua-resty-whitelist-0.0.1.rockspec renamed to lua-resty-whitelist-0.1-0.rockspec

@@ -1,19 +1,20 @@
 package = "lua-resty-whitelist"
-version = "0.0.0"
+version = "0.1-0"
 
 source = {
   url = "git+https://github.com/esidate/lua-resty-whitelist",
-  tag = "v0.0.0",
+  tag = "v0.1-0",
 }
 
 description = {
-  summary = "Lua NGINX dynamic allowlist based on ngx_lua module and OpenResty",
+  summary = "Dynamic whitelist in Lua based on ngx_lua for NGINX and OpenResty",
   license = "MIT",
 }
 
 dependencies = {
   "lua >= 5.1",
-  "resty.iputils => 0.3.0"
+  "resty.iputils >= 0.3",
+  "resty.http >= 0.15",
 }
 
 build = {