Skip to content

Commit d26f9da

Browse files
committed
readme
0 parents  commit d26f9da

1 file changed

Lines changed: 46 additions & 0 deletions

File tree

readme.md

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
# Allow IP Request Plugin
2+
3+
This is a **Traefik middleware plugin** that implements a dynamic IP whitelisting mechanism. It protects your services by blocking all requests by default while allowing users to self-whitelist their IP address by visiting a specific "knock" URL.
4+
5+
## Features
6+
7+
- **Block by Default**: Denies access to all unauthorized requests with a `403 Forbidden` status.
8+
- **Dynamic "Knock" Whitelisting**: Users can grant themselves temporary access by visiting a specific URL (default: `/knock-knock`).
9+
- **Static Trusted Subnets**: Define a list of CIDR ranges (e.g., local networks, VPNs) that always have access.
10+
- **Admin Dashboard**: Trusted subnets can access a dashboard (at `/view-allow-ips`) to monitor active whitelisted IPs and their expiration times.
11+
- **Configurable Duration**: Control how long a dynamic whitelist entry remains valid.
12+
13+
## Configuration
14+
15+
To use this plugin, you must configure it in your Traefik dynamic configuration.
16+
17+
### Configuration Options
18+
19+
| Option | Type | Default | Description |
20+
|:--- |:--- |:--- |:--- |
21+
| `knockUrl` | `string` | `"/knock-knock"` | The specific URL path users must visit to whitelist their IP. |
22+
| `whitelistDuration` | `string` | `"24h"` | How long the IP remains whitelisted (e.g., "1h", "30m"). |
23+
| `allowedSubnets` | `[]string` | `["192.168.0.0/16", ...]` | List of CIDR ranges that bypass the knock check and can view the admin page. |
24+
25+
### Example Middleware Configuration
26+
27+
```yaml
28+
http:
29+
middlewares:
30+
my-ip-allowlist:
31+
plugin:
32+
allowiprequest:
33+
knockUrl: "/knock-knock"
34+
whitelistDuration: "24h"
35+
allowedSubnets:
36+
- "127.0.0.1/32"
37+
- "192.168.1.0/24"
38+
```
39+
40+
## How It Works
41+
42+
1. **Initial Access**: When an unknown user tries to access your service, they receive a `403 Forbidden` error.
43+
2. **Whitelisting**: The user visits the configured `knockUrl` (e.g., `https://your-service.com/secret-knock`).
44+
3. **Confirmation**: The plugin displays an "Access Granted" page and records the user's IP.
45+
4. **Access**: The user can now access the service normally until the `whitelistDuration` expires.
46+
5. **Monitoring**: Administrators connecting from an IP in `allowedSubnets` can visit `/view-allow-ips` to see the table of currently allowed IPs.

0 commit comments

Comments
 (0)