Add --allow-ip flag for IP-based access control

Requests from IPs not in the allowlist are rejected with 403 Forbidden.
Uses CF-Connecting-IP (or X-Forwarded-For) header to identify the real
client IP. Blocked requests still appear in the TUI dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: gitrc

Cargo.lock

@@ -57,4 +57,9 @@ pub struct Args {
     /// Update the cached cloudflared binary to the latest version
     #[arg(long)]
     pub update: bool,
+
+    /// Only allow requests from these IPs (checked via CF-Connecting-IP header).
+    /// Can be specified multiple times. When set, all other IPs get 403.
+    #[arg(long = "allow-ip", env = "CFPROXY_ALLOW_IP", value_delimiter = ',')]
+    pub allow_ip: Vec<String>,
 }

src/cli.rs

@@ -12,6 +12,7 @@ pub struct Config {
     pub mock_rules: Vec<MockRule>,
     pub host: Option<String>,
     pub quick: bool,
+    pub allow_ips: Vec<String>,
 }
 
 impl Config {
@@ -42,6 +43,7 @@ impl Config {
             mock_rules,
             host: args.host,
             quick: args.quick,
+            allow_ips: args.allow_ip,
         }
     }
 }
@@ -77,6 +79,7 @@ mod tests {
             purge: false,
             doctor: false,
             update: false,
+            allow_ip: Vec::new(),
         };
         let config = Config::from_args(args);
         assert!(!config.auto_download);

src/config.rs

@@ -96,7 +96,7 @@ async fn main() -> error::Result<()> {
     }
 
     // Start local reverse proxy to capture HTTP requests
-    let proxy_port = proxy::start(config.port, tx.clone(), config.auth, mock_rules.clone()).await?;
+    let proxy_port = proxy::start(config.port, tx.clone(), config.auth, mock_rules.clone(), config.allow_ips).await?;
     tracing::info!("request logger listening on 127.0.0.1:{}", proxy_port);
 
     let port = config.port;

src/main.rs

@@ -1,3 +1,4 @@
+use std::collections::HashSet;
 use std::sync::Arc;
 use std::time::Instant;
 
@@ -17,17 +18,22 @@ use crate::error::Result;
 use crate::event::{HeaderPair, HttpRequest, TunnelEvent, WebSocketFrame, WsDirection, WsOpcode};
 use crate::mock::MockRules;
 
+/// IP allowlist: when non-empty, only listed IPs may access the proxy.
+pub type AllowIps = Arc<HashSet<String>>;
+
 /// Start a local reverse proxy that forwards to `target_port` and logs requests.
 /// Returns the port the proxy is listening on.
 pub async fn start(
     target_port: u16,
     tx: mpsc::Sender<TunnelEvent>,
     auth: Option<(String, String)>,
     mock_rules: MockRules,
+    allow_ips: Vec<String>,
 ) -> Result<u16> {
     let listener = TcpListener::bind("127.0.0.1:0").await?;
     let proxy_port = listener.local_addr()?.port();
     let auth = auth.map(Arc::new);
+    let allow_ips: AllowIps = Arc::new(allow_ips.into_iter().collect());
 
     tokio::spawn(async move {
         loop {
@@ -38,14 +44,16 @@ pub async fn start(
             let tx = tx.clone();
             let auth = auth.clone();
             let mock_rules = mock_rules.clone();
+            let allow_ips = allow_ips.clone();
             let io = TokioIo::new(stream);
 
             tokio::spawn(async move {
                 let svc = service_fn(move |req| {
                     let tx = tx.clone();
                     let auth = auth.clone();
                     let mock_rules = mock_rules.clone();
-                    handle(req, target_port, tx, auth, mock_rules)
+                    let allow_ips = allow_ips.clone();
+                    handle(req, target_port, tx, auth, mock_rules, allow_ips)
                 });
                 let conn = http1::Builder::new()
                     .serve_connection(io, svc)
@@ -66,6 +74,7 @@ async fn handle(
     tx: mpsc::Sender<TunnelEvent>,
     auth: Option<Arc<(String, String)>>,
     mock_rules: MockRules,
+    allow_ips: AllowIps,
 ) -> std::result::Result<Response<Full<Bytes>>, hyper::Error> {
     let start = Instant::now();
     let method = req.method().to_string();
@@ -81,6 +90,42 @@ async fn handle(
     let user_agent = header_val(req.headers(), "user-agent");
     let request_headers = collect_headers(req.headers());
 
+    // Check IP allowlist before anything else
+    if !allow_ips.is_empty() {
+        let allowed = remote_ip
+            .as_ref()
+            .map(|ip| allow_ips.contains(ip))
+            .unwrap_or(false);
+        if !allowed {
+            let duration = start.elapsed();
+            let _ = tx
+                .send(TunnelEvent::HttpRequest(HttpRequest {
+                    method,
+                    path,
+                    status: 403,
+                    duration,
+                    remote_ip,
+                    country,
+                    user_agent,
+                    request_headers,
+                    response_headers: Vec::new(),
+                    request_size: 0,
+                    response_size: 0,
+                    request_body: None,
+                    response_body: None,
+                    is_websocket: false,
+                    ws_frames: Vec::new(),
+                    is_mock: false,
+                    timestamp: chrono::Local::now(),
+                }))
+                .await;
+            return Ok(Response::builder()
+                .status(hyper::StatusCode::FORBIDDEN)
+                .body(Full::new(Bytes::from("Forbidden")))
+                .unwrap());
+        }
+    }
+
     // Check Basic Auth before forwarding
     if let Some(ref expected) = auth {
         let authorized = header_val(req.headers(), "authorization")