List Based Address Authorizer
An authorizer that supports white- and blacklisting direct and forwarded addresses (coming via a proxy).
AUTHTYPE=org.signserver.server.ListBasedAddressAuthorizer
- WHITELISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses allowed direct access.
- BLACKLISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses denied direct access.
- WHITELISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses allowed access as a forwarded address.
- BLACKLISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses denied access as a forwarded address.
- MAX_FORWARDED_ADDRESSES = Number of IP addresses to inspect in the list of forwarded addresses. (Default: 1).
It is not possible to specify both a white list and a black list at the same time for each of direct and forwarded addresses. One of each list (direct and forwarded) must be specified. When specifying a whitelist for forwarded addresses, requests without an X-Forwarded-For header will always be denied. When there are multiple addresses in the X-Forwarded-For header (in the case of using multiple proxies) the number of addresses specified in MAX_FORWARDED_ADDRESSES counting from the end of the list (or the entire list if it is shorter than this) is considered for white- and blacklisting. If specified, MAX_FORWARDED_ADDRESSES must have a value >= 1. It is not allowed to set it 0 to disable checking forwarded addresses. RemoteAddressAuthorizer should be used in this case.
Examples:
1. To accept requests from all direct addresses except for 10.0.0.5 and for all forwarded addresses except 13.170.18.12 and 13.170.18.13 use:
BLACKLISTED_DIRECT_ADDRESSES=
10.0
.
0.5
BLACKLISTED_FORWARDED_ADDRESSES=
13.170
.
18.12
,
13.170
.
18.13
2. To only accept direct requests from 10.0.0.1 and 10.0.0.2 and from the forwarded address 216.34.181.97 use:
WHITELISTED_DIRECT_ADDRESSES=
10.0
.
0.1
,
10.0
.
0.2
WHITELISTED_FORWARDED_ADDRESS=
216.34
.
181.97
3. To only allow direct access from the proxy servers 10.0.0.1 and 10.0.0.2 but allow them to forward from all address except the to banned addresses 13.170.18.12 and 13.170.18.13 use:
WHITELISTED_DIRECT_ADDRESSES=
10.0
.
0.1
,
10.0
.
0.2
BLACKLISTED_FORWARDED_ADDRESSES=
13.170
.
18.12
,
13.170
.
18.13
4. To accept direct requests from all addresses except 10.0.0.5 but only forwarded from 216.34.181.97 use:
BLACKLISTED_DIRECT_ADDRESSES=
10.0
.
0.5
WHITELISTED_FORWARDED_ADDRESS=
216.34
.
181.97
5. To accept direct request from a proxy server 10.0.1.1 allowing forwarding from another proxy 10.0.2.2 in turn proxying the request from the client with address 192.0.43.10 use:
WHITELISTED_DIRECT_ADDRESSES=
10.0
.
1.1
WHITELISTED_FORWARDED_ADDRESSES=
10.0
.
2.2
,
192.0
.
43.10
MAX_FORWARDED_ADDRESSES=
2
6. To blacklist a set of IP addresses, set the MAX_FORWARDED_ADDRESSES value to a value gauranteed to be larger than the number of proxies you have control over, like in the following example:
BLACKLISTED_FORWARDED_ADDRESSES=
10.0
.
1.1
,
10.0
.
2.2
,
10.0
.
3.3
MAX_FORWARDED_ADDRESSES=
10
Logging: This authorizer will add the remote IP address to the log field AUTHORIZED_ADDRESS and the proxied address (if it's available in the request) in the log field AUTHORIZED_FORWARDED_ADDRESS.