|
1 | 1 | # Lua Resty Whitelist |
2 | 2 |
|
3 | | -Dynamic whitelist in Lua based on ngx_lua for NGINX and OpenResty |
| 3 | +This module can be used to implement a dynamic whitelist in NGINX/OpenResty. This is especially useful to allow access only to some SaaS and Cloud services with dynamic IP addresses, such as Cloudflare, AWS, Azure, etc. For example, some of them may offer security features such as DDOS protection, WAF, etc. but can be bypassed if the origin IP is leaked and the server allows access from any IP address. |
| 4 | +The module accepts any format of the whitelist (e.g JSON, YAML, plain text, etc.) as long as they contain IPs and/or CIDRs. |
4 | 5 |
|
5 | | -:warning: Under construction |
| 6 | +:warning: This project is still in beta. Use at your own risk. |
6 | 7 |
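Review bot: the new description (new lines 3 and 4) motivates the module by origin-IP leakage but does not say what happens when a listed URL cannot be fetched or returns nothing parseable, i.e. whether the request is allowed or denied; that is the property an operator relies on and belongs in this paragraph or in "How to use". Also "as long as they contain" should read "as long as it contains", "e.g" should be "e.g.", and "DDOS" is conventionally written "DDoS".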
|
7 | | -## Publish to LuaRocks |
| 8 | +## How to use |
8 | 9 |
|
9 | | -```sh |
10 | | -# Upload to LuaRocks |
11 | | -luarocks upload lua-resty-whitelist-*.rockspec |
| 10 | +Installation: |
| 11 | + |
| 12 | +```bash |
| 13 | +luarocks install lua-resty-whitelist |
| 14 | +``` |
| 15 | + |
| 16 | +Use it in your nginx configuration: |
| 17 | + |
| 18 | +```nginx |
| 19 | +server { |
| 20 | + listen 80; |
| 21 | + server_name localhost; |
| 22 | +
|
| 23 | + # This is required for the module to make HTTP requests, you can use any DNS server |
| 24 | + resolver 1.1.1.1 ipv6=off; |
| 25 | +
|
| 26 | + location / { |
| 27 | + lua_code_cache on; |
| 28 | + access_by_lua_block { |
| 29 | + local whitelist = require "resty.whitelist" |
| 30 | +
|
| 31 | + local whitelist_urls = { |
| 32 | + "https://www.cloudflare.com/ips-v4", "https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips" |
| 33 | + } |
| 34 | + whitelist.new(whitelist_urls) |
| 35 | +
|
| 36 | + -- Or sinlge URL |
| 37 | +
|
| 38 | + local whitelist_url = "https://www.cloudflare.com/ips-v4" |
| 39 | + whitelist.new(whitelist_url) |
| 40 | + } |
| 41 | + } |
| 42 | +} |
| 43 | +``` |
12 | 44 |
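Review bot: the `access_by_lua_block` at new lines 28-40 calls `whitelist.new` twice, once with the table and once with the single URL, so as written both calls run on every request; the "Or single URL" alternative should be commented out (`-- local whitelist_url = "https://www.cloudflare.com/ips-v4"` / `-- whitelist.new(whitelist_url)`) or shown as a separate snippet. Fix "sinlge" to "single" in the comment. The comment at line 23 says the `resolver` is needed for the module's outbound HTTP requests; since the lists are fetched from third-party HTTPS URLs inside the request path (and "Caching of the whitelist" is listed as missing below), the snippet should also state whether the server certificate is verified and which directives the operator has to set for that (for cosocket TLS that is `lua_ssl_trusted_certificate`), so that the whitelist itself cannot be substituted by whoever controls DNS or the path to those hosts.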
|
13 | | -# Create a source rock |
14 | | -luarocks pack lua-resty-whitelist-*.rockspec |
| 45 | +## What's missing |
| 46 | + |
| 47 | +- IPv6 support |
| 48 | +- Caching of the whitelist and sharing it between workers |
| 49 | +- Tests |
| 50 | +- Better error handling and logging |
| 51 | +- Better documentation |
| 52 | + |
| 53 | +## Contrubuting |
| 54 | + |
| 55 | +### Publish the package |
| 56 | + |
| 57 | +#### Publish to LuaRocks |
| 58 | + |
| 59 | +```bash |
| 60 | +mv lua-resty-whitelist-*.rockspec lua-resty-whitelist-X.Y-Z.rockspec |
| 61 | +sed -i -E 's/"([0-9]+\.[0-9]+-[0-9]+)"/"X.Y-Z"/g' lua-resty-whitelist-X.Y-Z.rockspec |
| 62 | + |
| 63 | +git add . |
| 64 | +git commit -m "Release X.Y-Z" |
| 65 | +git push |
| 66 | + |
| 67 | +git tag vX.Y-Z |
| 68 | +git push origin vX.Y-Z |
| 69 | + |
| 70 | +luarocks upload lua-resty-whitelist-X.Y-Z.rockspec |
15 | 71 | ``` |
16 | 72 |
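Review bot: the `sed` at new line 61 rewrites every quoted `N.N-N` string in the rockspec, not only the `version` field, so any other value in that form is silently replaced; match the key explicitly, e.g. `sed -i -E 's/^version = "[^"]+"/version = "X.Y-Z"/'`. Two more points in the same block: `mv lua-resty-whitelist-*.rockspec` at line 60 fails if more than one rockspec is present, and `git add .` at line 63 stages every untracked file in the working tree (including a `.src.rock` left over from a previous release), so add the rockspec by name. Note also that the tag is pushed before `luarocks upload` runs, so a failed upload leaves a tag with no package behind it. Typo in the heading at line 53: "Contrubuting" should be "Contributing".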
|
17 | | -## Running the demo |
| 73 | +#### Publish to GitHub |
| 74 | + |
| 75 | +- A `lua-resty-whitelist-X.Y-Z.src.rock` file will be created in the current directory after publishing to LuaRocks |
| 76 | +- Visit <https://github.com/esidate/lua-resty-whitelist/tags> and click on the tag `vX.Y-Z` |
| 77 | +- Click on "Create release from tag" |
| 78 | +- Click on "Generate release notes" and upload the `lua-resty-whitelist-X.Y-Z.src.rock` file |
| 79 | +- Publish the release |
| 80 | + |
| 81 | +### Running the demo |
| 82 | + |
| 83 | +The demo is also sort of the development environment. |
18 | 84 |
|
19 | 85 | ```sh |
20 | 86 | cd demo |
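Review bot: "The demo is also sort of the development environment" (new line 83) is too vague for a contributor; state what the `demo` directory contains and what the commands after `cd demo` bring up, so the reader knows which nginx configuration and which whitelist URLs the demo exercises.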