feat: testing with IP restrictions

florianow · florianow · commit d3e2e426de1d · 2025-10-06T17:02:19.000+02:00
diff --git a/Caddyfile b/Caddyfile
@@ -20,6 +20,12 @@
                 # Step 2: Initialize TX variable
                 SecAction "id:2,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
 
+                # IP allowlist - allow specific IPs
+                SecRule REMOTE_ADDR "@ipMatch {$ALLOWED_IPS}" "id:999,phase:1,pass,nolog,msg:'Allowed IP access'"
+
+                # Block all other IPs (must be after allowlist)
+                SecRule REMOTE_ADDR "@ipMatch 0.0.0.0/0" "id:1000,phase:1,block,status:403,msg:'IP not in allowlist - access denied'"
+
                 # Example rule: Block DELETE on /minio/admin
                 SecRule REQUEST_URI "@beginsWith /minio/admin" "id:1001,phase:1,deny,status:403,msg:'MinIO Admin API Access Blocked'"
 
@@ -58,6 +64,12 @@
                 # Step 2: Initialize TX variable
                 SecAction "id:11,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
 
+                # IP allowlist - allow specific IPs
+                SecRule REMOTE_ADDR "@ipMatch {$ALLOWED_IPS}" "id:1999,phase:1,pass,nolog,msg:'Allowed IP access'"
+
+                # Block all other IPs (must be after allowlist)
+                SecRule REMOTE_ADDR "@ipMatch 0.0.0.0/0" "id:2000,phase:1,block,status:403,msg:'IP not in allowlist - access denied'"
+
                 # Example rule: Log DELETE operations
                 SecRule REQUEST_METHOD "@streq DELETE" "id:2001,phase:1,log,msg:'DELETE operation logged'"
 
diff --git a/README.md b/README.md
@@ -190,6 +190,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_allowed_ip_addresses"></a> [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | List of IP addresses that will be allowed to access the MinIO service (CIDR format, e.g., ['203.0.113.0/32', '192.168.1.0/24']) | `list(string)` | n/a | yes |
 | <a name="input_cert_password"></a> [cert\_password](#input\_cert\_password) | Password for the SSL certificate | `string` | n/a | yes |
 | <a name="input_coraza_waf_image"></a> [coraza\_waf\_image](#input\_coraza\_waf\_image) | Coraza WAF container image | `string` | `"ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.8-coraza-v2.0.0"` | no |
 | <a name="input_location"></a> [location](#input\_location) | Azure region for deployment | `string` | `"West Europe"` | no |
diff --git a/main.tf b/main.tf
@@ -132,6 +132,7 @@ resource "azurerm_container_group" "minio_aci_container_group" {
           server_name       = "${var.public_url_domain_name}.${azurerm_resource_group.minio_aci_rg.location}.azurecontainer.io"
           minio_ui_backend  = "localhost:8080"
           minio_api_backend = "localhost:8081"
+          allowed_ips       = var.allowed_ip_addresses
         }))
       }
     }
@@ -169,6 +170,7 @@ resource "azurerm_container_group" "minio_aci_container_group" {
     environment_variables = {
       MINIO_UI_BACKEND  = "localhost:9001"
       MINIO_API_BACKEND = "localhost:9000"
+      ALLOWED_IPS       = join(",", var.allowed_ip_addresses)
     }
 
     liveness_probe {
diff --git a/nginx-frontend.conf.tpl b/nginx-frontend.conf.tpl
@@ -25,6 +25,12 @@ server {
     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
 
+    # IP restrictions - only allow specified IP addresses
+%{ for ip in allowed_ips ~}
+    allow ${ip};
+%{ endfor ~}
+    deny all;
+
     client_max_body_size 1000m;
 
     # MinIO Console (UI) via Coraza WAF
@@ -65,6 +71,12 @@ server {
     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
 
+    # IP restrictions - only allow specified IP addresses
+%{ for ip in allowed_ips ~}
+    allow ${ip};
+%{ endfor ~}
+    deny all;
+
     client_max_body_size 1000m;
 
     # MinIO S3 API via Coraza WAF
diff --git a/variables.tf b/variables.tf
@@ -98,3 +98,14 @@ variable "coraza_waf_image" {
   default     = "ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.8-coraza-v2.0.0"
   description = "Coraza WAF container image"
 }
+
+variable "allowed_ip_addresses" {
+  type        = list(string)
+  description = "List of IP addresses that will be allowed to access the MinIO service (CIDR format, e.g., ['203.0.113.0/32', '192.168.1.0/24'])"
+  validation {
+    condition = alltrue([
+      for ip in var.allowed_ip_addresses : can(cidrhost(ip, 0))
+    ])
+    error_message = "All IP addresses must be in valid CIDR format (e.g., '203.0.113.0/32' for a single IP or '192.168.1.0/24' for a subnet)."
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ resource "azurerm_container_group" "minio_aci_container_group" {`
`132`	`132`	`server_name = "${var.public_url_domain_name}.${azurerm_resource_group.minio_aci_rg.location}.azurecontainer.io"`
`133`	`133`	`minio_ui_backend = "localhost:8080"`
`134`	`134`	`minio_api_backend = "localhost:8081"`
	`135`	`+ allowed_ips = var.allowed_ip_addresses`
`135`	`136`	`}))`
`136`	`137`	`}`
`137`	`138`	`}`
`@@ -169,6 +170,7 @@ resource "azurerm_container_group" "minio_aci_container_group" {`
`169`	`170`	`environment_variables = {`
`170`	`171`	`MINIO_UI_BACKEND = "localhost:9001"`
`171`	`172`	`MINIO_API_BACKEND = "localhost:9000"`
	`173`	`+ ALLOWED_IPS = join(",", var.allowed_ip_addresses)`
`172`	`174`	`}`
`173`	`175`
`174`	`176`	`liveness_probe {`