├── .github └── workflows │ └── go.yml ├── LICENSE ├── README.md ├── go.mod ├── go.sum ├── middleware.go └── middleware_test.go /.github/workflows/go.yml: -------------------------------------------------------------------------------- 1 | name: build 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ main ] 8 | 9 | jobs: 10 | 11 | build: 12 | name: Build 13 | runs-on: ubuntu-latest 14 | steps: 15 | 16 | - name: Set up Go 1.x 17 | uses: actions/setup-go@v2 18 | with: 19 | go-version: ^1.13 20 | id: go 21 | 22 | - name: Check out code into the Go module directory 23 | uses: actions/checkout@v2 24 | 25 | - name: Get dependencies 26 | run: | 27 | go get -v -t -d ./... 28 | if [ -f Gopkg.toml ]; then 29 | curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh 30 | dep ensure 31 | fi 32 | 33 | - name: Build 34 | run: go build -v . 35 | 36 | - name: Test 37 | run: go test -v . 38 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Buwei Chiu 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Gin Access Limit Middleware 2 | 3 | [![Go Report Card](https://goreportcard.com/badge/github.com/bu/gin-access-limit)](https://goreportcard.com/report/github.com/bu/gin-access-limit) 4 | ![Build Status](https://github.com/bu/gin-access-limit/workflows/build/badge.svg) 5 | [![Documentation](https://godoc.org/github.com/bu/gin-access-limit?status.svg)](http://godoc.org/github.com/bu/gin-access-limit) 6 | 7 | A [Gin web framework](https://github.com/gin-gonic/gin) middleware for IP restriction by specifying CIDR notations. 8 | 9 | ## Usage 10 | 11 | ```go 12 | 13 | package main 14 | 15 | import ( 16 | gin "github.com/gin-gonic/gin" 17 | limit "github.com/bu/gin-access-limit" 18 | ) 19 | 20 | func main() { 21 | // create a Gin engine 22 | r := gin.Default() 23 | 24 | // this API is only accessible from Docker containers 25 | r.Use(limit.CIDR("172.18.0.0/16")) 26 | 27 | // if need to specify serveral range of allowed sources, use comma to concatenate them 28 | // r.Use(limit.CIDR("172.18.0.0/16, 127.0.0.1/32")) 29 | 30 | // routes 31 | r.GET("/", func (c *gin.Context) { 32 | c.String(200, "pong") 33 | }) 34 | 35 | // listen to request 36 | r.Run(":8080") 37 | } 38 | 39 | ``` 40 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/bu/gin-access-limit 2 | 3 | go 1.14 4 | 5 | require ( 6 | github.com/gin-gonic/gin v1.6.3 7 | github.com/stretchr/testify v1.6.1 8 | ) 9 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 2 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 3 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 4 | github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= 5 | github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= 6 | github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14= 7 | github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= 8 | github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A= 9 | github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= 10 | github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q= 11 | github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= 12 | github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no= 13 | github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= 14 | github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1Vv0sFl1UcHBOY= 15 | github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= 16 | github.com/golang/protobuf v1.3.3 h1:gyjaxf+svBWX08ZjK86iN9geUJF0H6gp2IRKX6Nf6/I= 17 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 18 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 19 | github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns= 20 | github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 21 | github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= 22 | github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= 23 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= 24 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 25 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 h1:ZqeYNhU3OHLH3mGKHDcjJRFFRrJa6eAM5H+CtDdOsPc= 26 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 27 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 h1:Esafd1046DLDQ0W1YjYsBW+p8U2u7vzgW2SQVmlNazg= 28 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 29 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 30 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 31 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 32 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 33 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 34 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= 35 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 36 | github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo= 37 | github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= 38 | github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs= 39 | github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= 40 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg= 41 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 42 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 43 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 44 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 45 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 46 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 47 | gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= 48 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 49 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= 50 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 51 | -------------------------------------------------------------------------------- /middleware.go: -------------------------------------------------------------------------------- 1 | package accessLimit 2 | 3 | import ( 4 | "log" 5 | "net" 6 | "strings" 7 | 8 | "github.com/gin-gonic/gin" 9 | ) 10 | 11 | // DisableLogging set up logging. default is false (logging) 12 | var DisableLogging bool 13 | 14 | // TrustedHeaderField is a header field that developer trusted in their env. 15 | // e.g. Upstream proxy server's special header that only server can setup 16 | // need to avoid use common forgry-able header fields. 17 | var TrustedHeaderField string 18 | 19 | // CIDR is a middleware that check given CIDR rules and return 403 Forbidden 20 | // when user is not coming from allowed source. CIDRs accepts a list of CIDRs, 21 | // separated by comma. (e.g. 127.0.0.1/32, ::1/128 ) 22 | func CIDR(CIDRs string) gin.HandlerFunc { 23 | return func(c *gin.Context) { 24 | // retreieve user's connection origin from request remote addr 25 | // need to split the host because original remoteAddr contains port 26 | remoteAddr, _, splitErr := net.SplitHostPort(c.Request.RemoteAddr) 27 | 28 | if splitErr != nil { 29 | c.AbortWithError(500, splitErr) 30 | return 31 | } 32 | 33 | // if we have Trusted Header Field, and it exists, use it 34 | if TrustedHeaderField != "" { 35 | if trustedRemoteAddr := c.GetHeader(TrustedHeaderField); trustedRemoteAddr != "" { 36 | remoteAddr = trustedRemoteAddr 37 | } 38 | } 39 | 40 | // parse it into IP type 41 | remoteIP := net.ParseIP(remoteAddr) 42 | 43 | // split CIDRs by comma, and we gonna check them one by one 44 | cidrSlices := strings.Split(CIDRs, ",") 45 | 46 | // under of CIDR we were in 47 | var matchCount uint 48 | 49 | // go over each CIDR and do the tests 50 | for _, cidr := range cidrSlices { 51 | // remove unwanted spaces 52 | cidr = strings.TrimSpace(cidr) 53 | 54 | // try to parse the CIDR 55 | _, cidrIPNet, parseCIDRErr := net.ParseCIDR(cidr) 56 | 57 | if parseCIDRErr != nil { 58 | c.AbortWithError(500, parseCIDRErr) 59 | return 60 | } 61 | 62 | // This is the core of this middleware, 63 | // it ask current CIDR network range to test if current IP is in 64 | if cidrIPNet.Contains(remoteIP) { 65 | matchCount = matchCount + 1 66 | } 67 | } 68 | 69 | // if no CIDR ranges contains our IP 70 | if matchCount == 0 { 71 | if DisableLogging == false { 72 | log.Printf("[LIMIT] Request from [" + remoteAddr + "] is not allow to access `" + c.Request.RequestURI + "`, only allow from: [" + CIDRs + "]") 73 | } 74 | 75 | c.AbortWithStatus(403) 76 | return 77 | } 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /middleware_test.go: -------------------------------------------------------------------------------- 1 | package accessLimit 2 | 3 | import ( 4 | "net/http" 5 | "net/http/httptest" 6 | "testing" 7 | 8 | "github.com/gin-gonic/gin" 9 | "github.com/stretchr/testify/assert" 10 | ) 11 | 12 | func setupRouter(CIDRs string) *gin.Engine { 13 | // no debug mode 14 | gin.SetMode(gin.ReleaseMode) 15 | 16 | // create a default 17 | r := gin.Default() 18 | 19 | // our middle-ware 20 | r.Use(CIDR(CIDRs)) 21 | 22 | // routes 23 | r.GET("/", testGET) 24 | 25 | return r 26 | } 27 | 28 | func TestAllowAccessSource(t *testing.T) { 29 | r := setupRouter("127.0.0.1/32") 30 | 31 | // prepare 32 | ExpectedResponseStatus := 200 33 | 34 | // run 35 | w := httptest.NewRecorder() 36 | req, _ := http.NewRequest("GET", "/", nil) 37 | req.RemoteAddr = "127.0.0.1:80" 38 | r.ServeHTTP(w, req) 39 | 40 | // check 41 | assert.Equal(t, ExpectedResponseStatus, w.Code) 42 | } 43 | 44 | func TestNotAllowAccessSource(t *testing.T) { 45 | r := setupRouter("172.18.0.0/16") 46 | 47 | // prepare 48 | ExpectedResponseStatus := 403 49 | 50 | // run 51 | w := httptest.NewRecorder() 52 | req, _ := http.NewRequest("GET", "/", nil) 53 | req.RemoteAddr = "127.0.0.1:80" 54 | r.ServeHTTP(w, req) 55 | 56 | // check 57 | assert.Equal(t, ExpectedResponseStatus, w.Code) 58 | } 59 | 60 | func TestAllowAccessFromManySource(t *testing.T) { 61 | r := setupRouter("172.18.0.0/16, 127.0.0.1/32, ::1/128") 62 | 63 | // prepare 64 | ExpectedResponseStatus := 200 65 | 66 | // run 67 | w := httptest.NewRecorder() 68 | req, _ := http.NewRequest("GET", "/", nil) 69 | req.RemoteAddr = "127.0.0.1:80" 70 | r.ServeHTTP(w, req) 71 | 72 | // check 73 | assert.Equal(t, ExpectedResponseStatus, w.Code) 74 | } 75 | 76 | func TestNotAllowAccessFromManySource(t *testing.T) { 77 | r := setupRouter("172.18.0.0/16, 127.0.0.1/32, ::1/128") 78 | 79 | // prepare 80 | ExpectedResponseStatus := 403 81 | 82 | // run 83 | w := httptest.NewRecorder() 84 | req, _ := http.NewRequest("GET", "/", nil) 85 | req.RemoteAddr = "192.168.1.12:80" 86 | r.ServeHTTP(w, req) 87 | 88 | // check 89 | assert.Equal(t, ExpectedResponseStatus, w.Code) 90 | } 91 | 92 | func TestTrustedHeader(t *testing.T) { 93 | // Allow Trust Header 94 | TrustedHeaderField = "X-Real-Ip" 95 | 96 | r := setupRouter("172.18.0.0/16, 127.0.0.1/32, ::1/128") 97 | 98 | // prepare 99 | ExpectedResponseStatus := 200 100 | 101 | // run 102 | w := httptest.NewRecorder() 103 | req, _ := http.NewRequest("GET", "/", nil) 104 | req.RemoteAddr = "192.168.1.12:80" 105 | req.Header.Add("X-Real-Ip", "127.0.0.1") 106 | 107 | r.ServeHTTP(w, req) 108 | 109 | // check 110 | assert.Equal(t, ExpectedResponseStatus, w.Code) 111 | } 112 | 113 | func TestNotInTrustedHeader(t *testing.T) { 114 | // Allow Trust Header 115 | TrustedHeaderField = "X-Real-Ip" 116 | 117 | r := setupRouter("172.18.0.0/16, 127.0.0.1/32, ::1/128") 118 | 119 | // prepare 120 | ExpectedResponseStatus := 403 121 | 122 | // run 123 | w := httptest.NewRecorder() 124 | req, _ := http.NewRequest("GET", "/", nil) 125 | req.RemoteAddr = "192.168.1.12:80" 126 | req.Header.Add("X-Forwarded-For", "127.0.0.1") 127 | 128 | r.ServeHTTP(w, req) 129 | 130 | // check 131 | assert.Equal(t, ExpectedResponseStatus, w.Code) 132 | } 133 | 134 | func testGET(c *gin.Context) { 135 | c.String(200, "pong") 136 | } 137 | --------------------------------------------------------------------------------