accessfence

package module
v0.0.0-...-1587020 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 17, 2025 License: ISC Imports: 8 Imported by: 0

README

🛡️ AccessFence

AccessFence is a context-aware middleware plugin for Traefik that filters requests based on real-world conditions like:

  • ✅ IP ranges
  • 🌍 Geo-location (country code)
  • ⏰ Time-of-day windows

🧠 AccessFence does not handle authentication or roles — it’s a final layer of defense for protecting routes based on network and request context.

🚀 Use Cases

  • Restrict access to internal tools by IP range
  • Allow routes only during working hours
  • Block access from countries or regions
  • Enforce "office hours" on admin panels

⚙️ Configuration

Static Plugin Declaration (traefik.yml)

experimental:
  plugins:
    accessfence:
      moduleName: github.com/Veinar/accessfence
      version: v0.1.0

Dynamic Middleware Config

http:
  middlewares:
    secure-zone:
      plugin:
        accessfence:
          ipRanges:
            - "192.168.1.0/24"
            - "10.0.0.0/8"
          geoZones:
            - "US"
            - "PL"
          timeWindow:
            start: "08:00"
            end: "18:00"

Apply the secure-zone middleware to any route you want to protect.

🔧 Flexible Configuration

AccessFence is fully modular — you can specify one, two, or all of the filters:

  • Want only IP filtering? ✅
  • Want only country restrictions? ✅
  • Want just time-of-day control? ✅

Each filter is optional and only evaluated if set.
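
The "only evaluated if set" rule for the IP and time filters, as an added Go example that is not AccessFence's own code. The function names, the fail-closed handling of unparseable input, the half-open [start, end) window and the wrap past midnight are assumptions; geo filtering is left out because it needs the GeoLite2 database.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// ipInRanges: remoteAddr is "ip:port" or a bare IP; bad input never matches (assumed fail closed).
func ipInRanges(remoteAddr string, ranges []string) bool {
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		remoteAddr = h // strip the port when one is present
	}
	ip := net.ParseIP(remoteAddr)
	for _, r := range ranges {
		if _, n, err := net.ParseCIDR(r); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// timeInWindow checks now against [start, end); end <= start is treated as a
// window that wraps past midnight (an assumption, not documented on the page).
func timeInWindow(now time.Time, start, end string) bool {
	s, err1 := time.Parse("15:04", start)
	e, err2 := time.Parse("15:04", end)
	if err1 != nil || err2 != nil {
		return false
	}
	cur, sm, em := now.Hour()*60+now.Minute(), s.Hour()*60+s.Minute(), e.Hour()*60+e.Minute()
	if sm < em {
		return cur >= sm && cur < em
	}
	return cur >= sm || cur < em
}

// allow evaluates only the filters that are set; every set filter must pass.
func allow(remoteAddr string, now time.Time, ranges []string, start, end string) bool {
	ipOK := len(ranges) == 0 || ipInRanges(remoteAddr, ranges)
	timeOK := (start == "" && end == "") || timeInWindow(now, start, end)
	return ipOK && timeOK
}

func main() {
	ranges := []string{"192.168.1.0/24", "10.0.0.0/8"}
	noon := time.Date(2025, 4, 17, 12, 0, 0, 0, time.UTC) // constructed sample time
	fmt.Println(allow("10.1.2.3:51234", noon, ranges, "08:00", "18:00"))
}
```

The caller chooses the time zone by the location of the `now` value it passes in; the page does not state which zone the plugin uses.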

🌍 Setting Up GeoIP (Country Filtering)

export MAXMIND_LICENSE_KEY=your_license_key
make geoip

The database file will be stored as GeoLite2-Country.mmdb in your project root. If the file is not found, geo filtering is skipped, so any configured geoZones are not enforced.

🧪 Development & Testing

Build and run tests locally:

make build
make test

To run tests without GeoIP filtering:

rm GeoLite2-Country.mmdb
make test

🛡️ Security Note

AccessFence does not authenticate users. It relies on:

  • Traefik being behind HTTPS
  • The correct client address (RemoteAddr) being forwarded to it (e.g., via X-Forwarded-For)
  • You placing it after authentication in your route chain (optional but recommended)

📄 License

ISC

❤️ Feedback & Contributions

PRs and issues welcome. This plugin is intentionally small and focused. If you need something else, such as header matching or more conditions, open a discussion!

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AllowRequest

func AllowRequest(req *http.Request, cfg *Config, db *geoip2.Reader) bool

func IsGeoAllowed

func IsGeoAllowed(remoteAddr string, allowedCountries []string, db *geoip2.Reader) bool

func IsIPAllowed

func IsIPAllowed(remoteAddr string, allowedRanges []string) bool

func IsTimeAllowed

func IsTimeAllowed(window *TimeWindow) bool

func New

func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error)

Types

type AccessFence

type AccessFence struct {
	// contains filtered or unexported fields
}

func (*AccessFence) ServeHTTP

func (a *AccessFence) ServeHTTP(rw http.ResponseWriter, req *http.Request)

type Config

type Config struct {
	IPRanges   []string    `json:"ipRanges,omitempty"`   // e.g., ["10.0.0.0/8"]
	GeoZones   []string    `json:"geoZones,omitempty"`   // e.g., ["PL", "US"]
	TimeWindow *TimeWindow `json:"timeWindow,omitempty"` // optional time limits
}

func CreateConfig

func CreateConfig() *Config

func (*Config) Validate

func (c *Config) Validate() error

type TimeWindow

type TimeWindow struct {
	Start string `json:"start"` // "08:00"
	End   string `json:"end"`   // "18:00"
}
