api - whitelist IP/network for API

lua/api.lua

@@ -1,5 +1,8 @@
-local M		= {}
-local api_list	= {}
+local M			= {}
+local api_list		= {}
+local api_whitelist_ip	= {%API_WHITELIST_IP%}
+local whitelist		= iputils.parse_cidrs(api_whitelist_ip)
+local ip		= ngx.var.remote_addr
 
 api_list["^/ping$"] = function ()
 	return true
@@ -10,7 +13,7 @@ api_list["^/reload$"] = function ()
 end
 
 function M.is_api_call (api_uri)
-	if ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
+	if iputils.ip_in_cidrs(ip, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
 		for uri, code in pairs(api_list) do
 			if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 				return true

lua/blacklist.lua

@@ -2,6 +2,7 @@ local M			= {}
 local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
+local blacklist		= iputils.parse_cidrs(ip_list)
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr
 
@@ -23,7 +24,6 @@ end
 
 function M.check_ip ()
 	if #ip_list > 0 then
-		local blacklist = iputils.parse_cidrs(ip_list)
 		if iputils.ip_in_cidrs(ip, blacklist) then
 			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
 			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")

lua/whitelist.lua

@@ -3,6 +3,7 @@ local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
+local whitelist		= iputils.parse_cidrs(ip_list)
 local ip		= ngx.var.remote_addr
 
 function M.ip_cached_ok ()
@@ -23,7 +24,6 @@ end
 
 function M.check_ip ()
 	if #ip_list > 0 then
-		local whitelist = iputils.parse_cidrs(ip_list)
 		if iputils.ip_in_cidrs(ip, whitelist) then
 			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
 			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")