List Based Address Authorizer

An authorizer that supports white- and blacklisting direct and forwarded addresses (coming via a proxy).

AUTHTYPE=org.signserver.server.ListBasedAddressAuthorizer

  • WHITELISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses allowed direct access.

  • BLACKLISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses denied direct access.

  • WHITELISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses allowed access as a forwarded address.

  • BLACKLISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses denied access as a forwarded address.

  • MAX_FORWARDED_ADDRESSES = Number of IP addresses to inspect in the list of forwarded addresses. (Default: 1).

It is not possible to specify both a white list and a black list at the same time for each of direct and forwarded addresses. One of each list (direct and forwarded) must be specified. When specifying a whitelist for forwarded addresses, requests without an X-Forwarded-For header will always be denied. When there are multiple addresses in the X-Forwarded-For header (in the case of using multiple proxies) the number of addresses specified in MAX_FORWARDED_ADDRESSES counting from the end of the list (or the entire list if it is shorter than this) is considered for white- and blacklisting. If specified, MAX_FORWARDED_ADDRESSES must have a value >= 1. It is not allowed to set it 0 to disable checking forwarded addresses. RemoteAddressAuthorizer should be used in this case.

Examples:

1. To accept requests from all direct addresses except for 10.0.0.5 and for all forwarded addresses except 13.170.18.12 and 13.170.18.13 use:

BLACKLISTED_DIRECT_ADDRESSES=10.0.0.5
BLACKLISTED_FORWARDED_ADDRESSES=13.170.18.12, 13.170.18.13

2. To only accept direct requests from 10.0.0.1 and 10.0.0.2 and from the forwarded address 216.34.181.97 use:

WHITELISTED_DIRECT_ADDRESSES=10.0.0.1, 10.0.0.2
WHITELISTED_FORWARDED_ADDRESS=216.34.181.97

3. To only allow direct access from the proxy servers 10.0.0.1 and 10.0.0.2 but allow them to forward from all address except the to banned addresses 13.170.18.12 and 13.170.18.13 use:

WHITELISTED_DIRECT_ADDRESSES=10.0.0.1, 10.0.0.2
BLACKLISTED_FORWARDED_ADDRESSES=13.170.18.12, 13.170.18.13

4. To accept direct requests from all addresses except 10.0.0.5 but only forwarded from 216.34.181.97 use:

BLACKLISTED_DIRECT_ADDRESSES=10.0.0.5
WHITELISTED_FORWARDED_ADDRESS=216.34.181.97

5. To accept direct request from a proxy server 10.0.1.1 allowing forwarding from another proxy 10.0.2.2 in turn proxying the request from the client with address 192.0.43.10 use:

WHITELISTED_DIRECT_ADDRESSES=10.0.1.1
WHITELISTED_FORWARDED_ADDRESSES=10.0.2.2,192.0.43.10
MAX_FORWARDED_ADDRESSES=2

6. To blacklist a set of IP addresses, set the MAX_FORWARDED_ADDRESSES value to a value gauranteed to be larger than the number of proxies you have control over, like in the following example:

BLACKLISTED_FORWARDED_ADDRESSES=10.0.1.1,10.0.2.2,10.0.3.3
MAX_FORWARDED_ADDRESSES=10


Logging: This authorizer will add the remote IP address to the log field AUTHORIZED_ADDRESS and the proxied address (if it's available in the request) in the log field AUTHORIZED_FORWARDED_ADDRESS.