pingora
Implement TCP Connection IP allowlist/blocklist in Pingora
What is the problem your feature solves, or the need it fulfills?
Enable granular management of client IPs during TCP connection setup in Pingora. The goal is to restrict gateway access to internal networks and selected CDNs, implementing IP allowlisting/blocklisting to deny connections from unauthorized or potentially malicious IPs early in the TCP cycle.
Describe the solution you'd like
Introduce an initial IP validation phase at the start of each connection's lifecycle. Upon receiving a connection, verify the client's IP against predefined rules. If the IP doesn't meet criteria, terminate the connection immediately, bypassing further HTTP header processing or coroutine creation.
Describe alternatives you've considered
...
Additional context
As exemplified in frameworks like Hyper, implementing IP filtering directly in the TCP listener's accept loop enhances both security and efficiency.
```rust
// ...
loop {
    let (socket, addr) = listener.accept().await.unwrap();
    // ...
    // Reject before any HTTP parsing or task spawn; dropping `socket`
    // at the end of the iteration closes the connection.
    if !allow_list.contains(&addr.ip()) {
        continue;
    }
    // ...
    tokio::spawn(async move {
        // ...
    });
}
```
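The accept-loop check above takes a flat set of addresses; restricting a gateway to internal networks and selected CDNs needs prefix matching. The following is an added, dependency-free sketch of such a policy (not Pingora's code and not from the issue author): CIDR rules for IPv4 and IPv6, blocklist taking precedence over allowlist, and IPv4-mapped IPv6 peers normalised so a dual-stack listener does not let `::ffff:a.b.c.d` slip past IPv4 rules. The sample ranges in the test are constructed.

```rust
use std::net::IpAddr;

/// One CIDR network (e.g. 10.0.0.0/8 or 2001:db8::/32), widened to 128 bits
/// so IPv4 and IPv6 share a single comparison path.
#[derive(Clone, Copy, Debug)]
pub struct Cidr { addr: u128, bits: u8, v4: bool }

impl Cidr {
    /// Parse "addr/len"; None on malformed input or an out-of-range prefix.
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, len) = s.split_once('/')?;
        let bits: u8 = len.parse().ok()?;
        let (addr, v4, width) = Self::widen(ip.parse().ok()?);
        if bits > width { return None; }
        Some(Cidr { addr: addr & Self::mask(bits, width), bits, v4 })
    }
    fn widen(ip: IpAddr) -> (u128, bool, u8) {
        match ip {
            IpAddr::V4(a) => (u32::from(a) as u128, true, 32),
            IpAddr::V6(a) => (u128::from(a), false, 128),
        }
    }
    fn mask(bits: u8, width: u8) -> u128 {
        if bits == 0 { 0 } else { !0u128 << (width - bits) }
    }
    pub fn contains(&self, ip: IpAddr) -> bool {
        let (addr, v4, width) = Self::widen(ip);
        v4 == self.v4 && addr & Self::mask(self.bits, width) == self.addr
    }
}

/// Admission policy evaluated once per accepted TCP connection, before any
/// HTTP parsing: an explicit block wins over any allow, and an empty
/// allowlist admits everything that is not blocked.
pub struct IpPolicy { pub allow: Vec<Cidr>, pub block: Vec<Cidr> }

impl IpPolicy {
    pub fn permits(&self, peer: IpAddr) -> bool {
        // Dual-stack listeners hand IPv4 clients over as ::ffff:a.b.c.d;
        // normalise so the IPv4 rules still apply to them.
        let ip = match peer {
            IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(peer),
            v4 => v4,
        };
        if self.block.iter().any(|c| c.contains(ip)) { return false; }
        self.allow.is_empty() || self.allow.iter().any(|c| c.contains(ip))
    }
}
```

In the accept loop this replaces `allow_list.contains(&addr.ip())` with `policy.permits(addr.ip())`; the rule vectors are small enough that a linear scan per connection is fine, and a prefix trie is the next step if the lists grow.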