From f1e227de764bfb8abf82532cf179c5e5728dd856 Mon Sep 17 00:00:00 2001 From: Umputun Date: Sun, 26 Nov 2023 03:56:54 -0600 Subject: [PATCH] add info to readme --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 37522023..8737c778 100644 --- a/README.md +++ b/README.md 
@@ -302,7 +302,16 @@ username2:bcrypt(password2) ... ``` -this can be generated with `htpasswd -nbB` command, i.e. `htpasswd -nbB test passwd` +## IP-based access control + +Reproxy allows restricting access to the routes with a list of comma-separated subnets or ips. This is useful for the development and testing, before allowing unrestricted access to them. It also can be used to restrict access to the internal services. By default, all the routes are open for all the clients. + +To restrict access to the routes, user should set appropriate keys for the routes, i.e. `reproxy.remote` for docker and consul, and `remote` for file provider. The value should be a list of comma-separated subnets or ips or subnets. For example `127.0.0.1, 192.168.1.0/24`. For more details see [docker provider](#docker-provider) and [consul catalog provider](#consul-catalog-provider) sections. + +By default, reproxy will check the remote address from the client's request. However, in some cases, it won't work as expected, for example behind of other proxy, or with docker bridge network. This can be altered with `--remote-lookup-headers` parameter allowing check the value of the header `X-Real-IP` or `X-Forwarded-For` (in this order) and use it for the check. If the header is not set, the check will be performed against the remote address of the client. + +Checking headers should be used with caution, as it is possible to fake them. However, in some cases, it is the only way to get the real remote address of the client. Generally, it is recommended to use this option only if user is completely controlling all the headers and can guarantee the headers are not faked. + ## Plugins support 
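Review bot: the paragraph describing `--remote-lookup-headers` says the value of `X-Real-IP` or `X-Forwarded-For` is checked "in this order" but never states which element of a multi-hop `X-Forwarded-For` list is used, and that is exactly what decides whether the restriction can be bypassed: the first entry is whatever the client chose to send, while only the entry appended by the proxy you control can be trusted. Document which element reproxy takes, and turn the "should be used with caution" paragraph into a concrete requirement: the proxy in front of reproxy must strip or overwrite any incoming `X-Real-IP` and `X-Forwarded-For` before forwarding, otherwise a client can set the header itself and pass a `remote` check for `127.0.0.1`. In the same hunk there are a few wording slips to fix: "a list of comma-separated subnets or ips or subnets" repeats "subnets", "behind of other proxy" should read "behind another proxy", "allowing check the value" should be "allowing it to check the value", and "only if user is completely controlling all the headers" reads better as "only if the user fully controls all the headers".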
@@ -357,6 +366,7 @@ This is the list of all options supporting multiple elements: --basic-htpasswd= htpasswd file for basic auth [$BASIC_HTPASSWD] --lb-type=[random|failover] load balancer type (default: random) [$LB_TYPE] --signature enable reproxy signature headers [$SIGNATURE] + --remote-lookup-headers enable remote lookup headers [$REMOTE_LOOKUP_HEADERS] --dbg debug mode [$DEBUG] ssl:
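Review bot: the help text added for `--remote-lookup-headers`, "enable remote lookup headers", only restates the flag name, so a reader of the options block cannot tell which headers are consulted or that enabling it changes what the `remote` restriction compares against; a description along the lines of `--remote-lookup-headers  use X-Real-IP/X-Forwarded-For headers to determine client ip [$REMOTE_LOOKUP_HEADERS]` would match the new README section above. If this block is a copy of the program's own `--help` output, the same wording belongs on the flag definition as well, so the README and the generated help do not drift apart.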