Re: Source IP ACLs


Shannon Coen
 

You could certainly build a route service to support this use case. Users
would create a service instance of the service, configure it to block
specified IPs (on create, bind, or out-of-band), then bind it to the route,
causing requests to the route to be forwarded to the service instance,
which would block the requests or pass them through. All applications
mapped to the route would be protected.

Route Services opens a whole new class of services which could be offered
in the marketplace by exposing a point of extension. Now all these
features don't have to be implemented directly in the router itself.

Our work on support for Route Services has nearly reached MVP. The backend
work is nearly complete, and we've started work on the CLI commands. Soon
we'll publish documentation for service broker authors as well as end users.

I'll also be sending a request for feedback shortly on a header we're using
in the integration that must be handled by the services. With a few changes
we could support standard forwarding proxies as Route Services per the HTTP
RFC, but it comes with tradeoffs. Stay tuned.

For now, you can refer to these docs for info about the Route Services
feature:
- UX proposal:
https://drive.google.com/open?id=1SfwaQ1hnngfopXC_Q24cT6lbo0yFwvbAbPcCPEHeNPY
- Original proposal:
https://docs.google.com/document/d/1bGOQxiKkmaw6uaRWGd-sXpxL0Y28d3QihcluI15FiIA/edit?usp=sharing
- Tracker epics: https://www.pivotaltracker.com/epic/show/1884060 and
https://www.pivotaltracker.com/epic/show/2031344

Please let me know if you have any questions.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
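The flow described above (a service instance bound to the route, the router forwarding every request to it, the service either blocking the request or passing it through) can be made concrete. The program below is an added example written for this page, not Cloud Foundry code and not anything posted in the thread: a minimal route service that enforces a source-IP deny list. Two things are assumptions rather than facts from the thread: the header name `X-CF-Forwarded-Url` (the thread only says a forwarding header exists and is still being finalised) and the constructed deny list in `main`.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed header name: the thread says the forwarding header was still being
// finalised; X-CF-Forwarded-Url is the name Cloud Foundry later documented.
const forwardedURLHeader = "X-CF-Forwarded-Url"
// ipACL is the parsed deny list the route service enforces.
type ipACL struct{ blocked []*net.IPNet }

// newIPACL parses CIDR entries such as "203.0.113.0/24" or "2001:db8::/32".
func newIPACL(cidrs []string) (*ipACL, error) {
	acl := &ipACL{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("bad ACL entry %q: %w", c, err)
		}
		acl.blocked = append(acl.blocked, n)
	}
	return acl, nil
}

// Blocked reports whether ip falls inside any denied network.
func (a *ipACL) Blocked(ip net.IP) bool {
	for _, n := range a.blocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP recovers the address the ACL should judge. Each trusted proxy (the
// router, plus any load balancer in front of it) appends its own peer to
// X-Forwarded-For, so the entry trustedHops from the right is the real client
// and anything further left was written by the client and is ignored.
// trustedHops == 0 means direct access, where the TCP peer is authoritative.
func clientIP(xff, remoteAddr string, trustedHops int) (net.IP, error) {
	if trustedHops == 0 {
		host, _, err := net.SplitHostPort(remoteAddr)
		if err != nil {
			host = remoteAddr
		}
		if ip := net.ParseIP(host); ip != nil {
			return ip, nil
		}
		return nil, fmt.Errorf("unparseable peer address %q", remoteAddr)
	}
	parts := strings.Split(xff, ",")
	if xff == "" || len(parts) < trustedHops {
		// Fail closed: a proxy that should have added an entry did not.
		return nil, errors.New("X-Forwarded-For has fewer entries than trusted hops")
	}
	ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-trustedHops]))
	if ip == nil {
		return nil, errors.New("malformed X-Forwarded-For entry")
	}
	return ip, nil
}

// newRouteServiceHandler is what the route service exposes to the router: denied
// clients get 403, everyone else is proxied on to the URL in the forwarding
// header, with the router's integration headers forwarded untouched.
func newRouteServiceHandler(acl *ipACL, trustedHops int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, err := clientIP(r.Header.Get("X-Forwarded-For"), r.RemoteAddr, trustedHops)
		if err != nil || acl.Blocked(ip) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		target, err := url.Parse(r.Header.Get(forwardedURLHeader))
		if err != nil || target.Scheme == "" || target.Host == "" {
			http.Error(w, "missing or invalid forwarded URL", http.StatusBadRequest)
			return
		}
		proxy := &httputil.ReverseProxy{Director: func(req *http.Request) {
			req.URL = target
			req.Host = target.Host
		}}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed deny list; a real service would take it from its instance config.
	acl, err := newIPACL([]string{"203.0.113.0/24", "198.51.100.7/32"})
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", newRouteServiceHandler(acl, 1)))
}
```

The detail that decides whether such an ACL is worth anything is which `X-Forwarded-For` entry it trusts. The leftmost entries are written by whoever sent the request; only the entries appended by the router (and by a load balancer you operate in front of it) are trustworthy, so the service indexes from the right and fails closed when the chain is shorter than the configured number of hops. The router's integration headers are passed on unchanged, since the message above notes that the router depends on the service handling them. A deployed service should also restrict who can reach it, so the ACL is only ever evaluated on traffic that actually arrived through the router.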

On Sat, Oct 31, 2015 at 1:33 AM, Noburou TANIGUCHI <dev(a)nota.m001.jp> wrote:

We have proprietarily implemented the feature into Gorouter, but now similar
functionality will probably be achieved by Route Service [1]. There seems to be
little information [2] about it and I also want to know the progress.

[1] https://docs.google.com/document/d/1bGOQxiKkmaw6uaRWGd-sXpxL0Y28d3QihcluI15FiIA/edit#heading=h.8djffzes9pnb

[2] https://www.pivotaltracker.com/n/projects/966314


Carlo Alberto Ferraris-2 wrote
Is there any provision for restricting the source IPs that are allowed to
access a certain application (or route)? Or is the only way to do this to
place a reverse proxy in front of the gorouter?
In case the reverse proxy is the only way to go, would there be interest
in having something like this implemented inside the gorouter itself?
(We're willing to contribute.)




-----
I'm not a ...
noburou taniguchi
--
View this message in context:
http://cf-dev.70369.x6.nabble.com/cf-dev-Source-IP-ACLs-tp2518p2544.html
Sent from the CF Dev mailing list archive at Nabble.com.
