feat: add SQLite persistence and REST API for temporary whitelisting
- Migrate IP-based temporary whitelisting from file to SQLite storage - Add REST API endpoints for managing temporary and permanent whitelists - Create `.env.example` with required environment variables - Document API endpoints in README.md and docs/api.md - Add new dependency `modernc.org/sqlite` for SQLite support - Update deployment and security documentation
This commit is contained in:
@@ -7,7 +7,6 @@
|
||||
3. Auth-gate checks:
|
||||
- Is the IP in the permanent whitelist? → Allow.
|
||||
- Is the IP in the temporary whitelist and not expired? → Allow.
|
||||
- Does the Authorization header contain valid Basic Auth? → Allow.
|
||||
- Otherwise → 401 Unauthorized.
|
||||
4. NGINX passes the request to the upstream service if auth-gate returned 200.
|
||||
5. NGINX returns 401 to the client if auth-gate returned 401/403.
|
||||
@@ -16,17 +15,15 @@
|
||||
|
||||
### Permanent whitelist
|
||||
|
||||
- Loaded from a file mounted as a volume.
|
||||
- The file is polled every 30 seconds (configurable).
|
||||
- Stored in SQLite `permanent_whitelist` table.
|
||||
- Only single IPs and CIDR ranges (as strings) are supported.
|
||||
- The file is reloaded only when its mtime changes.
|
||||
- Added/removed via the `/api/whitelist/perm` API.
|
||||
|
||||
### Temporary whitelist
|
||||
|
||||
- In-memory store.
|
||||
- Stored in SQLite `temp_whitelist` table.
|
||||
- Entries expire after their TTL.
|
||||
- The cleanup goroutine runs every 60 seconds (configurable) to remove expired entries.
|
||||
- No persistence across restarts.
|
||||
|
||||
## API key
|
||||
|
||||
@@ -37,23 +34,18 @@ in the Authorization header.
|
||||
- Use a strong random string.
|
||||
- Rotate it regularly.
|
||||
|
||||
## Basic Auth
|
||||
## Audit log
|
||||
|
||||
The Basic Auth credentials are set via environment variables. The username is `admin`
|
||||
by default, and the password is `changeme` by default.
|
||||
All whitelist operations are logged to the `audit_log` table in SQLite.
|
||||
Each entry records:
|
||||
|
||||
- Change both immediately on first use.
|
||||
- Use strong passwords.
|
||||
- The credentials are sent in the Authorization header (base64-encoded).
|
||||
- Always serve the auth endpoint over TLS.
|
||||
- `action` — what happened (`add_temp`, `delete_temp`, `add_perm`, `delete_perm`, `expire_temp`)
|
||||
- `ip` or `cidr` — the affected IP or CIDR
|
||||
- `ttl_seconds` — for temp entries
|
||||
- `reason` — the reason provided
|
||||
- `api_client_ip` — the IP that made the API call
|
||||
|
||||
## File watcher
|
||||
|
||||
The permanent whitelist file watcher polls the file every 30 seconds. It only
|
||||
reloads if the file's mtime has changed. This means:
|
||||
|
||||
- Frequent touch-operations don't cause unnecessary reloads.
|
||||
- The watcher is simple and doesn't depend on inotify.
|
||||
Retrieve logs via the `/api/logs` endpoint.
|
||||
|
||||
## Graceful shutdown
|
||||
|
||||
@@ -81,4 +73,4 @@ This ensures Docker deployments can shut down cleanly.
|
||||
- We don't support multiple domains. The auth-gate service doesn't care about domains.
|
||||
- We don't support HTTP/2. The auth-gate service uses HTTP/1.1 only.
|
||||
- We don't support WebSocket. The auth-gate service doesn't need WebSocket.
|
||||
- We don't support gRPC. The auth-gate service is a simple REST API.
|
||||
- We don't support gRPC. The auth-gate service is a simple REST API.
|
||||
|
||||
Reference in New Issue
Block a user