List Based Address Authorizer

The List Based Address Authorizer supports white- and blacklisting direct and forwarded addresses (coming via a proxy).

Fully qualified class name: AUTHTYPE=org.signserver.server.ListBasedAddressAuthorizer

Available Properties

Property

Description

WHITELISTED_DIRECT_ADDRESSES

A comma-separated list of IP addresses allowed direct access.

BLACKLISTED_DIRECT_ADDRESSES

A comma-separated list of IP addresses denied direct access.

WHITELISTED_FORWARDED_ADDRESSES

A comma-separated list of IP addresses allowed access as a forwarded address.

BLACKLISTED_FORWARDED_ADDRESSES

A comma-separated list of IP addresses denied access as a forwarded address.

MAX_FORWARDED_ADDRESSES

Number of IP addresses to inspect in the list of forwarded addresses.

Default: 1

Address Authorization Configuration

The following rules apply when configuring direct and forwarded address lists:

  • A whitelist and blacklist cannot be specified simultaneously. Only one list type per address category (direct or forwarded) is permitted.

  • When a whitelist is set for forwarded addresses, requests without an X-Forwarded-For header are always denied.

  • When multiple addresses are present in the X-Forwarded-For header (when using multiple proxies), addresses are evaluated from the end of the list up to the value defined by MAX_FORWARDED_ADDRESSES. If the list is shorter than this value, the entire list is evaluated.

  • MAX_FORWARDED_ADDRESSES must be set to 1 or greater. A value of 0 is not permitted.

To disable forwarded address checking entirely, use RemoteAddressAuthorizer instead.

Examples

To accept requests from all direct addresses except for 10.0.0.5 and for all forwarded addresses except 13.170.18.12 and 13.170.18.13, use:

BLACKLISTED_DIRECT_ADDRESSES=10.0.0.5
BLACKLISTED_FORWARDED_ADDRESSES=13.170.18.12, 13.170.18.13

To only accept direct requests from 10.0.0.1 and 10.0.0.2 and from the forwarded address 216.34.181.97, use:

WHITELISTED_DIRECT_ADDRESSES=10.0.0.1, 10.0.0.2
WHITELISTED_FORWARDED_ADDRESS=216.34.181.97

To only allow direct access from the proxy servers 10.0.0.1 and 10.0.0.2 but allow them to forward from all address except the to banned addresses 13.170.18.12 and 13.170.18.13, use:

WHITELISTED_DIRECT_ADDRESSES=10.0.0.1, 10.0.0.2
BLACKLISTED_FORWARDED_ADDRESSES=13.170.18.12, 13.170.18.13

To accept direct requests from all addresses except 10.0.0.5 but only forwarded from 216.34.181.97, use:

BLACKLISTED_DIRECT_ADDRESSES=10.0.0.5
WHITELISTED_FORWARDED_ADDRESS=216.34.181.97

To accept direct request from a proxy server 10.0.1.1 allowing forwarding from another proxy 10.0.2.2 in turn proxying the request from the client with address 192.0.43.10, use:

WHITELISTED_DIRECT_ADDRESSES=10.0.1.1
WHITELISTED_FORWARDED_ADDRESSES=10.0.2.2,192.0.43.10
MAX_FORWARDED_ADDRESSES=2

To blacklist a set of IP addresses, set the MAX_FORWARDED_ADDRESSES value to a value guaranteed to be larger than the number of proxies you have control over, like in the following example:

BLACKLISTED_FORWARDED_ADDRESSES=10.0.1.1,10.0.2.2,10.0.3.3
MAX_FORWARDED_ADDRESSES=10

Logging

This authorizer will add the remote IP address to the log field AUTHORIZED_ADDRESS and the proxied address (if it is available in the request) in the log field AUTHORIZED_FORWARDED_ADDRESS.