Allow filtering by remote addresses (#52)

* Added the possibility to define rules for remote addresses

* Added change in changelog

* Added check for X-Real-Ip and X-Forwarded-For when checking for remote address filtering

* cmd/anubis: refine IP filtering logic

* Optimize the configuration so that the IP trie is created once at
  application start instead of dynamically being created every request.
* Document the changes in the changelog and docs site.
* Allow pure IP range filtering.
* Allow user agent based IP range filtering.
* Allow path based IP range filtering.
* Create --debug-x-real-ip-default flag for testing Anubis locally
  without a HTTP load balancer.

---------

Co-authored-by: Xe Iaso <me@xeiaso.net>

cmd/anubis/internal/config/config.go

@@ -3,6 +3,7 @@ package config
 import (
 	"errors"
 	"fmt"
+	"net"
 	"regexp"
 )
 
@@ -28,17 +29,19 @@ type Bot struct {
 	UserAgentRegex *string         `json:"user_agent_regex"`
 	PathRegex      *string         `json:"path_regex"`
 	Action         Rule            `json:"action"`
+	RemoteAddr     []string        `json:"remote_addresses"`
 	Challenge      *ChallengeRules `json:"challenge,omitempty"`
 }
 
 var (
 	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
 	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
-	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex, or remote_addresses")
 	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
 	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
 	ErrInvalidPathRegex                  = errors.New("config.Bot: invalid path regex")
+	ErrInvalidCIDR                       = errors.New("config.Bot: invalid CIDR")
 )
 
 func (b Bot) Valid() error {
@@ -48,7 +51,7 @@ func (b Bot) Valid() error {
 		errs = append(errs, ErrBotMustHaveName)
 	}
 
-	if b.UserAgentRegex == nil && b.PathRegex == nil {
+	if b.UserAgentRegex == nil && b.PathRegex == nil && (b.RemoteAddr == nil || len(b.RemoteAddr) == 0) {
 		errs = append(errs, ErrBotMustHaveUserAgentOrPath)
 	}
 
@@ -68,6 +71,14 @@ func (b Bot) Valid() error {
 		}
 	}
 
+	if b.RemoteAddr != nil && len(b.RemoteAddr) > 0 {
+		for _, cidr := range b.RemoteAddr {
+			if _, _, err := net.ParseCIDR(cidr); err != nil {
+				errs = append(errs, ErrInvalidCIDR, err)
+			}
+		}
+	}
+
 	switch b.Action {
 	case RuleAllow, RuleChallenge, RuleDeny:
 		// okay

cmd/anubis/internal/config/config_test.go

@@ -129,6 +129,44 @@ func TestBotValid(t *testing.T) {
 			},
 			err: ErrChallengeRuleHasWrongAlgorithm,
 		},
+		{
+			name: "invalid cidr range",
+			bot: Bot{
+				Name:       "mozilla-ua",
+				Action:     RuleAllow,
+				RemoteAddr: []string{"0.0.0.0/33"},
+			},
+			err: ErrInvalidCIDR,
+		},
+		{
+			name: "only filter by IP range",
+			bot: Bot{
+				Name:       "mozilla-ua",
+				Action:     RuleAllow,
+				RemoteAddr: []string{"0.0.0.0/0"},
+			},
+			err: nil,
+		},
+		{
+			name: "filter by user agent and IP range",
+			bot: Bot{
+				Name:           "mozilla-ua",
+				Action:         RuleAllow,
+				UserAgentRegex: p("Mozilla"),
+				RemoteAddr:     []string{"0.0.0.0/0"},
+			},
+			err: nil,
+		},
+		{
+			name: "filter by path and IP range",
+			bot: Bot{
+				Name:       "mozilla-ua",
+				Action:     RuleAllow,
+				PathRegex:  p("^.*$"),
+				RemoteAddr: []string{"0.0.0.0/0"},
+			},
+			err: nil,
+		},
 	}
 
 	for _, cs := range tests {

cmd/anubis/internal/config/testdata/good/allow_everyone.json

@@ -0,0 +1,12 @@
+{
+  "bots": [
+    {
+      "name": "everyones-invited",
+      "remote_addresses": [
+        "0.0.0.0/0",
+        "::/0"
+      ],
+      "action": "ALLOW"
+    }
+  ]
+}