On Wed, Sep 27, 2017 at 10:03 AM, Marcus Rueckert darix@opensu.se wrote:
On 2017-09-27 16:57:44 +0000, Mark Moseley wrote:
I've been digging into the auth policy stuff with weakforced lately. There are cases (IP ranges, so could be wrapped up in remote {} blocks) where it'd be nice to skip the auth policy (internal hosts that I can trust, but that are hitting the same servers as the outside world).
Is there any way to disable auth policy, possibly inside a remote{}?
auth_policy_server_url complains that it can't be used inside a remote block, so no dice there. Anything I'm missing?
From my config:
allowed_subnets=newNetmaskGroup() allowed_subnets:addMask('fe80::/64') allowed_subnets:addMask('127.0.0.0/8') [snip] if (not(allowed_subnets.match(lt.remote))) -- do GeoIP check endof course could just skip all checks in that case if really wanted. but you probably want to be careful not to skip too many checks otherwise the attack moves from your imap port e.g. to your webmailer.
Hi. Yup, I've got my own whitelisting going on, on the wforce side of things. I'm just looking to forgo the 3 HTTP reqs completely to wforce, from the dovecot side, if possible. I've got some internal services that can generate a significant amount of dovecot logins, but it's kind of silly to keep doing auth policy lookups for those internal servers.
To continue the Lua thread, I was thinking I could also drop a local openresty to do some conditional lookups. I.e. if remote IP is known good, a localhost nginx just sends back the response; if not a known good IP, then proxy the req over to the wforce cluster. That might be a bit overkill though :)