
feat(server): add IP access control via --allow-ips / --deny-ips #15

Merged: HuRuilizhen merged 3 commits into release from feat/ip-access-control on May 11, 2026

@HuRuilizhen (Owner)

Scope

  • Add --allow-ips and --deny-ips CLI options supporting comma-separated
    IPs / CIDR notation (e.g., 192.168.1.0/24)
  • Enforce access rules in the file download handler:
    • deny‑list match → 403 Forbidden
    • allow‑list present with no match → 403 Forbidden
    • no rules → allow all (current default)
  • Surface active rules in the startup banner for easy verification

Implementation

  • New CLI flags parsed with clap::value_parser!(IpNet)
  • ipnet crate for CIDR matching
  • Client IP extracted via axum::extract::ConnectInfo<SocketAddr>
  • AppState::is_ip_allowed() encapsulates the allow/deny logic

Testing

  • cargo check
  • cargo clippy --all-targets --all-features
  • cargo fmt

Notes

  • This PR does not change existing file-serving behavior when no IP
    rules are provided
  • The startup banner displays Allow IPs / Deny IPs only when
    the corresponding lists are non‑empty
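
The rule order described above (deny match, then allow list, then default allow) as an added example; it is not the project's code. It assumes a std-only `Cidr` type standing in for the `ipnet` crate, hypothetical helpers `parse_cidr`, `parse_list` and `contains`, a free-function form of `is_ip_allowed`, and constructed sample rules; unmapping `::ffff:a.b.c.d` peers before matching is an added assumption the PR does not mention.

```rust
use std::net::IpAddr;

// Std-only stand-in for ipnet::IpNet: a network address plus prefix length.
struct Cidr { addr: IpAddr, bits: u32 }

// Accepts "192.168.1.0/24" or a bare address (treated as /32 or /128).
fn parse_cidr(s: &str) -> Option<Cidr> {
    let (ip, len) = s.trim().split_once('/').map_or((s.trim(), None), |(i, l)| (i, Some(l)));
    let addr: IpAddr = ip.parse().ok()?;
    let max: u32 = if addr.is_ipv4() { 32 } else { 128 };
    let bits: u32 = match len { Some(l) => l.parse().ok()?, None => max };
    (bits <= max).then_some(Cidr { addr, bits })
}

// A malformed entry rejects the whole list instead of being silently dropped.
fn parse_list(s: &str) -> Option<Vec<Cidr>> {
    if s.trim().is_empty() { return Some(Vec::new()); }
    s.split(',').map(parse_cidr).collect()
}

fn contains(net: &Cidr, ip: IpAddr) -> bool {
    let (a, b, width) = match (net.addr, ip) {
        (IpAddr::V4(n), IpAddr::V4(i)) => (u32::from(n) as u128, u32::from(i) as u128, 32),
        (IpAddr::V6(n), IpAddr::V6(i)) => (u128::from(n), u128::from(i), 128),
        _ => return false, // address families differ
    };
    net.bits == 0 || (a >> (width - net.bits)) == (b >> (width - net.bits))
}

// Order from the PR description: deny match -> block; allow list set but no match -> block.
fn is_ip_allowed(ip: IpAddr, allow: &[Cidr], deny: &[Cidr]) -> bool {
    // Assumption: an IPv4 peer seen on a dual-stack socket arrives as ::ffff:a.b.c.d.
    let ip = match ip {
        IpAddr::V6(a) => a.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        v4 => v4,
    };
    if deny.iter().any(|n| contains(n, ip)) { return false; }
    allow.is_empty() || allow.iter().any(|n| contains(n, ip))
}

fn main() {
    let allow = parse_list("192.168.1.0/24").unwrap(); // constructed sample rules
    let deny = parse_list("192.168.1.66").unwrap();
    for ip in ["192.168.1.10", "192.168.1.66", "10.0.0.1", "::ffff:192.168.1.10"] {
        println!("{ip} -> {}", is_ip_allowed(ip.parse().unwrap(), &allow, &deny));
    }
}
```

Without the unmapping step, an IPv4 CIDR rule never matches a client reported in IPv4-mapped form, so a deny entry would be skipped and an allow entry would block a legitimate client.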

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 40a98791bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/server/handler.rs
@HuRuilizhen (Owner, Author)

Enforce IP filter on all file-discovery endpoints

Addressed in a454f77.

Applied the same is_ip_allowed() gate to both index_page (/) and list_files (/files) so that the IP ACL covers all public endpoints consistently. Blocked clients now receive 403 Forbidden on any endpoint, eliminating the information-disclosure bypass.

@HuRuilizhen merged commit f36671a into release on May 11, 2026
1 check passed
@HuRuilizhen deleted the feat/ip-access-control branch on May 11, 2026 08:31