we operate the application in kubernetes and want to avoid access to internal ressources via request-baskets, as it can be turned into an open proxy. the most flexible use is probably to provide the ability to allow/deny domains and ip ranges.
example use cases:
-
request-baskets --allow-domain example.com --deny-domain dev.example.com
baskets can only be configured with URLs with example.com
as domain (e.g. https://api.prod.example.com),
except URLs pointing to dev.example.com
(e.g. https://api.dev.example.com)
-
request-baskets --deny-domain cluster.local
baskets can forward any URL except to URLS under the
cluster.local domain
-
request-baskets --deny-address 127.0.0.0/8
baskets can not forward URLs pointing to the loopback
interface
-
request-baskets --deny-private-address
shortcut for denying forwards to all addresses designated
for private use (192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8) by the IANA
-
request-baskets --allow-address 192.168.1.0/24 --deny-address 192.168.1.1/32 --deny-address 192.168.1.254/32
only URLs resolving to a class B private net are allowed,
except 192.168.1.1 and 192.168.1.254
by default, everything is allowed and nothing is denied (just as
before). denials are applied after allowances, so that you
can allow on a broad scale and deny granular.
given that the validation only has to be performed on basket
creation/updates, the resource overhead for domain resolution
should be relatively low.
we operate the application in kubernetes and want to avoid access to internal ressources via request-baskets, as it can be turned into an open proxy. the most flexible use is probably to provide the ability to allow/deny domains and ip ranges.
example use cases:
request-baskets --allow-domain example.com --deny-domain dev.example.combaskets can only be configured with URLs with
example.comas domain (e.g.
https://api.prod.example.com),except URLs pointing to
dev.example.com(e.g.
https://api.dev.example.com)request-baskets --deny-domain cluster.localbaskets can forward any URL except to URLS under the
cluster.localdomainrequest-baskets --deny-address 127.0.0.0/8baskets can not forward URLs pointing to the loopback
interface
request-baskets --deny-private-addressshortcut for denying forwards to all addresses designated
for private use (
192.168.0.0/16,172.16.0.0/12,10.0.0.0/8) by the IANArequest-baskets --allow-address 192.168.1.0/24 --deny-address 192.168.1.1/32 --deny-address 192.168.1.254/32only URLs resolving to a class B private net are allowed,
except
192.168.1.1and192.168.1.254by default, everything is allowed and nothing is denied (just as
before). denials are applied after allowances, so that you
can allow on a broad scale and deny granular.
given that the validation only has to be performed on basket
creation/updates, the resource overhead for domain resolution
should be relatively low.