IP Restriction at TCP Level.

[rohank2002]

Summary

I am using Kong IP restriction plugin, according to the documentation its only compatible with HTTP and HTTPs, wanted to apply it at TCP level. Is there such a provision in Kong? Or a work around.

[bungle]

That should be doable. PR welcome, or I/we (at Kong) can take a look, but cannot promise exactly when.

[scrudge]

We are willing to submit a PR, if someone can point us in the right direction.

[dndx]

Hello @scrudge,

If you use the L4 proxy functionalities provided by Kong, It should works at the L3. See: https://docs.konghq.com/2.2.x/proxy/#proxy-tcptls-traffic

The reason why Kong's IP restriction plugin under HTTP mode (and Nginx's own ngx_http_access_module, for that matter) works in L7 mode is because the client may present headers such as X-Forwarded-For which is not available at L3. If we close the connection early, we will have no chance to know if the request contains any of such headers, or if such header should be trusted, etc.

[Mokto]

Sorry for reviving this but has anyone managed to use TCPIngress with ip restriction?

apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: clickhouse
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: ip-restriction
spec:
  rules:
  - host: XXXX-tcp.domain.io
    port: 9443
    backend:
      serviceName: clickhouse-lb
      servicePort: 9000

The IP restriction works for HTTP but not TCP.

[merusso]

The plugin currently only works for HTTP, not TCP.

See:

• https://docs.konghq.com/hub/kong-inc/ip-restriction/
• https://github.com/Kong/kong/blob/master/kong/plugins/ip-restriction/schema.lua#L7

We want for this to work on TCPIngress objects also. It looks like the plugin needs to be reworked to support TCP.

Ideally it would use the configured real_ip_header if available, fallback to proxy_protocol source IP if available, or fallback to TCP source IP as a last resort.

[hbagdi]

Re-opening this since this is a fair ask.
When operating at L4, the TCP byte stream won't be available. The plugin will probably restrict based on peer IP address or the IP obtained via proxy protocol (provided it comes from a trusted_ips).

PRs welcome.

[scrudge]

We are currently testing these changes. Plan on submitting PR in the near future.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[merusso]

The change we've made is based on release/2.8.x. Can we submit a PR to merge these changes into a new 2.x release?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[locao]

@merusso thank you for your interest in submitting a new feature for Kong!

Kong 2.8 is not under active development now, this means we are only adding fixes to bugs or security vulnerabilities, and a new feature would not see the sunlight. Please, open a PR targeting master and we will review it.

[scrudge]

@locao We have also included a PR for the master branch as well. We are requesting that both PRs be accepted, as we are currently stuck on 2.8.x because of open issue we have with v3 that prevents us from upgrading. I'll update the Kong support ticket with more info.

[merusso]

Can this issue be reopened? We have open PRs meant to resolve this issue.

[hbagdi]

Reopening to keep tracking this.

[locao]

We forgot to remove the "pending author feedback" label so it was closed. Reopening.