policy: add textual IP parser; add some more examples

30f8c3db · Sergey Prokhorov · 3786e263 · 30f8c3db · 30f8c3db
Unverified Commit 30f8c3db authored Aug 21, 2019 by Sergey Prokhorov
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 10 deletions

README.md README.md +32 -6

mtp_policy.erl src/mtp_policy.erl +20 -4

No files found.
--- a/README.md
+++ b/README.md
@@ -358,11 +358,35 @@ the same as 100 unique "users"! Each telegram client opens up to 8 connections;
    <..>
 ```

-#### Limit number of connections with single fake-TLS domain; only allow certain domains
+#### Disallow connections from some IPs

-We basically can assign each customer unique fake-TLS domain, give them unique TLS secret
-and allow only 10 connections with this fake-TLS secret, so, they will not shere their credentials with
-others:
+```erlang
+{mtproto_proxy
+ [
+   {policy,
+     [{not_in_table, client_ipv4, ip_blacklist}]},
+   {ports,
+     <..>
+```
+
+And then add IPs to blacklist with command:
+
+```bash
+/opt/mtp_proxy/bin/mtp_proxy eval '
+mtp_policy_table:add(ip_blacklist, client_ipv4, "203.0.113.1")'
+```
+
+Remove from blacklist:
+
+```bash
+/opt/mtp_proxy/bin/mtp_proxy eval '
+mtp_policy_table:del(ip_blacklist, client_ipv4, "203.0.113.1")'
+```
+
+#### Personal proxy / multi-secret proxy
+
+We can limit number of connections with single fake-TLS domain and only allow connections
+with fake-TLS domains from whitelist.

 ```erlang
 {mtproto_proxy
@@ -374,14 +398,16 @@ others:
     <..>
 ```

-After that we can create unique fake-TLS secret for each customer using command like this:
+Now we can assign each customer unique fake-TLS domain and give them unique TLS secret.
+Because we only allow 10 connections with single fake-TLS secret, they will not be able to
+share their credentials with others:

 ```bash
 /opt/mtp_proxy/bin/mtp_proxy eval '
 PortName = mtp_handler_1,
 {ok, ProxySecret} = mtproto_proxy_app:get_port_secret(PortName),
 NumRecords = mtp_policy_table:table_size(customer_domains),
-SubDomain = mtp_handler:hex(<<NumRecords:16, (crypto:strong_rand_bytes(2))/binary>>),
+SubDomain = mtp_handler:hex(<<NumRecords:16, (crypto:strong_rand_bytes(4))/binary>>),
 Domain = <<SubDomain/binary, ".google.com">>,
 mtp_policy_table:add(customer_domains, tls_domain, Domain),
 Secret = mtp_fake_tls:format_secret_hex(ProxySecret, Domain),

--- a/src/mtp_policy.erl
+++ b/src/mtp_policy.erl
@@ -116,17 +116,33 @@ convert(tls_domain, Domain) when is_binary(Domain) ->
    Domain;
 convert(tls_domain, DomainStr) when is_list(DomainStr) ->
    convert(tls_domain, list_to_binary(DomainStr));
-convert(client_ipv4, Ip) ->
+convert(client_ipv4, Ip0) ->
+    Ip = parse_ip(v4, Ip0),
    <<I:32/unsigned-little>> = mtp_rpc:inet_pton(Ip),
    I;
-convert(client_ipv6, Ip) ->
+convert(client_ipv6, Ip0) ->
+    Ip = parse_ip(v6, Ip0),
    <<I:128/unsigned-little>> = mtp_rpc:inet_pton(Ip),
    I;
-convert({client_ipv4_subnet, Mask}, Ip) ->
+convert({client_ipv4_subnet, Mask}, Ip0) ->
+    Ip = parse_ip(v4, Ip0),
    <<I:Mask/unsigned-little, _/bits>> = mtp_rpc:inet_pton(Ip),
    I;
-convert({client_ipv6_subnet, Mask}, Ip) ->
+convert({client_ipv6_subnet, Mask}, Ip0) ->
+    Ip = parse_ip(v6, Ip0),
    <<I:Mask/unsigned-little, _/bits>> = mtp_rpc:inet_pton(Ip),
    I.

+parse_ip(v4, Tup) when is_tuple(Tup),
+                       tuple_size(Tup) == 4 ->
+    Tup;
+parse_ip(v6, Tup) when is_tuple(Tup),
+                       tuple_size(Tup) == 8 ->
+    Tup;
+parse_ip(v4, Str) when is_list(Str) ->
+    {ok, Ip} = inet:parse_ipv4_address(Str),
+    Ip;
+parse_ip(v6, Str) when is_list(Str) ->
+    {ok, Ip} = inet:parse_ipv6_address(Str),
+    Ip.