IP allow/deny lists with CIDR matching.
A front door often needs a coarse network gate independent of auth — “lock /admin (or the
whole app) to the office IP / VPN range”, “drop this abusive subnet”. [access] provides it:
allow and deny lists of plain IPs and CIDR ranges, evaluated against the resolved client
IP before auth and rate limiting. deny wins over allow; a non-empty allow is a
whitelist. The lists are compiled into an AccessPolicy held on the hot-swappable runtime (None when
both lists are empty, so the proxy skips the check entirely).
CIDR matching is implemented directly (no extra dependency): each entry is normalized to a
base address + prefix length, and an address matches when its high prefix bits equal the
base’s. IPv4 and IPv6 are kept separate — a v4 client never matches a v6 rule, and
vice-versa.
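A sketch of the matching and evaluation order described above, added here as an illustration and not taken from the crate's source. Net, Policy, parse, contains, compile and permits are hypothetical names, and rejecting an unparsable entry at compile time is an assumption.

```rust
use std::net::IpAddr;

// Hypothetical types for illustration; not the crate's AccessPolicy.
#[derive(Clone, Copy)]
enum Net { V4(u32, u8), V6(u128, u8) } // (normalized base address, prefix length)
struct Policy { allow: Vec<Net>, deny: Vec<Net> }

// Mask with the top `len` bits set. A /0 prefix is special-cased: shifting by the full width overflows.
fn mask32(len: u8) -> u32 { if len == 0 { 0 } else { u32::MAX << (32 - len as u32) } }
fn mask128(len: u8) -> u128 { if len == 0 { 0 } else { u128::MAX << (128 - len as u32) } }

// Accepts a plain IP or "addr/len"; host bits are cleared so 10.1.2.3/8 normalizes to 10.0.0.0/8.
fn parse(entry: &str) -> Option<Net> {
    let (addr, len) = match entry.trim().split_once('/') {
        Some((a, l)) => (a, Some(l.parse::<u8>().ok()?)),
        None => (entry.trim(), None),
    };
    match addr.parse::<IpAddr>().ok()? {
        IpAddr::V4(a) => len.or(Some(32)).filter(|l| *l <= 32).map(|l| Net::V4(u32::from(a) & mask32(l), l)),
        IpAddr::V6(a) => len.or(Some(128)).filter(|l| *l <= 128).map(|l| Net::V6(u128::from(a) & mask128(l), l)),
    }
}

// An address matches when its high prefix bits equal the base's; families never cross-match.
fn contains(net: Net, ip: IpAddr) -> bool {
    match (net, ip) {
        (Net::V4(base, len), IpAddr::V4(a)) => (u32::from(a) & mask32(len)) == base,
        (Net::V6(base, len), IpAddr::V6(a)) => (u128::from(a) & mask128(len)) == base,
        _ => false,
    }
}

// None when both lists are empty. A bad entry is an error (assumption), never silently dropped.
fn compile(allow: &[&str], deny: &[&str]) -> Result<Option<Policy>, String> {
    fn all(l: &[&str]) -> Result<Vec<Net>, String> {
        l.iter().map(|e| parse(e).ok_or_else(|| format!("bad entry: {e}"))).collect()
    }
    let (allow, deny) = (all(allow)?, all(deny)?);
    Ok(if allow.is_empty() && deny.is_empty() { None } else { Some(Policy { allow, deny }) })
}

// deny wins over allow; a non-empty allow list admits only what it names.
fn permits(p: &Policy, ip: IpAddr) -> bool {
    !p.deny.iter().any(|n| contains(*n, ip))
        && (p.allow.is_empty() || p.allow.iter().any(|n| contains(*n, ip)))
}

fn main() { // constructed sample rules and client addresses
    let p = compile(&["10.0.0.0/8", "2001:db8::/32"], &["10.9.0.0/16"]).unwrap().unwrap();
    for ip in ["10.1.2.3", "10.9.0.1", "192.0.2.1"] { println!("{ip} -> {}", permits(&p, ip.parse().unwrap())); }
}
```

In this example an IPv4-mapped IPv6 address such as ::ffff:10.1.2.3 parses as IPv6 and therefore does not match the 10.0.0.0/8 rule; whether the crate canonicalizes such addresses before matching is not stated on this page.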
Structs§
- AccessPolicy - Compiled allow/deny policy.