Feature request: validation by ip addresss (use Nginx's `satisfy any;` instead)

[nrukavkov]

I want to suggest you add a feature for validation by IP before validation by a provider (google for example).

Here is a real case... We have a private web resource, which should be protected by vouch-proxy. But we have web requests from the internal network and also external. I suppose it would be very useful to not disturb users from the internal network.

Unfortunately, it is not possible to realize using Nginx. (because 'if' is not allowed for auth_request)

[aaronpk]

I am strongly opposed to any sort of IP-based filtering as that violates the principle of zero trust. I would recommend accomplishing this with the future client credentials grant described in #362

[nrukavkov]

I understand. But it is not about browser clients. I have build agent(teamcity) and I do not know how to use vouch-proxy for external clients and build agents together without tricks like creating a mirror of server section, etc.

[bnfinet]

@nrukavkov you can use Nginx's satisfy any; directive to achieve that...
http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy

Here's a setup I use where some of the services should not go through VP

in the server {} block..

satisfy any;

# see if we are allowed by IP
deny 192.168.0.1;             # anything from the router is likely nat'd from outside
allow 192.168.2.0/32;         # allow special ip's on your network
allow 127.0.0.1;              # and localhost too
deny all;

# if not send all requests to the `/validate` endpoint for authorization
auth_request /validate;

[nrukavkov]

Thank you