Auth & Auth

Swindon currently supports authorization based on source ip address. Ldap authorization is in the works.

Authorization Table

Changed in version v0.7.0.

Authorizer are flagged in routing table as @authorizer.

routing:
  corporate.example.com: site @corporate-network
  corporate.example.com/admin: admin @super-admins

Everything is allowed by default (because it’s a web server, it’s here to publish things). But you can override it by setting default authorizer, which applies implicitly.

Note that unlike handlers, authorizers are inherited across paths and subdomains unless overrriden:

routing:
    "*.example.org": site @auth1
    "example.org": main-site
    "example.org/admin": admin @admin
    "example.org/admin/something": something
    "example.org/otherthing": otherthing

Is equivalent to:

routing:
    "*.example.org": site @auth1
    "example.org": main-site @auth1
    "example.org/admin": admin @admin
    "example.org/admin/something": something @admin
    "example.org/otherthing": otherthing @auth1

Also note that exact domain is more specific star domain:

routing:
    "*.example.org": handler
    "example.org": handler @auth

Here the auth is not applied to somethign.example.org, but in this case:

routing:
    "*.example.org": handler @auth

The authorization (as well as handler) is applied both for the main site example.org and all the subdomains.

The routing here is the same as in normal routing table, in particular: corporate-network limit is not obeyed on corporate.example.com/admin.

Authorizers

Authorizers section contains named authorizers. For example:

authorizers:
  corporate-network: !SourceIp
     allowed-network: corporate-ip-group
     forwarded-ip-header: X-Remote-Ip
     accept-forwarded-headers-from: frontend-servers

Note by default there is a hidden default authorizer:

authorizers:
  default: !AllowAll

You can override it and it will be used for anything having no authorizer:

authorizers:
  default: !SourceIp
    allowed-network: localhost

AllowAll Authorizer

This authorizer allows everybody access the page. It’s here to be used as default one, but maybe specified explicitly if default is overriden or just for convenience.

public-data: !AllowAll

Source Ip Authorizer

Source IP authorizer looks like this:

corporate-network: !SourceIp
   allowed-network: corporate-ip-group
   forwarded-ip-header: X-Remote-Ip
   accept-forwarded-headers-from: frontend-servers

Settings:

allowed-network

(required) Name of the network to allow access from. The network is got from networks section.

accept-forwarded-headers-from

(optional) Sometimes clients do not connect to this instance of swindon directly but are proxied from another instance. This means that real IP address where swindon receives a connection from is upstream server rather than real client. In this case, real client IP address is transferred in header specified by forwarded-ip-header.

To prevent faking the IP address we accept this header only from allowed networks specified in this setting.

forwarded-ip-header

(optional) Name of the header where to read IP address from if the source address is within the accept-forwarded-headers-from network.