feat: As a user, I want to be able to set ip-restriction plugin http response code to 404

[papdaniel]

Description

Now the default and only response code is 403 in ip-restriction plugin. I'd like to set it to 404 to hide the endpoints from black-listed/not white-listed sources, to not give the attackers a hint that there are some resources that they don't have access to.

[papdaniel]

I wanted to contribute, but spent a few hours to make the (any existing) tests run locally, but didn't succeed.. Followed these docs:
https://github.com/apache/apisix/blob/master/docs/en/latest/internal/testing-framework.md#run-the-test
https://github.com/apache/apisix/blob/master/docs/en/latest/build-apisix-dev-environment-on-mac.md
for me, none of them worked.

[juzhiyuan]

Hi @papdaniel, from the description, I didn't know what kind of errors you encountered.

I have two ideas:

1. You can use https://github.com/api7/apisix-plugin-template to write and run test cases.
2. Please take some time to organize the steps, expectations, and errors in details so that I or others can try to help you.

[papdaniel]

Hello @juzhiyuan!
As I need a simple modification in ip-restriction plugin I'd just add my test cases to t/plugin/ip-restriction.t, and to run I'd go with this https://github.com/apache/apisix/blob/master/docs/en/latest/build-apisix-dev-environment-on-mac.md description which seems quite straightforward with docker. I've done all the steps, and tried to run the test file (first without any modification):
docker exec -it apisix-dev-env prove t/plugin/ip-restriction.t
I'm getting:

t/plugin/ip-restriction.t .. 1/? 
#   Failed test 'ERROR: client socket timed out - t/plugin/ip-restriction.t TEST 1: sanity
# '
#   at /usr/local/share/perl/5.30.0/Test/Nginx/Socket.pm line 2206.

#   Failed test 't/plugin/ip-restriction.t TEST 1: sanity - status code ok'
#   at /usr/local/share/perl/5.30.0/Test/Nginx/Socket.pm line 949.
#          got: ''
#     expected: '200'

#   Failed test 't/plugin/ip-restriction.t TEST 1: sanity - response_body - response is expected (repeated req 0, req 0)'
#   at /usr/local/share/perl/5.30.0/Test/Nginx/Socket.pm line 1660.
#          got: ''
#     expected: '{"message":"Your IP address is not allowed","whitelist":["10.255.254.0/24","192.168.0.0/16"]}
# '
....

[Baoyuantop]

ERROR: client socket timed out

Maybe try increasing the timeout configuration in test case.

[papdaniel]

Maybe try increasing the timeout configuration in test case.

Thank you, that was it. I also needed to pull git submodules to make it work

[juzhiyuan]

Hi @papdaniel, thank you for your PR. I understand that you want to hide any hints to secure your endpoints, but I'm not sure if we really need this option inside APISIX core codes (cc @bzp2010 @moonming). Could you share any references that also support this feature? Any links would be helpful.

I know some organizations would create a repository with a specific plugin to enable the feature dynamically.

[papdaniel]

Hi @juzhiyuan!
The idea is security through obscurity. Even github uses this technique, try accessing one of my private repos: https://github.com/papdaniel/parkcheck Of course in this case the application who returns 404, but it's the same idea, we just want to return 404 for blacklisted ip addresses, not users who have no access to the resource.
I think it's not a unique requirement, others would use this feature if it was available, it's just another extra security layer. We use apisix because its highly configurable core plugins which really hard to find in other solutions. This could be another cool feature.

[moonming]

Hi @juzhiyuan! The idea is security through obscurity. Even github uses this technique, try accessing one of my private repos: https://github.com/papdaniel/parkcheck Of course in this case the application who returns 404, but it's the same idea, we just want to return 404 for blacklisted ip addresses, not users who have no access to the resource. I think it's not a unique requirement, others would use this feature if it was available, it's just another extra security layer. We use apisix because its highly configurable core plugins which really hard to find in other solutions. This could be another cool feature.

That's right, we hope APISIX can be more flexible to meet the needs of different users