Skip to content

Exempt internal pod network (10.42.0.0/16) from the scanner-probe block#57

Merged
Robbie1977 merged 1 commit into
mainfrom
feature/whitelist-internal-net
Jun 27, 2026
Merged

Exempt internal pod network (10.42.0.0/16) from the scanner-probe block#57
Robbie1977 merged 1 commit into
mainfrom
feature/whitelist-internal-net

Conversation

@Robbie1977

Copy link
Copy Markdown
Contributor

What

Exempt trusted internal networks from the scanner-probe block in ha_api.security_middleware.

The middleware path-allowlists requests and 404s everything else as a "scanner probe", keyed on request.remote. In-cluster traffic arrives from the Rancher/Canal pod network (10.42.0.0/16) — the V3 cache, the frontend backend, and the post-release warmup tool — and was being caught and logged as probes.

  • Adds _is_trusted_remote() + a TRUSTED_NETWORKS allowlist (default 10.42.0.0/16,127.0.0.0/8,::1/128, overridable via the TRUSTED_NETWORKS env var).
  • Trusted in-cluster requests bypass the probe block and reach normal routing; an unknown path still 404s via the router, but is no longer counted or logged as a probe.

No change for external traffic — the allowlist + probe block still apply.

Verified

Unit-checked the matcher: 10.42.28.137, 10.42.250.176, 127.0.0.1, ::1 → trusted; 10.43.0.5, 192.168.1.5, 8.8.8.8, public IPs, None, and malformed strings → not trusted.

@Robbie1977 Robbie1977 merged commit 2dc5e1e into main Jun 27, 2026
0 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant