add IP filtering whitelist

[tomkralidis]

W2AT 2023-11-14:

• as per WIS node authorization requirements wis2pilot#109 (comment) add optional IP restrictions for wis2node allowing access to wis2node services

We could add an include in nginx setup for IP whitelisting (allow/deny), for example.

[maaikelimper]

We would also have to support the whitelisting for the MQTT broker in that case , right ?

Normally I would expect users to configure the IP restrictions upstream, like in the security group of the cloud-hosted instance or in the firewall of the network hosting their server.
Do you see any use-case whereby a user would want apply the IP restrictions at the level of the wis2box-services ?

[tomkralidis]

The use case for application level IP filtering supports the case where the deployment does not have options to have this set at the firewall/cloud level.

[kurt-hectic]

I think that most security conscious operators (likely those requiring IP filtering), will not implement fire-walling as part of the application stack that is protected, but with a dedicated firewall.
For example the AWS-borne wis2boxes would implement this by implementing a AWS Security Group, separating concerns of application and protection.

[maaikelimper]

enrico to decided if/when we want to implement this