feat(acl): connection level ip/geo blocking

- fixed access log logic
- implement acl at connection level
- acl logging
- ip/cidr blocking
- geoblocking with MaxMind database

internal/acl/city_cache.go

@@ -0,0 +1,39 @@
+package acl
+
+import (
+	"github.com/puzpuzpuz/xsync/v3"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"go.uber.org/atomic"
+)
+
+var cityCache = xsync.NewMapOf[string, *acl.City]()
+var numCachedLookup atomic.Uint64
+
+func (cfg *MaxMindConfig) lookupCity(ip *acl.IPInfo) (*acl.City, bool) {
+	if ip.City != nil {
+		return ip.City, true
+	}
+
+	if cfg.db.Reader == nil {
+		return nil, false
+	}
+
+	city, ok := cityCache.Load(ip.Str)
+	if ok {
+		numCachedLookup.Inc()
+		return city, true
+	}
+
+	cfg.db.RLock()
+	defer cfg.db.RUnlock()
+
+	city = new(acl.City)
+	err := cfg.db.Lookup(ip.IP, city)
+	if err != nil {
+		return nil, false
+	}
+
+	cityCache.Store(ip.Str, city)
+	ip.City = city
+	return city, true
+}

internal/acl/config.go

@@ -0,0 +1,215 @@
+package acl
+
+import (
+	"net"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/rs/zerolog"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      []string                   `json:"allow"`
+	Deny       []string                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	MaxMind *MaxMindConfig `json:"maxmind" validate:"omitempty"`
+
+	config
+}
+
+type (
+	MaxMindDatabaseType string
+	MaxMindConfig       struct {
+		AccountID  string              `json:"account_id" validate:"required"`
+		LicenseKey string              `json:"license_key" validate:"required"`
+		Database   MaxMindDatabaseType `json:"database" validate:"required,oneof=geolite geoip2"`
+
+		logger     zerolog.Logger
+		lastUpdate time.Time
+		db         struct {
+			*maxminddb.Reader
+			sync.RWMutex
+		}
+	}
+)
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	allow        []matcher
+	deny         []matcher
+	ipCache      *xsync.MapOf[string, *checkCache]
+	logAllowed   bool
+	logger       *accesslog.AccessLogger
+}
+
+type checkCache struct {
+	*acl.IPInfo
+	allow   bool
+	created time.Time
+}
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).After(utils.TimeNow())
+}
+
+//TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+const (
+	MaxMindGeoLite MaxMindDatabaseType = "geolite"
+	MaxMindGeoIP2  MaxMindDatabaseType = "geoip2"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		return gperr.New("invalid default value").Subject(c.Default)
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.MaxMind != nil {
+		c.MaxMind.logger = logging.With().Str("type", string(c.MaxMind.Database)).Logger()
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	errs := gperr.NewBuilder("syntax error")
+	c.allow = make([]matcher, 0, len(c.Allow))
+	c.deny = make([]matcher, 0, len(c.Deny))
+
+	for _, s := range c.Allow {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.allow = append(c.allow, m)
+	}
+	for _, s := range c.Deny {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.deny = append(c.deny, m)
+	}
+
+	if errs.HasError() {
+		c.allow = nil
+		c.deny = nil
+		return errMatcherFormat.With(errs.Error())
+	}
+
+	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && (len(c.allow) > 0 || len(c.deny) > 0 || c.allowLocal)
+}
+
+func (c *Config) Start(parent *task.Task) gperr.Error {
+	if c.MaxMind != nil {
+		if err := c.MaxMind.LoadMaxMindDB(parent); err != nil {
+			return err
+		}
+	}
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	return nil
+}
+
+func (c *config) cacheRecord(info *acl.IPInfo, allow bool) {
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: utils.TimeNow(),
+	})
+}
+
+func (c *config) log(info *acl.IPInfo, allowed bool) {
+	if c.logger == nil {
+		return
+	}
+	if !allowed || c.logAllowed {
+		c.logger.LogACL(info, !allowed)
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow private and loopback
+	// loopback is not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.log(&acl.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.log(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &acl.IPInfo{IP: ip, Str: ipStr}
+	for _, m := range c.allow {
+		if m(ipAndStr) {
+			c.log(ipAndStr, true)
+			c.cacheRecord(ipAndStr, true)
+			return true
+		}
+	}
+	for _, m := range c.deny {
+		if m(ipAndStr) {
+			c.log(ipAndStr, false)
+			c.cacheRecord(ipAndStr, false)
+			return false
+		}
+	}
+
+	c.log(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}

internal/acl/matcher.go

@@ -0,0 +1,99 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type matcher func(*acl.IPInfo) bool
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeISO      = "iso"
+)
+
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|iso",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"iso:GB",
+)
+var (
+	errSyntax               = gperr.New("syntax error")
+	errInvalidIP            = gperr.New("invalid IP")
+	errInvalidCIDR          = gperr.New("invalid CIDR")
+	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+)
+
+func (cfg *Config) parseMatcher(s string) (matcher, gperr.Error) {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return nil, errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return nil, errInvalidIP
+		}
+		return matchIP(ip), nil
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return nil, errInvalidCIDR
+		}
+		return matchCIDR(net), nil
+	case MatcherTypeTimeZone:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchTimeZone(parts[1]), nil
+	case MatcherTypeISO:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchISO(parts[1]), nil
+	default:
+		return nil, errSyntax
+	}
+}
+
+func matchIP(ip net.IP) matcher {
+	return func(ip2 *acl.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) matcher {
+	return func(ip *acl.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func (cfg *MaxMindConfig) matchISO(iso string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}

internal/acl/maxmind.go

@@ -0,0 +1,281 @@
+package acl
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+var (
+	updateInterval = 24 * time.Hour
+	httpClient     = &http.Client{
+		Timeout: 10 * time.Second,
+	}
+	ErrResponseNotOK   = gperr.New("response not OK")
+	ErrDownloadFailure = gperr.New("download failure")
+)
+
+func dbPathImpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return filepath.Join(dataDir, "GeoLite2-City.mmdb")
+	}
+	return filepath.Join(dataDir, "GeoIP2-City.mmdb")
+}
+
+func dbURLimpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
+	}
+	return "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"
+}
+
+func dbFilename(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "GeoLite2-City.mmdb"
+	}
+	return "GeoIP2-City.mmdb"
+}
+
+func (cfg *MaxMindConfig) LoadMaxMindDB(parent task.Parent) gperr.Error {
+	if cfg.Database == "" {
+		return nil
+	}
+
+	path := dbPath(cfg.Database)
+	reader, err := maxmindDBOpen(path)
+	exists := true
+	if err != nil {
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+		default:
+			// ignore invalid error, just download it again
+			var invalidErr maxminddb.InvalidDatabaseError
+			if !errors.As(err, &invalidErr) {
+				return gperr.Wrap(err)
+			}
+		}
+		exists = false
+	}
+
+	if !exists {
+		cfg.logger.Info().Msg("MaxMind DB not found/invalid, downloading...")
+		reader, err = cfg.download()
+		if err != nil {
+			return ErrDownloadFailure.With(err)
+		}
+	}
+	cfg.logger.Info().Msg("MaxMind DB loaded")
+
+	cfg.db.Reader = reader
+	go cfg.scheduleUpdate(parent)
+	return nil
+}
+
+func (cfg *MaxMindConfig) loadLastUpdate() {
+	f, err := os.Stat(dbPath(cfg.Database))
+	if err != nil {
+		return
+	}
+	cfg.lastUpdate = f.ModTime()
+}
+
+func (cfg *MaxMindConfig) setLastUpdate(t time.Time) {
+	cfg.lastUpdate = t
+	_ = os.Chtimes(dbPath(cfg.Database), t, t)
+}
+
+func (cfg *MaxMindConfig) scheduleUpdate(parent task.Parent) {
+	task := parent.Subtask("schedule_update", true)
+	ticker := time.NewTicker(updateInterval)
+
+	cfg.loadLastUpdate()
+	cfg.update()
+
+	defer func() {
+		ticker.Stop()
+		if cfg.db.Reader != nil {
+			cfg.db.Reader.Close()
+		}
+		task.Finish(nil)
+	}()
+
+	for {
+		select {
+		case <-task.Context().Done():
+			return
+		case <-ticker.C:
+			cfg.update()
+		}
+	}
+}
+
+func (cfg *MaxMindConfig) update() {
+	// check for update
+	cfg.logger.Info().Msg("checking for MaxMind DB update...")
+	remoteLastModified, err := cfg.checkLastest()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to check MaxMind DB update")
+		return
+	}
+	if remoteLastModified.Equal(cfg.lastUpdate) {
+		cfg.logger.Info().Msg("MaxMind DB is up to date")
+		return
+	}
+
+	cfg.logger.Info().
+		Time("latest", remoteLastModified.Local()).
+		Time("current", cfg.lastUpdate).
+		Msg("MaxMind DB update available")
+	reader, err := cfg.download()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to update MaxMind DB")
+		return
+	}
+	cfg.db.Lock()
+	cfg.db.Close()
+	cfg.db.Reader = reader
+	cfg.setLastUpdate(*remoteLastModified)
+	cfg.db.Unlock()
+
+	cfg.logger.Info().Msg("MaxMind DB updated")
+}
+
+func (cfg *MaxMindConfig) newReq(method string) (*http.Response, error) {
+	req, err := http.NewRequest(method, dbURL(cfg.Database), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.SetBasicAuth(cfg.AccountID, cfg.LicenseKey)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (cfg *MaxMindConfig) checkLastest() (lastModifiedT *time.Time, err error) {
+	resp, err := newReq(cfg, http.MethodHead)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	lastModified := resp.Header.Get("Last-Modified")
+	if lastModified == "" {
+		cfg.logger.Warn().Msg("MaxMind responded no last modified time, update skipped")
+		return nil, nil
+	}
+
+	lastModifiedTime, err := time.Parse(http.TimeFormat, lastModified)
+	if err != nil {
+		cfg.logger.Warn().Err(err).Msg("MaxMind responded invalid last modified time, update skipped")
+		return nil, err
+	}
+
+	return &lastModifiedTime, nil
+}
+
+func (cfg *MaxMindConfig) download() (*maxminddb.Reader, error) {
+	resp, err := newReq(cfg, http.MethodGet)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	path := dbPath(cfg.Database)
+	tmpPath := path + "-tmp.tar.gz"
+	file, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.logger.Info().Msg("MaxMind DB downloading...")
+
+	_, err = io.Copy(file, resp.Body)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	file.Close()
+
+	// extract .tar.gz and move only the dbFilename to path
+	err = extractFileFromTarGz(tmpPath, dbFilename(cfg.Database), path)
+	if err != nil {
+		return nil, gperr.New("failed to extract database from archive").With(err)
+	}
+	// cleanup the tar.gz file
+	_ = os.Remove(tmpPath)
+
+	db, err := maxmindDBOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
+func extractFileFromTarGz(tarGzPath, targetFilename, destPath string) error {
+	f, err := os.Open(tarGzPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	gzr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return err
+		}
+		// Only extract the file that matches targetFilename (basename match)
+		if filepath.Base(hdr.Name) == targetFilename {
+			outFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode())
+			if err != nil {
+				return err
+			}
+			defer outFile.Close()
+			_, err = io.Copy(outFile, tr)
+			if err != nil {
+				return err
+			}
+			return nil // Done
+		}
+	}
+	return fmt.Errorf("file %s not found in archive", targetFilename)
+}
+
+var (
+	dataDir       = common.DataDir
+	dbURL         = dbURLimpl
+	dbPath        = dbPathImpl
+	maxmindDBOpen = maxminddb.Open
+	newReq        = (*MaxMindConfig).newReq
+)

internal/acl/maxmind_test.go

@@ -0,0 +1,213 @@
+package acl
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+func Test_dbPath(t *testing.T) {
+	tmpDataDir := "/tmp/testdata"
+	oldDataDir := dataDir
+	dataDir = tmpDataDir
+	defer func() { dataDir = oldDataDir }()
+
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, filepath.Join(tmpDataDir, "GeoLite2-City.mmdb")},
+		{"GeoIP2", MaxMindGeoIP2, filepath.Join(tmpDataDir, "GeoIP2-City.mmdb")},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbPath(tt.dbType); got != tt.want {
+				t.Errorf("dbPath() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_dbURL(t *testing.T) {
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"},
+		{"GeoIP2", MaxMindGeoIP2, "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbURL(tt.dbType); got != tt.want {
+				t.Errorf("dbURL() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+// --- Helper for MaxMindConfig ---
+type testLogger struct{ zerolog.Logger }
+
+func (testLogger) Info() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Warn() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Err(_ error) *zerolog.Event { return &zerolog.Event{} }
+
+func Test_MaxMindConfig_newReq(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "testid",
+		LicenseKey: "testkey",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+
+	// Patch httpClient to use httptest
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if u, p, ok := r.BasicAuth(); !ok || u != "testid" || p != "testkey" {
+			t.Errorf("basic auth not set correctly")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	resp, err := cfg.newReq(http.MethodGet)
+	if err != nil {
+		t.Fatalf("newReq() error = %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("unexpected status: %v", resp.StatusCode)
+	}
+}
+
+func Test_MaxMindConfig_checkUpdate(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	lastMod := time.Now().UTC().Format(http.TimeFormat)
+	buildTime := time.Now().Add(-time.Hour)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Last-Modified", lastMod)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	latest, err := cfg.checkLastest()
+	if err != nil {
+		t.Fatalf("checkUpdate() error = %v", err)
+	}
+	if latest.Equal(buildTime) {
+		t.Errorf("expected update needed")
+	}
+}
+
+type fakeReadCloser struct {
+	firstRead bool
+	closed    bool
+}
+
+func (c *fakeReadCloser) Read(p []byte) (int, error) {
+	if !c.firstRead {
+		c.firstRead = true
+		return strings.NewReader("FAKEMMDB").Read(p)
+	}
+	return 0, io.EOF
+}
+
+func (c *fakeReadCloser) Close() error {
+	c.closed = true
+	return nil
+}
+
+func Test_MaxMindConfig_download(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.Copy(w, strings.NewReader("FAKEMMDB"))
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	tmpDir := t.TempDir()
+	oldDataDir := dataDir
+	dataDir = tmpDir
+	defer func() { dataDir = oldDataDir }()
+
+	// Patch maxminddb.Open to always succeed
+	origOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = origOpen }()
+
+	rw := &fakeReadCloser{}
+	oldNewReq := newReq
+	newReq = func(cfg *MaxMindConfig, method string) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       rw,
+		}, nil
+	}
+	defer func() { newReq = oldNewReq }()
+
+	db, err := cfg.download()
+	if err != nil {
+		t.Fatalf("download() error = %v", err)
+	}
+	if db == nil {
+		t.Error("expected db instance")
+	}
+	if !rw.closed {
+		t.Error("expected rw to be closed")
+	}
+}
+
+func Test_MaxMindConfig_loadMaxMindDB(t *testing.T) {
+	// This test should cover both the path where DB exists and where it does not
+	// For brevity, only the non-existing path is tested here
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	oldOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = oldOpen }()
+
+	oldDBPath := dbPath
+	dbPath = func(MaxMindDatabaseType) string { return filepath.Join(t.TempDir(), "maxmind.mmdb") }
+	defer func() { dbPath = oldDBPath }()
+
+	task := task.RootTask("test")
+	defer task.Finish(nil)
+	err := cfg.LoadMaxMindDB(task)
+	if err != nil {
+		t.Errorf("loadMaxMindDB() error = %v", err)
+	}
+}

internal/acl/tcp_listener.go

@@ -0,0 +1,46 @@
+package acl
+
+import (
+	"net"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
+	if cfg == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return nil, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return nil, nil
+	}
+	return c, nil
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}

internal/acl/types/city_info.go

@@ -0,0 +1,10 @@
+package acl
+
+type City struct {
+	Location struct {
+		TimeZone string `maxminddb:"time_zone"`
+	} `maxminddb:"location"`
+	Country struct {
+		IsoCode string `maxminddb:"iso_code"`
+	} `maxminddb:"country"`
+}

internal/acl/types/ip_info.go

@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type IPInfo struct {
+	IP   net.IP
+	Str  string
+	City *City
+}

internal/acl/udp_listener.go

@@ -0,0 +1,79 @@
+package acl
+
+import (
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if cfg == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}