Skip to content

Latest commit

 

History

History
173 lines (143 loc) · 4.6 KB

ip-restriction.md

File metadata and controls

173 lines (143 loc) · 4.6 KB
title
ip-restriction

Summary

Name

The ip-restriction can restrict access to a Service or a Route by either whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges in CIDR notation like 10.10.10.0/24 can be used.

Attributes

Name Type Requirement Default Valid Description
whitelist array[string] optional List of IPs or CIDR ranges to whitelist.
blacklist array[string] optional List of IPs or CIDR ranges to blacklist.
message string optional Your IP address is not allowed. [1, 1024] Message returned in case IP access is not allowed.

One of whitelist or blacklist must be specified, and they can not work together. The message can be user-defined.

How To Enable

Creates a route or service object, and enable plugin ip-restriction.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.1",
                "113.74.26.106/24"
            ]
        }
    }
}'

Default returns {"message":"Your IP address is not allowed"} when unallowed IP access. If you want to use a custom message, you can configure it in the plugin section.

"plugins": {
    "ip-restriction": {
        "whitelist": [
            "127.0.0.1",
            "113.74.26.106/24"
        ],
        "message": "Do you want to do something bad?"
    }
}

Test Plugin

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 200 OK
...

Requests from 127.0.0.2:

$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Change the restriction

When you want to change the whitelisted ip, it is very simple, you can send the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.2",
                "113.74.26.106/24"
            ]
        }
    }
}'

Test Plugin after restriction change

Requests from 127.0.0.2:

$ curl http://127.0.0.2:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 200 OK
...

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Disable Plugin

When you want to disable the ip-restriction plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'

The ip-restriction plugin has been disabled now. It works for other plugins.