IP Blacklist

Policy Name

IP Blacklist

Summary

Blocks a single IP address or a range of IP addresses from accessing an API endpoint

Category

Security

First Mule version available

v3.8.0

Returned Status Codes

403 - IP is rejected

The IP Blacklist policy controls access to a configured API endpoint from a single IP address or a range of IP addresses.

The IP Blacklist policy restricts access to a protected resource when a match is found between a source IP (specified when configuring the policy) and a list of individual IPs or range of IPs.

Based on your business need, you can specify a DataWeave 2.0 expression for Mule runtime engine 4 (Mule) or MEL expression for Mule 3. You specify the expression to define the source IP to be used when the policy tries to determine whether the IP belongs to the restricted IP list defined in the policy.

Specifying IP Addresses to Blacklist in the Policy

You can specify the IP addresses to block in the policy in the following ways:

  • Blacklist access based on the IP address of the request.

  • Blacklist access based on the origin IP address that is determined by resolving a specific DataWeave or MEL expression, such as the x-Forwarded-For header.

  • Any other origin.

Blacklist Access Based on the IP Address of the Request

To blacklist access based on the IP address of the request, you can:

  • Define a specific IP address by enumerating it in the white space, for example, 192.168.1.1.

  • Define a subset of addresses by identifying a subnet mask.

    For example, 192.168.3.1/30 includes the consolidated range 192.168.3.0 through 192.168.3.3.

  • Define a whole range of IP addresses by specifying the relevant octets of the IP address that you want to permit.

    For example, setting 192.168 will include IP addresses from 192.168.0.0 through 192.168.255.255.

Blacklist Access Based on the Origin IP Address of the x-Forwarded-For Header

If the client connects to your API through an HTTP proxy or a load balancer, you can blacklist the client’s specific IP address (the IP address originating the request) instead of the address that appears in the request

For example, if you want to blacklist 192.168.2.3 and the address of a client connecting through an HTTP proxy is 92.40.1.255, the client requests appear with the public address using the proxy.

Typically, applications use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint.

You can use a DataWeave 2.0 or MEL expression to instruct the service to look for the IP address in the 'x-Forwarded-For' header:

#[message.inboundProperties['http.headers']['X-Forwarded-For']]

When you insert the IP address in the IP expression field of the policy parameters, Anypoint Platform is instructed to look at the first IP address that ranks in the concatenated values of the x-Forwarded-For header of the request:

ip+blacklist+ip_expression

Configuring Policy Parameters

When you apply the IP Blacklist policy to your API from the UI, you can configure the following parameters:

Parameter Description

IP expression

The DataWeave 2.0 or MEL expression to be used for extracting the IP address from this API request.

Blacklist

The list of IP addresses blocked from the API. You can define one IP or an IP range at a time, as many times required. For more information, see Specifying IP Addresses to Blacklist in the Policy.

Method & Resource conditions

The option to add configurations to only a select few or all methods and resources of the API.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub