Nav

IP Whitelist

The IP Whitelist policy allows a list or range of IP addresses to access and interact with a configured API endpoint.

Whitelisting IP addresses to access your API endpoint

You can set up access in the following ways:

  • Access based on the IP address of the request

  • Access based on the origin IP address of the x-Forwarded-For header

Whitelisting Based on the IP address of the Request

You can specify an address or a range or addresses as follows:

  • Define a specific IP address. For example, 192.168.1.1.

  • Define a subset of addresses by identifying a subnet mask, such as 192.168.3.1/30. This includes the consolidated range: 192.168.3.0 - 192.168.3.3.

  • Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit. For example, setting 192.168 will include IP addresses from 192.168.0.0 to 192.168.255.255.

To whitelist a list of IP addresses:

  1. Enter one or more IP addresses in Whitelist.

    ip-whitelist-051a0
  2. Click +.

    The greyed-out IP address and a deletion control appears below the Whitelist text entry field.

    ip-whitelist-1b671
  3. Click Apply.

Whitelisting Based on the Origin IP Address of the x-Forwarded-For Header

If a client connects to an API through an HTTP proxy or a load-balancer, you might want to whitelist your client’s specific IP, which is the IP originating the request, instead of the address that appears in the request. This is the case for APIs deployed in CloudHub per the architecture illustrated in CloudHub Networking Guide For example, if you want to whitelist 192.168.2.3 and this client is connecting through HTTP proxy 92.40.1.255, the request appears with the latter, public address. As a workaround, use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint.

To whitelist the IP address of an originating request using X-Forwarded-For header:

  1. In the Apply "IP whitelist" policy dialog, use a Mule expression in IP Expression to instruct the service to look for the originating IP address in the 'x-Forwarded-For' header of the Mule message:

    #[message.inboundProperties.'X-Forwarded-For’]
  2. In Whitelist, enter one or more IP addresses that appear in the request. Click +.

  3. Click Apply.

API Manager looks at the first IP address that ranks in the concatenated values of the 'X-Forwarded-For' header of the request.