To Apply IP Whitelist (Nov 2017 and Jul 2017)

The IP Whitelist policy allows a list or range of IP addresses to access and interact with a configured API endpoint.

Whitelisting IP addresses to access your API endpoint

You can set up access in the following ways:

  • Access based on the IP address of the request

  • Access based on the origin IP address of the X-Forwarded-For header

Whitelisting Based on the IP Address of the Request

  1. Click the version (Nov 2017) or instance (Jul 2017) number of an API.

  2. On the API dashboard, click Policies.

    The list of any applied policies appears.

  3. Click Apply New Policy.

  4. In Select Policy, choose IP Whitelist, and click Configure Policy.

  5. Specify an address or a range of addresses as follows:

    • Define a specific IP address. For example, 192.168.1.1.

    • Define a subset of addresses by identifying a subnet mask, such as 192.168.3.1/30. This includes the consolidated range: 192.168.3.0 - 192.168.3.3.

    • Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit. For example, setting 192.168 will include IP addresses from 192.168.0.0 to 192.168.255.255.

To whitelist a list of IP addresses:

  1. Enter one or more IP addresses in Whitelist.

  2. Click +.

    The greyed-out IP address and a deletion control appear below the Whitelist text entry field.

  3. Click Apply.

Whitelisting Based on the Origin IP Address of the X-Forwarded-For Header

If a client connects to an API through an HTTP proxy or a load-balancer, you might want to whitelist your client’s specific IP, which is the IP originating the request, instead of the address that appears in the request. For example, if you want to whitelist 192.168.2.3 and this client is connecting through HTTP proxy 92.40.1.255, the request appears with the latter, public address. As a workaround, use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint.

To whitelist the IP address of an originating request using X-Forwarded-For header:

  1. In Apply "IP whitelist" Policy, use a Mule expression in IP Expression to instruct the service to look for the originating IP address in the 'X-Forwarded-For' header of the Mule message:

    #[message.inboundProperties.'X-Forwarded-For']
  2. In Whitelist, enter one or more IP addresses that appear in the request. Click +.

  3. Click Apply.

API Manager uses the first IP address in the concatenated values of the 'X-Forwarded-For' header of the request.
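
The following Python sketch is an added example, not API Manager's own code. It models the two behaviours described above: matching an address against the three entry forms (single address, subnet, leading octets) and evaluating only the first address of the X-Forwarded-For value. The function names are hypothetical, it handles IPv4 entries only, and reading "192.168" as 192.168.0.0/16 is an assumption taken from the range given in the text.

```python
import ipaddress

def entry_to_network(entry):
    """Turn one whitelist entry (address, CIDR, or leading octets) into a network."""
    entry = entry.strip()
    if "/" in entry:
        # strict=False tolerates host bits: 192.168.3.1/30 -> 192.168.3.0/30
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 address or octet prefix: {entry!r}")
    # Assumption: "192.168" means 192.168.0.0/16; a full address becomes a /32.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def first_forwarded_ip(header_value):
    """Return the first (leftmost) address of an X-Forwarded-For value."""
    return ipaddress.ip_address(header_value.split(",")[0].strip())

def is_allowed(whitelist, remote_addr, x_forwarded_for=None):
    """Evaluate the whitelist against the header's first address when one is
    passed (modelling the IP Expression), otherwise against the request address."""
    try:
        if x_forwarded_for is not None:
            client = first_forwarded_ip(x_forwarded_for)
        else:
            client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: deny
    return any(client in entry_to_network(e) for e in whitelist)

if __name__ == "__main__":
    # Constructed sample requests using the addresses from the text above.
    wl = ["192.168.2.3"]
    print(is_allowed(wl, "92.40.1.255"))                  # proxy address only
    print(is_allowed(wl, "92.40.1.255", "192.168.2.3"))   # header consulted
    print(is_allowed(wl, "92.40.1.255", "10.0.0.5, 192.168.2.3"))
```

Because only the leftmost header entry is evaluated, the decision is only as trustworthy as the component that wrote that entry. Have the proxy or load balancer you control set the header rather than pass through a value received from upstream.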