IP Blocklist Policy

Policy Name | IP Blocklist |
---|---|
Summary | Blocks a single IP address or a range of IP addresses from accessing an API endpoint |
Category | Security |
First Flex Gateway version available | v1.0.0 |
Returned Status Codes | 403 - IP is rejected |

Summary

The IP Blocklist policy controls access to a configured API endpoint from either a single IP address or a range of IP addresses.

The IP Blocklist policy restricts access to a protected resource when a match is found between a source IP (specified when configuring the policy) and either a list of individual IPs or a range of IPs. The policy supports both IPv4 and IPv6 addresses.

DataWeave 2.0 expressions define the source IP to be used when the policy tries to determine whether the IP belongs to the restricted IP list defined in the policy.

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the IP Blocklist policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

```yaml
- policyRef:
    name: ip-blocklist-flex
  config:
    ips: <array> # REQUIRED
    ipExpression: <string> # OPTIONAL, default: "#[attributes.headers['x-forwarded-for']]"
```

Parameter | Required or Optional | Default Value | Description |
---|---|---|---|
`ips` | Required | N/A | The list of IP addresses blocked from the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Blocklist in the Policy. |
`ipExpression` | Optional | `#[attributes.headers['x-forwarded-for']]` | The DataWeave 2.0 expression used to extract the IP address from this API request. |
Flex Gateway Connected Mode

When you apply the IP Blocklist policy to your API from the UI, configure the following parameters:

Parameter | Description |
---|---|
IP expression | The DataWeave 2.0 expression used for extracting the IP address from this API request. |
Blocklist | The list of IP addresses blocked from the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Blocklist in the Policy. |
Method & Resource conditions | The option to add configurations either to a select few or to all methods and resources of the API. |
Specifying IP Addresses to Blocklist in the Policy

Specify IP addresses to block in your policy based on:

- The IP address of the request.
- The origin IP address that is determined by resolving a specific DataWeave expression, such as the X-Forwarded-For header.
- Any other origin.
Blocklist Access Based on the IP Address of the Request

Blocklist access based on the IP address of the request in any of the following ways:

- Define a specific IP address by entering it in the field, for example, `192.168.1.1`.
- Define a subset of addresses by specifying a subnet mask, for example, `192.168.3.1/30` includes the consolidated range `192.168.3.0` through `192.168.3.3`.
- Define a whole range of IP addresses by specifying only the leading octets of the addresses you want to block, for example, setting `192.168` includes IP addresses from `192.168.0.0` through `192.168.255.255`.
Blocklist Access Based on the Origin IP Address of the X-Forwarded-For Header

If the client connects to your API through an HTTP proxy or a load balancer, you can blocklist the client's specific IP address (the IP address originating the request) instead of the address that appears in the request.

For example, if you want to blocklist `192.168.2.3` and that client connects through an HTTP proxy whose address is `92.40.1.255`, the client's requests appear to come from the proxy's public address rather than from `192.168.2.3`.

Typically, applications use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint. You can use a DataWeave 2.0 expression in the policy to instruct the service to look for the IP address in the X-Forwarded-For header.

When you insert that expression in the IP expression field of the policy parameters, Anypoint Platform is instructed to look for the starting IP address in the concatenated values of the X-Forwarded-For header of the request.
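The three blocklist entry forms (single IP, subnet mask, leading octets) and the X-Forwarded-For lookup described above, modelled as an added Python example that is not Flex Gateway's own code; it assumes the default expression yields the first comma-separated header value and that a partial entry such as `192.168` is zero-padded to a prefix:

```python
import ipaddress

# Constructed example, not Flex Gateway's own implementation: it models the three
# blocklist entry forms the page describes and the default X-Forwarded-For lookup.


def entry_to_network(entry: str):
    """Convert one blocklist entry into a network object.

    '192.168.1.1'    -> single host (/32)
    '192.168.3.1/30' -> CIDR; host bits dropped, covers 192.168.3.0 - 192.168.3.3
    '192.168'        -> leading octets, zero-padded, covers 192.168.0.0 - 192.168.255.255
    IPv6 entries such as '2001:db8::/32' are passed straight to ip_network.
    """
    if "/" in entry or ":" in entry or entry.count(".") == 3:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported blocklist entry: {entry!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def source_ip(headers: dict, peer_ip: str, header: str = "x-forwarded-for") -> str:
    """Resolve the source IP the way the default ipExpression does: the first
    (leftmost) value of X-Forwarded-For, falling back to the TCP peer address.
    Any client can send this header, so rely on it only when a proxy or load
    balancer you control rewrites it before the request reaches the gateway."""
    lowered = {name.lower(): value for name, value in headers.items()}
    first = lowered.get(header.lower(), "").split(",")[0].strip()
    return first or peer_ip


def is_blocked(blocklist: list, headers: dict, peer_ip: str) -> bool:
    """True when the resolved source IP matches any entry (the policy answers 403)."""
    ip = ipaddress.ip_address(source_ip(headers, peer_ip))
    # An IPv4 address never matches an IPv6 network and vice versa.
    return any(ip in entry_to_network(entry) for entry in blocklist)


if __name__ == "__main__":
    # Constructed blocklist using every entry form from the page.
    blocklist = ["192.168.1.1", "192.168.3.1/30", "10.0", "2001:db8::/32"]
    direct = is_blocked(blocklist, {}, "192.168.3.3")
    proxied = is_blocked(blocklist, {"X-Forwarded-For": "192.168.1.1, 92.40.1.255"}, "92.40.1.255")
    print(f"direct client blocked: {direct}, proxied client blocked: {proxied}")
```

The last case shows why the header must only be trusted behind a proxy you control: the decision follows the header value, not the peer address that actually connected.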