4.6 KiB
title |
---|
ip-restriction |
Summary
Name
The ip-restriction
can restrict access to a Service or a Route by either
whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges
in CIDR notation like 10.10.10.0/24 can be used.
Attributes
Name | Type | Requirement | Default | Valid | Description |
---|---|---|---|---|---|
whitelist | array[string] | optional | List of IPs or CIDR ranges to whitelist. | ||
blacklist | array[string] | optional | List of IPs or CIDR ranges to blacklist. | ||
message | string | optional | Your IP address is not allowed. | [1, 1024] | Message returned in case IP access is not allowed. |
One of whitelist
or blacklist
must be specified, and they can not work together.
The message can be user-defined.
How To Enable
Creates a route or service object, and enable plugin ip-restriction
.
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"ip-restriction": {
"whitelist": [
"127.0.0.1",
"113.74.26.106/24"
]
}
}
}'
Default returns {"message":"Your IP address is not allowed"}
when unallowed IP access. If you want to use a custom message, you can configure it in the plugin section.
"plugins": {
"ip-restriction": {
"whitelist": [
"127.0.0.1",
"113.74.26.106/24"
],
"message": "Do you want to do something bad?"
}
}
Test Plugin
Requests from 127.0.0.1
:
$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 200 OK
...
Requests from 127.0.0.2
:
$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}
Change the restriction
When you want to change the whitelisted ip, it is very simple, you can send the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"ip-restriction": {
"whitelist": [
"127.0.0.2",
"113.74.26.106/24"
]
}
}
}'
Test Plugin after restriction change
Requests from 127.0.0.2
:
$ curl http://127.0.0.2:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 200 OK
...
Requests from 127.0.0.1
:
$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}
Disable Plugin
When you want to disable the ip-restriction
plugin, it is very simple,
you can delete the corresponding json configuration in the plugin configuration,
no need to restart the service, it will take effect immediately:
$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value='
{
"uri": "/index.html",
"plugins": {},
"upstream": {
"type": "roundrobin",
"nodes": {
"39.97.63.215:80": 1
}
}
}'
The ip-restriction
plugin has been disabled now. It works for other plugins.