Use the IP Restriction policy to restrict access based on the client IP address of the request. If the request does not meet the configured requirements, it is rejected with a 403 Forbidden error.
Restricting access to Tasks based on the client’s IP address is an extra layer of security for protecting your Snaplex nodes. By analyzing the access logs on the nodes, you can determine the range of IP addresses in use, and you can configure this policy accordingly.
Note | title | Load Balancer Prerequisite
---|
Info |
We return the IP address of the client or last proxy that sent the request. |
Note | ||
---|---|---|
| ||
You must configure the Groundplex load balancer correctly to forward the client IP address to the API endpoint. Only when the client IP address is captured correctly can the blocked IP address be displayed accurately in the error message for the 403 error. |
NOTE: You cannot use request.remoteUser
or request.isUserInRole()
functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.
Policy Execution Order
This IP Restriction policy executes early in request processing to limit the effects of excessive requests from blocked IP addresses.
Multiexcerpt include macro | ||||
---|---|---|---|---|
|
Parameter Name | Description | Default Value | Example |
---|---|---|---|
Label | Required. The name for the API policy. | IP Restriction | IP-Restriction-DevShared |
When this policy should be applied | An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. | True | request.method == “POST” |
Allowlist IPs | The list of IP ranges that are to be allowed. If empty, only the Denylist ranges will be considered. | N/A | N/A |
Start IP | The starting IP address of the range. | N/A | 203.0.113.0 |
End IP | The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively allowing only that IP address. | N/A | 203.0.113.8 |
Description | The description of the range. | N/A | DevShared |
Denylist IPs | The list of IP ranges that are to be blocked. If there are also IPs on the Allowlist, the Denylist takes precedence. | N/A | N/A |
Start IP | The starting IP address of the range. | N/A | 192.0.2.10 |
End IP | The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively allowing only that IP address. | N/A | 192.0.2.11 |
Description | The description of the range. | N/A | 3rd_party_users |