Version: 2.13.2304

IP Restriction

API Gateway supports restricting access by IP ranges or by multiple IP addresses. For details, refer to https://apisix.apache.org/docs/apisix/plugins/ip-restriction/

Prepare environment

Please refer to API7 EE Introduction to complete the environment preparation.

Configure the IP Restriction plugin

Following the steps in API7 EE Introduction, create a plugin template with the ip-restriction plugin enabled, using one of the following configurations.

Whitelist:

{
  "whitelist": ["127.0.0.1"]
}

Blacklist:

{
  "blacklist": ["172.17.0.1"]
}

Custom error message:

{
  "blacklist": ["172.17.0.1"],
  "message": "Unable to access this application"
}

Next, we test the whitelist, the blacklist, and the custom error message separately.

Test

Whitelist

Because the demo environment uses the Docker bridge network, which generally assigns addresses in the 172.x.x.x range, traffic from the host reaches APISIX with the source IP 172.x.0.1, the address that acts as the bridge gateway. With 127.0.0.1 as the only whitelisted address, a request sent from the host therefore fails.

curl 127.0.0.1/anything -i -H "Host: example.com"
HTTP/1.1 403 Forbidden
Date: Fri, 10 Mar 2023 09:03:24 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2304

{"message":"Your IP address is not allowed"}

When I go inside the container and send the request to 127.0.0.1, it succeeds.

docker exec <container id> curl 127.0.0.1/anything -is -H "Host: example.com"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 393
Connection: keep-alive
Date: Fri, 10 Mar 2023 09:05:12 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "example.com",
"User-Agent": "curl/7.29.0",
"X-Amzn-Trace-Id": "Root=1-640af2c8-77c5412e2016b0a130009e43",
"X-Forwarded-Host": "example.com"
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 146.190.80.65",
"url": "http://example.com/anything"
}

Blacklist

First, change the configuration in the plugin template to the blacklist configuration shown above.

curl 127.0.0.1/anything -i -H "Host: example.com"
HTTP/1.1 403 Forbidden
Date: Fri, 10 Mar 2023 09:06:55 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2304

{"message":"Your IP address is not allowed"}

docker exec <container id> curl 127.0.0.1/anything -is -H "Host: example.com"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 393
Connection: keep-alive
Date: Fri, 10 Mar 2023 09:08:13 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "example.com",
"User-Agent": "curl/7.29.0",
"X-Amzn-Trace-Id": "Root=1-640af37d-1de060e123cc72870a6cae03",
"X-Forwarded-Host": "example.com"
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 146.190.80.65",
"url": "http://example.com/anything"
}

Custom error message

curl 127.0.0.1/anything -i -H "Host: example.com"
HTTP/1.1 403 Forbidden
Date: Fri, 10 Mar 2023 10:16:24 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2304

{"message":"Unable to access this application"}
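
The three tests above can be reproduced offline with a small model of the allow/deny decision. This is an added example, not APISIX or API7 code: the `evaluate` function, the use of 172.17.0.1 as the source address of host requests, and the `172.17.0.0/16` range variant are assumptions made for illustration.

```python
import ipaddress
import json

# Default body seen in the 403 responses above
DEFAULT_MESSAGE = "Your IP address is not allowed"

def _matches(client_ip, entries):
    """True if client_ip equals an entry or falls inside a CIDR entry."""
    addr = ipaddress.ip_address(client_ip)
    # strict=False also accepts entries written with host bits set
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def evaluate(config, client_ip):
    """Return (status, body) for a request whose source address is client_ip.

    Simplified model: exactly one of "whitelist" / "blacklist" is configured.
    """
    if ("whitelist" in config) == ("blacklist" in config):
        raise ValueError("configure exactly one of whitelist or blacklist")
    if "whitelist" in config:
        denied = not _matches(client_ip, config["whitelist"])
    else:
        denied = _matches(client_ip, config["blacklist"])
    if denied:
        message = config.get("message", DEFAULT_MESSAGE)
        return 403, json.dumps({"message": message}, separators=(",", ":"))
    return 200, None  # request is passed on to the upstream

# Source addresses as the gateway sees them in the demo (constructed values)
HOST_VIA_BRIDGE = "172.17.0.1"   # host request arriving via the Docker bridge gateway
INSIDE_CONTAINER = "127.0.0.1"   # request issued with `docker exec` in the container

CONFIGS = {
    "whitelist": {"whitelist": ["127.0.0.1"]},
    "blacklist": {"blacklist": ["172.17.0.1"]},
    "custom message": {"blacklist": ["172.17.0.1"],
                       "message": "Unable to access this application"},
    # Assumed variant, not on the page: admit the bridge subnet by IP range
    "whitelist + range": {"whitelist": ["127.0.0.1", "172.17.0.0/16"]},
}

if __name__ == "__main__":
    sources = (("host", HOST_VIA_BRIDGE), ("container", INSIDE_CONTAINER))
    for name, cfg in CONFIGS.items():
        for label, ip in sources:
            status, body = evaluate(cfg, ip)
            print(f"{name:18} {label:9} {ip:11} -> {status} {body or ''}")
```

In this demo every request from the host arrives with the bridge gateway address, so a whitelist entry that covers that address admits all of those requests rather than one specific client.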
