Version: 3.2.9.5

Block Bad IP Addresses from APIs

To secure APIs against attacks from banned IP addresses, you can configure a blacklist that blocks requests from those specific IP addresses.

In this guide, you will enable the ip-restriction plugin as a global rule to build a shared IP address blacklist. If an IP address is in the blacklist, the request is denied with a 403 error response. The IP address checked against the list is either the direct client IP address or the X-Forwarded-For address, depending on the proxy levels.

Prerequisites

  1. Obtain a user account with Super Admin or API Provider role.
  2. Publish a service.

Set Up Shared IP Address Blacklist for All APIs

Once you recognize that a malicious IP address is attacking one of your APIs, add this IP address to a shared blacklist to protect the other APIs.

  1. Select Gateway Groups from the side navigation bar and then select Test Group.

  2. In the Plugins field, search for the ip-restriction plugin.

  3. Click the Plus icon (+) and a dialog box appears.

  4. Apply the following configurations to add the IP address 127.0.0.1 to the blacklist:

    {
      "blacklist": ["127.0.0.1"],
      "message": "Sorry, your IP address is not allowed."
    }

  5. Click Enable.

Validate

Send an API request:

curl -i "http://127.0.0.1:9080/pet/1" 

Since the IP address is restricted by the blacklist, the request is denied and you will see the following output:

HTTP/1.1 403 Forbidden
Date: Fri, 01 Sep 2023 03:48:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: APISIX/dev

{"error_msg":"Sorry, your IP address is not allowed."}
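
The guide notes that the address checked against the blacklist is either the direct client IP address or the X-Forwarded-For address, depending on the proxy levels. The following Python sketch is an added example, not API7 or APISIX code, that models that selection and the blacklist check so you can see why the proxy level must match the number of proxies you actually operate. The function names, the `trusted_hops` parameter, CIDR matching, and all sample addresses are assumptions made for illustration.

```python
import ipaddress

def effective_client_ip(remote_addr, x_forwarded_for, trusted_hops):
    """Pick the address to check. trusted_hops (hypothetical name) is the
    number of proxies you operate in front of the gateway; 0 means use the
    direct TCP peer and ignore the X-Forwarded-For header."""
    if trusted_hops == 0 or not x_forwarded_for:
        return remote_addr
    # Each proxy appends the peer it saw, so the chain reads
    # client-supplied ... real client, proxy1, ..., direct peer.
    chain = [p.strip() for p in x_forwarded_for.split(",") if p.strip()]
    chain.append(remote_addr)
    # Step back over the trusted proxies; anything further left was
    # supplied by the client and is unverified.
    candidate = chain[max(len(chain) - 1 - trusted_hops, 0)]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # malformed header entry: fall back to the peer

def is_blocked(ip, blacklist):
    """True if ip matches an entry (single address or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in blacklist)

def check_request(remote_addr, x_forwarded_for, trusted_hops, config):
    """Return (status, message) the way the guide describes: 403 when blocked."""
    ip = effective_client_ip(remote_addr, x_forwarded_for, trusted_hops)
    if is_blocked(ip, config["blacklist"]):
        return 403, config["message"]
    return 200, None

# Constructed sample data (documentation address ranges, not real hosts).
CONFIG = {"blacklist": ["203.0.113.7"],
          "message": "Sorry, your IP address is not allowed."}

if __name__ == "__main__":
    xff = "198.51.100.9, 203.0.113.7"  # first entry is client-supplied
    for hops in (0, 1, 2):
        print(hops, check_request("10.0.0.5", xff, hops, CONFIG))
```

With one proxy in front of the gateway, only `trusted_hops=1` selects the address that proxy actually observed; 0 checks the proxy itself and 2 checks a value the client wrote, so the blacklisted address is not matched in either case.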
