Restrict IP Addresses from APIs
You can configure access controls based on IP addresses to prevent unwanted users from accessing your APIs.
This guide will walk you through configuring the ip-restriction plugin on a gateway group to block IP addresses in a blacklist. If a request comes from an IP address in the blacklist, the API7 Gateway will deny the request with a 403 response code. The IP address of the request can be either the actual client IP address or the X-Forwarded-For address.
Prerequisite(s)
- Have at least one gateway instance in your gateway group.
Configure IP Address Restriction on a Gateway Group
When malicious actors are identified, add their IP addresses to the blacklist to restrict their access to your APIs.
Dashboard

1. Select the gateway group where your service is located.
2. Select Plugin Settings from the side navigation bar and select Plugin Global Rules.
3. In the Plugins field, search for the ip-restriction plugin.
4. Click the Plus icon (+).
5. In the dialog box that appears, add the following configuration to the JSON Editor to add the IP address 127.0.0.1 to the blacklist:

       {
         "blacklist": ["127.0.0.1"],
         "message": "Sorry, your IP address is not allowed."
       }

6. Click Enable.
ADC

To use ADC to configure IP restriction, create the following configuration:

    services:
      - name: httpbin API
        upstream:
          name: default
          scheme: http
          nodes:
            - host: httpbin.org
              port: 80
              weight: 100
        routes:
          - uris:
              - /ip
            name: security-ip
            methods:
              - GET
    global_rules:
      ip-restriction:
        _meta:
          disable: false
        blacklist:
          - 127.0.0.1
        message: Sorry, your IP address is not allowed.

Synchronize the configuration to API7 Enterprise:

    adc sync -f adc.yaml
Validate
Send a request from the restricted IP address. For this example, 127.0.0.1 was configured as a blacklisted IP address:

    curl -i "http://127.0.0.1:9080/ip"
You will receive a 403 Forbidden response with the following message:

    {"error_msg":"Sorry, your IP address is not allowed."}
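The introduction notes that the address checked can be either the actual client IP address or the X-Forwarded-For address. The following Python sketch is an added illustration, not API7 Gateway code: it models a blacklist decision in which X-Forwarded-For is honored only when the connection arrives from a trusted proxy, so a header set by the client cannot change which address is checked. The trusted proxy range, the sample addresses, the CIDR blacklist entry and all function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample values; assumptions for this illustration only.
BLACKLIST = ["127.0.0.1", "203.0.113.0/24"]   # one address, one CIDR range
TRUSTED_PROXIES = ["10.0.0.0/8"]              # hypothetical load balancer range
MESSAGE = "Sorry, your IP address is not allowed."


def parse_nets(entries):
    """Turn single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_any(ip, nets):
    return any(ip in net for net in nets)


def effective_client_ip(peer, xff, trusted):
    """Pick the address to evaluate.

    The socket peer is used unless it is a trusted proxy. Only then is
    X-Forwarded-For read, right to left, stopping at the first hop that is
    not itself a trusted proxy; anything further left is client-supplied.
    """
    ip = ipaddress.ip_address(peer)
    if not xff or not in_any(ip, trusted):
        return ip  # header ignored: sender is not a known proxy
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return ip  # malformed entry: fall back to last verified address
        if not in_any(candidate, trusted):
            return candidate
        ip = candidate
    return ip


def decide(peer, xff=None, blacklist=BLACKLIST, trusted=TRUSTED_PROXIES):
    """Return (status, body) for a request, mirroring the 403 denial."""
    ip = effective_client_ip(peer, xff, parse_nets(trusted))
    if in_any(ip, parse_nets(blacklist)):
        return 403, {"error_msg": MESSAGE}
    return 200, None
```

When validating a deployment, repeat the curl check both directly and through each proxy tier to confirm which address the rule is actually evaluating.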