Block Bad IP Addresses from APIs
To protect APIs from clients you have already identified as malicious, you can configure a blacklist of IP addresses (single addresses or CIDR ranges) and have the gateway reject every request that comes from a listed address.
In this guide, you will enable the ip-restriction plugin as a global rule to build a shared IP address blacklist. If the client's IP address is on the blacklist, the request is rejected with a 403 error response before it reaches any upstream. The address checked against the list is the direct client IP address, or, when the gateway sits behind proxies, the client address recovered from the X-Forwarded-For header. Only rely on that header when it is set by proxies you control and the gateway is configured to accept it from their addresses alone; otherwise X-Forwarded-For is an attacker-controlled value, and honoring it blindly lets a banned client bypass the list by sending a forged header.
Prerequisites
- Obtain a user account with Super Admin or API Provider role.
- Publish a service.
Set Up Shared IP Address Blacklist for All APIs
Once you see a malicious IP address attacking one of your APIs, add it to a shared blacklist so that your other APIs are protected as well.
Select Gateway Groups from the side navigation bar and then select Test Group.
In the Plugins field, search for the ip-restriction plugin. Click the Plus icon (+) and a dialog box appears.
Apply the following configuration to add the IP address 127.0.0.1 to the blacklist:
{
  "blacklist": ["127.0.0.1"],
  "message": "Sorry, your IP address is not allowed."
}
Entries in blacklist can be single addresses or CIDR ranges (for example 203.0.113.0/24), and the configured message is returned as error_msg in the body of the rejected response.
Click Enable.
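To make the decision the gateway takes concrete, the following is an added example written for this guide, not code from the ip-restriction plugin or from APISIX: a Python model of the blacklist check, including how a client address is recovered from X-Forwarded-For only when the direct peer is one of a set of trusted proxies. The blacklist entries, the trusted proxy range and the sample requests are constructed values and do not appear on the page.

```python
import ipaddress

# Constructed example values, not taken from the page:
# the deny list, in the same shape as the plugin's "blacklist" field
# (single addresses or CIDR ranges) ...
BLACKLIST = ["127.0.0.1", "203.0.113.0/24"]
# ... and the reverse proxies in front of the gateway whose
# X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = ["10.0.0.0/8"]
DENY_MESSAGE = "Sorry, your IP address is not allowed."


def _networks(entries):
    """Parse a list of IPs / CIDRs into network objects (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_any(ip, networks):
    return any(ip in n for n in networks)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Decide which address the blacklist is checked against.

    The direct peer (remote_addr) is the only address known to be genuine.
    X-Forwarded-For is consulted only when that peer is one of our trusted
    proxies; we then walk the header right to left, skipping further trusted
    proxies, and stop at the first hop we do not trust. Anything an attacker
    prepends on the left is never reached, and a header sent directly by an
    untrusted peer is ignored.
    """
    trusted = _networks(trusted_proxies)
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not _in_any(peer, trusted):
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed header: treat it as absent and check the direct peer.
            return peer
        if not _in_any(candidate, trusted):
            return candidate
        client = candidate
    return client


def check_request(remote_addr, x_forwarded_for=None,
                  blacklist=BLACKLIST, trusted_proxies=TRUSTED_PROXIES):
    """Return (status, body) as the gateway would answer: 403 with the configured
    message for a blacklisted client, otherwise 200 and None (request is proxied)."""
    client_ip = resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    if _in_any(client_ip, _networks(blacklist)):
        return 403, {"error_msg": DENY_MESSAGE}
    return 200, None


if __name__ == "__main__":
    # Constructed requests covering the page's test plus two forged-header cases.
    for peer, xff in [
        ("127.0.0.1", None),                      # the page's test: blocked
        ("203.0.113.5", "192.0.2.10"),            # banned client forges XFF directly: still blocked
        ("10.1.2.3", "203.0.113.5"),              # banned client behind our proxy: blocked
        ("10.1.2.3", "203.0.113.5, 192.0.2.10"),  # attacker-controlled leftmost hop ignored: allowed
    ]:
        print(peer, xff, "->", check_request(peer, xff))
```

The same two forged-header cases are worth replaying against the real gateway once the plugin is enabled: if the gateway is configured to derive the client address from X-Forwarded-For, send the request from a blocked address with a forged header naming an allowed one and confirm it is still rejected with 403.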
Validate
Send an API request:
curl -i "http://127.0.0.1:9080/pet/1"
Since 127.0.0.1 is on the blacklist, the request is rejected before it reaches the service and you will see output similar to the following:
HTTP/1.1 403 Forbidden
Date: Fri, 01 Sep 2023 03:48:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: APISIX/dev
{"error_msg":"Sorry, your IP address is not allowed."}