The `ip-restriction` plugin restricts access to a Service or a Route by either
whitelisting or blacklisting IP addresses. Single IPs, multiple IPs, or ranges
in CIDR notation such as `10.10.10.0/24` can be used.

Name | Type | Requirement | Valid | Description |
---|---|---|---|---|
whitelist | array[string] | optional | | List of IPs or CIDR ranges to whitelist. |
blacklist | array[string] | optional | | List of IPs or CIDR ranges to blacklist. |

One of `whitelist` or `blacklist` must be specified, and the two cannot be used together.

Create a route or service object and enable the `ip-restriction` plugin.

```yaml
- match:
    prefix: "/bar"
  route:
    cluster: web_service
  typed_per_filter_config:
    envoy.filters.http.lua:
      "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
      name: entry.lua
  metadata:
    filter_metadata:
      envoy.filters.http.lua:
        plugins:
        - name: ip-restriction
          conf:
            whitelist:
            - 127.0.0.1
            - 113.74.26.106/24
```

Requests from `127.0.0.1`:

```shell
$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 200 OK
...
```

Requests from `127.0.0.2`:

```shell
$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}
```

To disable the `ip-restriction` plugin, delete the corresponding YAML configuration from the route metadata.
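
The following Python sketch is an added example, not the plugin's own code. It can be used to review an `ip-restriction` conf before deploying it: it enforces the rule that exactly one of `whitelist` or `blacklist` is set, shows the range each entry really covers, and predicts the allow/deny decision for a client IP. The function names are hypothetical, and it assumes entries with host bits set (such as `113.74.26.106/24` above) are masked to their network in the standard CIDR way.

```python
import ipaddress

# Conf copied from the route metadata example on this page.
PAGE_CONF = {"whitelist": ["127.0.0.1", "113.74.26.106/24"]}


def load_conf(conf):
    """Validate a conf dict and return (mode, parsed networks)."""
    has_allow = bool(conf.get("whitelist"))
    has_deny = bool(conf.get("blacklist"))
    # Exactly one list must be present; both or neither is a config error.
    if has_allow == has_deny:
        raise ValueError("specify exactly one of whitelist or blacklist")
    mode = "whitelist" if has_allow else "blacklist"
    # strict=False masks host bits: 113.74.26.106/24 -> 113.74.26.0/24.
    # A bare IP becomes a /32 (or /128 for IPv6) network.
    nets = [ipaddress.ip_network(entry, strict=False) for entry in conf[mode]]
    return mode, nets


def effective_ranges(conf):
    """Return the normalized ranges, so an over-broad entry is visible."""
    _, nets = load_conf(conf)
    return [str(n) for n in nets]


def is_allowed(conf, client_ip):
    """Predict whether a request from client_ip passes the restriction."""
    mode, nets = load_conf(conf)
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr.version == n.version and addr in n for n in nets)
    # Whitelist: only matches pass. Blacklist: only non-matches pass.
    return matched if mode == "whitelist" else not matched


if __name__ == "__main__":
    print(effective_ranges(PAGE_CONF))
    for ip in ("127.0.0.1", "127.0.0.2", "113.74.26.1", "113.74.27.1"):
        print(ip, "200" if is_allowed(PAGE_CONF, ip) else "403")
```

Reviewing the output of `effective_ranges` shows that the second whitelist entry admits the whole `113.74.26.0/24` network, not only `113.74.26.106`.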