Skip to main content
Version: 2.13

ip-restriction

Description#

The ip-restriction can restrict access to a Service or a Route by either whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges in CIDR notation like 10.10.10.0/24 can be used.

Attributes#

NameTypeRequirementDefaultValidDescription
whitelistarray[string]optionalList of IPs or CIDR ranges to whitelist.
blacklistarray[string]optionalList of IPs or CIDR ranges to blacklist.
messagestringoptionalYour IP address is not allowed.[1, 1024]Message returned in case IP access is not allowed.

One of whitelist or blacklist must be specified, and they can not work together. The message can be user-defined.

How To Enable#

Creates a route or service object, and enable plugin ip-restriction.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.1",
                "113.74.26.106/24"
            ]
        }
    }
}'

Default returns {"message":"Your IP address is not allowed"} when unallowed IP access. If you want to use a custom message, you can configure it in the plugin section.

"plugins": {
    "ip-restriction": {
        "whitelist": [
            "127.0.0.1",
            "113.74.26.106/24"
        ],
        "message": "Do you want to do something bad?"
    }
}

Test Plugin#

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 200 OK
...

Requests from 127.0.0.2:

$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Change the restriction#

When you want to change the whitelisted ip, it is very simple, you can send the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.2",
                "113.74.26.106/24"
            ]
        }
    }
}'

Test Plugin after restriction change#

Requests from 127.0.0.2:

$ curl http://127.0.0.2:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 200 OK
...

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Disable Plugin#

When you want to disable the ip-restriction plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'

The ip-restriction plugin has been disabled now. It works for other plugins.