Skip to main content
Version: 2.6

ip-restriction

Summary#

Name#

The ip-restriction can restrict access to a Service or a Route by either whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges in CIDR notation like 10.10.10.0/24 can be used.

Attributes#

NameTypeRequirementDefaultValidDescription
whitelistarray[string]optionalList of IPs or CIDR ranges to whitelist.
blacklistarray[string]optionalList of IPs or CIDR ranges to blacklist.

One of whitelist or blacklist must be specified, and they can not work together.

How To Enable#

Creates a route or service object, and enable plugin ip-restriction.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "uri": "/index.html",    "upstream": {        "type": "roundrobin",        "nodes": {            "127.0.0.1:1980": 1        }    },    "plugins": {        "ip-restriction": {            "whitelist": [                "127.0.0.1",                "113.74.26.106/24"            ]        }    }}'

Test Plugin#

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -iHTTP/1.1 200 OK...

Requests from 127.0.0.2:

$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2HTTP/1.1 403 Forbidden...{"message":"Your IP address is not allowed"}

Change the restriction#

When you want to change the whitelisted ip, it is very simple, you can send the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "uri": "/index.html",    "upstream": {        "type": "roundrobin",        "nodes": {            "127.0.0.1:1980": 1        }    },    "plugins": {        "ip-restriction": {            "whitelist": [                "127.0.0.2",                "113.74.26.106/24"            ]        }    }}'

Test Plugin after restriction change#

Requests from 127.0.0.2:

$ curl http://127.0.0.2:9080/index.html -i --interface 127.0.0.2HTTP/1.1 200 OK...

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -iHTTP/1.1 403 Forbidden...{"message":"Your IP address is not allowed"}

Disable Plugin#

When you want to disable the ip-restriction plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value='{    "uri": "/index.html",    "plugins": {},    "upstream": {        "type": "roundrobin",        "nodes": {            "39.97.63.215:80": 1        }    }}'

The ip-restriction plugin has been disabled now. It works for other plugins.