docs/en/latest/plugins/ip-restriction.md

title: ip-restriction

Summary

Name
Attributes
How To Enable
Test Plugin
Disable Plugin

Name

The ip-restriction can restrict access to a Service or a Route by either whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges in CIDR notation like 10.10.10.0/24 can be used.

Attributes

Name	Type	Requirement	Default	Valid	Description
whitelist	array[string]	optional			List of IPs or CIDR ranges to whitelist.
blacklist	array[string]	optional			List of IPs or CIDR ranges to blacklist.

One of whitelist or blacklist must be specified, and they can not work together.

How To Enable

Creates a route or service object, and enable plugin ip-restriction.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.1",
                "113.74.26.106/24"
            ]
        }
    }
}'

Test Plugin

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 200 OK
...

Requests from 127.0.0.2:

$ curl http://127.0.0.1:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Change the restriction

When you want to change the whitelisted ip, it is very simple, you can send the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "127.0.0.2",
                "113.74.26.106/24"
            ]
        }
    }
}'

Test Plugin after restriction change

Requests from 127.0.0.2:

$ curl http://127.0.0.2:9080/index.html -i --interface 127.0.0.2
HTTP/1.1 200 OK
...

Requests from 127.0.0.1:

$ curl http://127.0.0.1:9080/index.html -i
HTTP/1.1 403 Forbidden
...
{"message":"Your IP address is not allowed"}

Disable Plugin

When you want to disable the ip-restriction plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d value='
{
    "uri": "/index.html",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'

The ip-restriction plugin has been disabled now. It works for other plugins.