
Access control policy not working

I am trying to implement an IP-range-based allow/deny using the Access Control policy. Providing a screenshot of the proxy debug screen showing my IP as the first one in X-Forwarded-For. The same address is present in the proxy.client.ip field also.

[screenshot: proxy debug view]

However, the policy is not denying access. Below is the implementation I have used.

[screenshot: Access Control policy configuration]

Let me know if anyone can help @dchiesa1 @API-Evangelist 

Thanks in advance


If you are just experimenting it's OK; else start exploring KVM - https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy#deny-usin...

Maybe use ValidateBasedOn if it helps, as I see multiple IPs.

==

When the X-Forwarded-For HTTP header contains multiple IP addresses, use this ValidateBasedOn element to control which IP addresses are evaluated.

==

Documentation in Apigee is well written (mostly); you just need to go through each attribute, which will help. Good luck.


<AccessControl name="ACL">
  <IPRules noRuleMatchAction="ALLOW">
    <MatchRule action="DENY">
      <SourceAddress mask="32">198.51.100.1</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

 

It could be that it's validating based on the last IP of the X-Forwarded-For; please refer to https://docs.apigee.com/api-platform/reference/policies/access-control-policy#xforwardedfor

Try this option, it should work for your use case.

 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControl async="false" continueOnError="false" enabled="true" name="Access-Control-1">
    <DisplayName>Access Control-1</DisplayName>
    <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
    <Properties/>
    <IPRules noRuleMatchAction="ALLOW">
        <MatchRule action="DENY">
            <SourceAddress mask="24">103.160.194.119</SourceAddress>
        </MatchRule>
    </IPRules>
    <ValidateBasedOn>X_FORWARDED_FOR_FIRST_IP</ValidateBasedOn>
</AccessControl>
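The behaviour described in the two replies above (which X-Forwarded-For entry the IPRules actually see under each ValidateBasedOn value, and why a DENY rule is silently skipped when only the last hop is checked) as an added Python simulation. This is not Apigee's code and not from this thread; it reuses the thread's single DENY rule for 198.51.100.1 with mask 32 and noRuleMatchAction="ALLOW". The X-Forwarded-For sample value, the first-matching-rule-wins ordering and the "any DENY denies" handling for X_FORWARDED_FOR_ALL_IP are assumptions made for the illustration.

```python
import ipaddress

# <ValidateBasedOn> values that the Apigee AccessControl policy documents
X_FORWARDED_FOR_FIRST_IP = "X_FORWARDED_FOR_FIRST_IP"
X_FORWARDED_FOR_LAST_IP = "X_FORWARDED_FOR_LAST_IP"
X_FORWARDED_FOR_ALL_IP = "X_FORWARDED_FOR_ALL_IP"

# Rule set mirroring the <IPRules> posted in the thread: one DENY MatchRule
# and noRuleMatchAction="ALLOW".  Tuples are (action, SourceAddress, mask bits).
IP_RULES = [("DENY", "198.51.100.1", 32)]
NO_RULE_MATCH_ACTION = "ALLOW"

# Constructed X-Forwarded-For value: the client first, then two proxy hops.
SAMPLE_XFF = "198.51.100.1, 10.0.0.7, 192.0.2.9"


def parse_xff(header):
    """Split X-Forwarded-For into its addresses, left (client) to right (last proxy)."""
    return [part.strip() for part in header.split(",") if part.strip()]


def select_addresses(addresses, validate_based_on):
    """Pick which header entries the rules will be evaluated against."""
    if validate_based_on == X_FORWARDED_FOR_FIRST_IP:
        return addresses[:1]
    if validate_based_on == X_FORWARDED_FOR_LAST_IP:
        return addresses[-1:]
    if validate_based_on == X_FORWARDED_FOR_ALL_IP:
        return addresses
    raise ValueError("unknown ValidateBasedOn value: %s" % validate_based_on)


def action_for_address(address):
    """Return the action of the first MatchRule whose SourceAddress/mask
    contains the address, else noRuleMatchAction (ordering is an assumption)."""
    ip = ipaddress.ip_address(address)
    for action, source, mask in IP_RULES:
        # strict=False lets a host address with a shorter mask describe its network
        if ip in ipaddress.ip_network("%s/%d" % (source, mask), strict=False):
            return action
    return NO_RULE_MATCH_ACTION


def evaluate(xff_header, validate_based_on):
    """ALLOW or DENY for the request.  With ALL_IP a single DENY outcome
    denies the whole request (assumed, conservative semantics)."""
    candidates = select_addresses(parse_xff(xff_header), validate_based_on)
    if not candidates:
        return NO_RULE_MATCH_ACTION
    decisions = {action_for_address(addr) for addr in candidates}
    return "DENY" if "DENY" in decisions else "ALLOW"


if __name__ == "__main__":
    for mode in (X_FORWARDED_FOR_LAST_IP, X_FORWARDED_FOR_FIRST_IP, X_FORWARDED_FOR_ALL_IP):
        print("%-26s -> %s" % (mode, evaluate(SAMPLE_XFF, mode)))
```

With the sample header, LAST_IP only ever sees 192.0.2.9, so the DENY rule for the client never fires and the request is allowed, which is the symptom reported in the question; FIRST_IP and ALL_IP both deny. When choosing the value for a real deployment, remember that the leftmost X-Forwarded-For entry is written by whoever opened the connection, so it is only trustworthy where a proxy you operate strips or overwrites the incoming header; otherwise the hop appended by your own infrastructure is the one worth validating.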

 

Did this solution work for you?

Thanks

Mahtab