Condition to Access control policy

Can I add a condition to allow the healthcheck API, and not restrict it with any IP address restrictions, in the Access Control policy?

<AccessControl async="false" continueOnError="false" enabled="true" name="Access-Control">
  <DisplayName>Access Control</DisplayName>
  <Properties/>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">x.x.x.x</SourceAddress>
    </MatchRule>
    <MatchRule action = "ALLOW">
      <Step>
        <Condition>(proxy.pathsuffix MatchesPath "/health") and (request.verb = "GET")</Condition>
        <Name>Allow Healthcheck</Name>
      </Step>
    </MatchRule>
  </IPRules>
</AccessControl>

Is this the right way to add a condition? (Editor's Note: No.)

You can add a condition, but it does not belong in the policy. Your policy should express the control you want. In this case, something like this:

<AccessControl name="Access-Control">
  <DisplayName>Access Control</DisplayName>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">x.x.x.x</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

Then, in the ProxyEndpoint, you must "attach" that step. (This is not strictly true. You can attach that step to a SharedFlow which is connected to a FlowHook, but ... in the simple case, you just attach it into your ProxyEndpoint.) Be sure to attach it in the Request flow, probably in the Request PreFlow. Wrap it in a Condition that evaluates to TRUE when you DO want to enforce the access control. I.e., it evaluates to true when it is NOT a healthcheck API call. It might look like this:

<ProxyEndpoint name='endpoint1'>
  <HTTPProxyConnection>
    <BasePath>/my-base-path</BasePath>
    <Properties/>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>

  <FaultRules>...</FaultRules>

  <PreFlow name='PreFlow'>
    <Request>
      <Step>
        <Name>Access-Control</Name>
        <Condition>NOT ((proxy.pathsuffix MatchesPath "/health") and (request.verb = "GET"))</Condition>
      </Step>
    </Request>
    <Response>
      ...
    </Response>
  </PreFlow>

  <PostFlow name='PostFlow'>...</PostFlow>

  <Flows>...</Flows>
  <RouteRule ...> ...</RouteRule>
</ProxyEndpoint>
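
The enforcement logic described in the reply above, modeled in Python as an added example (not part of the original reply and not Apigee code). It shows which requests skip the Access-Control step and which fall through to the IP rule. Assumptions: `203.0.113.10` is a constructed stand-in for the page's `x.x.x.x`, a `MatchesPath` pattern without wildcards is treated as an exact match, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the page's x.x.x.x/32 SourceAddress (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32")]

def step_condition(path_suffix, verb):
    """Model of the Step's Condition:
    NOT ((proxy.pathsuffix MatchesPath "/health") and (request.verb = "GET")).
    Assumption: a MatchesPath pattern with no wildcards is an exact match."""
    return not (path_suffix == "/health" and verb == "GET")

def access_control(client_ip):
    """Model of the policy: True if a SourceAddress ALLOW rule matches,
    otherwise the request falls through to noRuleMatchAction="DENY"."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)

def decide(path_suffix, verb, client_ip):
    """Outcome for one request in the Request PreFlow:
    'skipped' (step not run), 'allowed' or 'denied'."""
    if not step_condition(path_suffix, verb):
        return "skipped"
    return "allowed" if access_control(client_ip) else "denied"

# Constructed requests: (proxy.pathsuffix, request.verb, client IP)
CASES = [
    ("/health", "GET", "198.51.100.7"),
    ("/health", "GET", "203.0.113.10"),
    ("/health", "POST", "198.51.100.7"),
    ("/health/details", "GET", "198.51.100.7"),
    ("/orders", "GET", "203.0.113.10"),
    ("/orders", "GET", "203.0.113.11"),
]

def decision_table():
    """Evaluate every constructed case and return (path, verb, ip, outcome) rows."""
    return [(p, v, ip, decide(p, v, ip)) for p, v, ip in CASES]

if __name__ == "__main__":
    for path, verb, ip, outcome in decision_table():
        print(f"{verb:5} {path:16} from {ip:13} -> {outcome}")
```

Only the exact `GET /health` combination skips the IP check; a different verb or a longer path from a non-allowlisted address is denied under the stated exact-match assumption. Because the skipped rows are reachable from any address, the health endpoint's response should carry nothing that the IP restriction was meant to protect.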