This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Condition to Access control policy

Posted on 10-04-2021 12:31 PM
GovindReddy
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Can I add a condition to allow healthcheck API and not to restrict it with any IP address restrictions in Access control policy?

 

<AccessControl async="false" continueOnError="false" enabled="true" name="Access-Control">
  <DisplayName>Access Control</DisplayName>
  <Properties/>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">x.x.x.x</SourceAddress>
    </MatchRule>
    <MatchRule action = "ALLOW">
      <Step>
        <Condition>(proxy.pathsuffix MatchesPath "/health") and (request.verb = "GET")</Condition>
        <Name>Allow Healthcheck</Name>
      </Step>
    </MatchRule>
  </IPRules>
</AccessControl>

 

Is this right way to add condition? (Editor's Note: No.)

0 1 103
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

You can add a condition but it does not belong in the policy. Your policy should express the control you want. In this case, something like this:

 

<AccessControl name="Access-Control">
  <DisplayName>Access Control</DisplayName>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">x.x.x.x</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

 

Then, in the ProxyEndpoint, you must "attach" that step. (This is not strictly true. You can attach that step to a SharedFlow which is connected to a FlowHook, but ... in the simple case, you just attach it into your ProxyEndpoint.). Be sure to attach it in the Request flow, probably in the Request PreFlow. Wrap it in a Condition that evaluates to TRUE when you DO want to enforce the access control. IE evaluates to true when it is NOT a healthcheck API call. It might look like this:

 

<ProxyEndpoint name='endpoint1'>
  <HTTPProxyConnection>
    <BasePath>/my-base-path</BasePath>
    <Properties/>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>

  <FaultRules>...</FaultRules>

  <PreFlow name='PreFlow'>
    <Request>
      <Step>
        <Name>Access-Control</Name>
        <Condition>NOT ((proxy.pathsuffix MatchesPath "/health") and (request.verb = "GET"))</Condition>
      </Step>
    </Request>
    <Response>
      ...
    </Response>
  </PreFlow>

  <PostFlow name='PostFlow'>...</PostFlow>

  <Flows>...</Flows>
  <RouteRule ...> ...</RouteRule>
</ProxyEndpoint>

 

0 Likes
Top Solution Authors
View all