Access control policy not working

I am trying to implement an IP-range-based allow/deny using the Access Control policy. I am providing a screenshot of the proxy debug screen showing my IP as the first one in X-FORWARDED_FOR. The same address is also present in the proxy.client.ip field.

[Screenshot: abhijithsh_0-1678440835567.png]

However, the policy is not denying access. Below is the implementation I have used.

[Screenshot: abhijithsh_1-1678440907435.png]

Let me know if anyone can help @dchiesa1 @API-Evangelist 

Thanks in advance

 


If you are just experimenting, it's OK; otherwise start exploring KVM - https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy#deny-usin...

Maybe use ValidateBasedOn if it helps, as I see multiple IPs.

==

When the X-Forwarded-For HTTP header contains multiple IP addresses, use this ValidateBasedOn element to control which IP addresses are evaluated.

==

The documentation in Apigee is well written (mostly); you just need to go through each attribute, which will help. Good luck.

 

 

<AccessControl name="ACL">
  <IPRules noRuleMatchAction="ALLOW">
    <MatchRule action="DENY">
      <SourceAddress mask="32">198.51.100.1</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

 

It could be that it's validating based on the last IP of the X-Forwarded-For; please refer to https://docs.apigee.com/api-platform/reference/policies/access-control-policy#xforwardedfor
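
The two replies above point at the same setting. As an added example (not posted by anyone in the thread), this is the policy from the reply with the ValidateBasedOn element set so that only the first X-Forwarded-For address is evaluated, which is where the question says the client IP appears; it assumes the proxies in front of Apigee are trusted to populate that header.

```xml
<!-- Added example: the thread's ACL policy with ValidateBasedOn made explicit. -->
<AccessControl name="ACL">
  <IPRules noRuleMatchAction="ALLOW">
    <MatchRule action="DENY">
      <SourceAddress mask="32">198.51.100.1</SourceAddress>
    </MatchRule>
  </IPRules>
  <!-- Controls which X-Forwarded-For entries are checked against the rules.
       Documented values: X_FORWARDED_FOR_ALL_IP, X_FORWARDED_FOR_FIRST_IP,
       X_FORWARDED_FOR_LAST_IP.
       The left-most entry is the one the caller itself can supply, so a DENY
       rule keyed on it is only as reliable as the upstream proxies that set
       or overwrite the header. -->
  <ValidateBasedOn>X_FORWARDED_FOR_FIRST_IP</ValidateBasedOn>
</AccessControl>
```

After deploying, the debug (trace) view for the AccessControl step shows whether the DENY rule matched for the address in question.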