IP Blacklist

IP Blacklist policy controls access to a configured API endpoint from a single IP address or a range of IP addresses.

To Start with we will create an mulesoft application and connect it with API manager – please see how we can connect the mulesoft application to API Manager

After deployment of application in Cloudhub the API manager configuration will come as Active

Now we will apply the policy

Select IP blacklist

Now update the policy configuration

IP expression – this is the expression from where the policy will source the IP address from incoming request

So here also we have two way of capturing incoming request’s IP address

• The API is behind the Dedicated Load Balancer (DLB) or Shared Load Balancer (SLB)

We use attributes.headers[‘X-Forwarded-For’] as this will hold the actual originator IP address. This is populated by the proxy services or load balancer when they route it to actual target

• The request hits the worker of the API directly

We use attributes.remoteAddress as this will host the Client IP address

In case of above scenario attributes.remoteAddress will hold the IP address of the Proxy server or Load balancer

Blacklist

This can be your IP address or IP range

Now if I look for my IP address then it’s come out to be

Let’s update the IP blacklist configuration

#[attributes.headers[‘X-Forwarded-For’]] for IP expression and My IP address as Blacklist IP

Click apply

Now if I hit this API then I’ll get

To understand the attributes.headers[‘X-Forwarded-For’] and attributes.remoteAddress better then we will add the log for these two attributes value

Now if we look into the Cloudhub logs

18.219.185.76:18162 and /13.59.208.11:28936 are both remoteAddress whereas 106.210.75.203 is X-Forwarded-For or Originator address

As we are using Cloudhub shared load balancer so that’s why remoteAddress is changing as per forwarding Load balancer

Sample mule application – sample-rest-service-ip-blacklist

SOAP UI application – sample-rest-service-ip-black-soapui-project