Applies access control rules to incoming requests based on the peer address.
The interceptor evaluates the configured child rules in order and uses the first rule that matches the peer to decide whether the request is permitted. If no rule matches, access is denied. A denied request is rejected with 403.
Rules can match on IPv4/IPv6 (optionally with CIDR prefix) or on a hostname pattern. Hostname matching requires the peer hostname to be resolved and is performed only when at least one configured rule uses a hostname target.
See the examples under examples/security/access-control-list and the tutorial tutorials/security/60-Access-Control-Lists.yaml.
Example Configuration
api:
port: 2000
flow:
- accessControl:
- allow: "10.0.0.0/8"
- deny: "0.0.0.0/0"
api:
port: 2000
flow:
- accessControl:
- allow: "10.0.0.0/8"
- deny: "0.0.0.0/0"
Syntax
accessControl:
- <rules>accessControl: - <rules>
Child Structure
| Element | Cardinality | Description |
|---|---|---|
| rules | 0..* | Configures the ordered list of access rules that will be evaluated for each request. |