Zuplo
Authorization

Geo-location filtering Policy

Block requests based on geo-location parameters: country, region code, and ASN

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-geo-filter-inbound-policy",
  "policyType": "geo-filter-inbound",
  "handler": {
    "export": "GeoFilterInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allow": {
        "asns": "395747, 28304",
        "countries": "US, CA",
        "regionCodes": "TX, WA"
      },
      "block": {
        "asns": "395747, 28304",
        "countries": "US, CA",
        "regionCodes": "TX, WA"
      },
      "ignoreUnknown": true
    }
  }
}
json

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be geo-filter-inbound.
  • handler.export <string> - The name of the exported type. Value should be GeoFilterInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • block <object> - No description available.
    • countries <string> - comma separated string of country codes to allow (e.g. "US, CA").
    • regionCodes <string> - comma separated string of region codes to allow (e.g. "TX, WA").
    • asns <string> - comma separated string of ASNs to allow (e.g. "395747, 28304").
  • allow <object> - No description available.
    • countries <string> - comma separated string of country codes to allow (e.g. "US, CA").
    • regionCodes <string> - comma separated string of region codes to allow (e.g. "TX, WA").
    • asns <string> - comma separated string of ASNs to allow (e.g. "395747, 28304").
  • ignoreUnknown <boolean> - Specifies whether unknown geo-location parameters should be ignored (allowed through). Defaults to true.

Using the Policy

Geo-location Filter Policy

Specify an allow list or block list of:

  • Countries - Country of the incoming request. The two-letter country code in the request, for example, "US".
  • regionCodes - If known, the ISO 3166-2 code for the first-level region associated with the IP address of the incoming request, for example, "TX"
  • ASNs - ASN of the incoming request, for example, 395747.

If you specify an allow and block list for the same location type (e.g. country) may have no effect or block all requests.

{
  "allow" : {
    "countries" : "US"
  },
  "block" : {
    "countries" : "MC"
  }
}
plain

The policy will only allow requests from US, so any request from MC would be automatically blocked.

Read more about how policies work

RBAC Authorization PolicyIP Restriction Policy