Policies

IP Restriction Policy

Custom Policy Example

Zuplo is extensible, so we don't have a built-in policy for IP Restriction, instead we have a template here that shows you how you can use your superpower (code) to achieve your goals. To learn more about custom policies see the documentation.

This custom policy allows you to specify a set of IP addresses that are allowed or blocked from making requests on your API. This can be useful for adding light-weight security to your API in non-critical scenarios. For example, if you want to ensure only employees on your corporate VPN cannot access development environments.

Generally, this policy should not be relied upon as the only security for protecting sensitive workloads.

import { HttpProblems, ZuploContext, ZuploRequest } from "@zuplo/runtime";
import ipRangeCheck from "ip-range-check";
 
interface PolicyOptions {
  allowedIpAddresses?: string[];
  blockedIpAddresses?: string[];
}
 
export default async function (
  request: ZuploRequest,
  context: ZuploContext,
  options: PolicyOptions,
  policyName: string,
) {
  // TODO: Validate the policy options. Skipping in the example for brevity
 
  // Get the incoming IP address
  const ip = request.headers.get("true-client-ip");
 
  // If the allowed IP addresses are set, then the incoming IP
  // must be in that list
  if (options.allowedIpAddresses) {
    const allowed = ipRangeCheck(ip, options.allowedIpAddresses);
    if (!allowed) {
      return HttpProblems.unauthorized(request, context);
    }
  }
 
  // If the blocked IP addresses are set, then the incoming IP
  // cannot be in that list
  if (options.blockedIpAddresses) {
    const blocked = ipRangeCheck(ip, options.allowedIpAddresses);
    if (blocked) {
      return HttpProblems.unauthorized(request, context);
    }
  }
 
  // If we made it this far, the IP address is allowed, continue
  return request;
}

Configuration

The example below shows how to configure a custom code policy in the 'policies.json' document that utilizes the above example policy code.

{
  "name": "my-ip-restriction-inbound-policy",
  "policyType": "ip-restriction-inbound",
  "handler": {
    "export": "default",
    "module": "$import(./modules/YOUR_MODULE)",
    "options": {
      "allowedIpAddresses": [
        "184.42.1.4",
        "102.1.5.2/24"
      ]
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • allowedIpAddresses <string[]> -
    The IP addresses or CIDR ranges to allow
  • blockedIpAddresses <string[]> -
    The IP addresses or CIDR ranges to allow

Using the Policy

Read more about how policies work

Previous
Geo-location filtering
Next
Rate Limiting