Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
Plugin Hub
github-edit-pageEdit this page
report-issueReport an issue
header icon

IP Restriction

By Kong Inc.

Looking for the plugin's configuration parameters? You can find them in the IP Restriction configuration reference doc.

Restrict access to a service or a route by either allowing or denying IP addresses. Single IPs, multiple IPs, or ranges in CIDR notation like 10.10.10.0/24 can be used.

The plugin supports IPv4 and IPv6 addresses.

Usage

An allow list provides a positive security model, in which the configured CIDR ranges are allowed access to the resource, and all others are inherently rejected. By contrast, a deny list configuration provides a negative security model, in which certain CIDRS are explicitly denied access to the resource (and all others are inherently allowed).

You can configure the plugin with both allow and deny configurations. An interesting use case of this flexibility is to allow a CIDR range, but deny an IP address on that CIDR range:

curl -X POST http://localhost:8001/services/{service}/plugins \
  --data "name=ip-restriction" \
  --data "config.allow=127.0.0.0/24" \
  --data "config.deny=127.0.0.1"

IP Addresses

It is important to understand how the IP address is determined. The IP address is determined by the request header sent to Kong from downstream. In most cases, the header has a name of X-Real-IP or X-Forwarded-For.

By default, Kong uses the header name X-Real-IP. If a different header name is required, it needs to be defined using the real_ip_header Nginx property. Depending on the environmental network setup, the trusted_ips Nginx property may also need to be configured to include the load balancer IP address.