Restrict IPs
Overview
The Restrict IPs policy action enables you to allow or deny traffic based on the source IP of the connection that was initiated to your ngrok endpoints. You can define rules in two ways, with CIDR blocks and with identifiers to existing ngrok IP Policies.
Example
Traffic Policy for restricting, allowing, and denying certain IPs.
YAML:
# snippet
---
actions:
  - type: "restrict-ips"
    config:
      enforce: true
      allow:
        - "1.1.1.1/32"
      deny:
        - "e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"
      ip_policies:
        - "ipp_1yjqdrIBwgciY2I9zH2EelgBbJF"
JSON:
// snippet
{
  "actions": [
    {
      "type": "restrict-ips",
      "config": {
        "enforce": true,
        "allow": [
          "1.1.1.1/32"
        ],
        "deny": [
          "e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"
        ],
        "ip_policies": [
          "ipp_1yjqdrIBwgciY2I9zH2EelgBbJF"
        ]
      }
    }
  ]
}
Request:
curl https://example.ngrok.app/api/v1
Result:
< HTTP/2 403
Behavior
This action evaluates the configured rules against the layer 4 source IP (conn.client_ip) of a connection. HTTP headers like X-Forwarded-For are never used.
A connection is allowed only if its source IP matches at least one of the allowed CIDRs and does not match any of the denied CIDRs.
The sets of allowed and denied CIDRs are built from the CIDRs specified in the allow and deny fields as well as the CIDRs belonging to the ngrok IP Policies specified in the ip_policies field.
If this action denies the connection, an HTTP 403 response is returned. The upstream server is never reached. No further actions or policy rules in the policy configuration will be executed.
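The evaluation rule above, sketched as a local pre-deployment check (an added example, not ngrok's code). The names `evaluate`, `_matches` and `POLICY_CIDRS` and the contents given for the IP Policy are constructed for illustration; the outcome for an empty allow list is not stated on this page, so the code follows the rule literally.

```python
import ipaddress

# The page's example config, as a Python dict.
CONFIG = {
    "enforce": True,
    "allow": ["1.1.1.1/32"],
    "deny": ["e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"],
    "ip_policies": ["ipp_1yjqdrIBwgciY2I9zH2EelgBbJF"],
}

# Constructed stand-in for the CIDRs ngrok resolves from an IP Policy ID.
# The real contents of this policy are not shown on the page.
POLICY_CIDRS = {
    "ipp_1yjqdrIBwgciY2I9zH2EelgBbJF": {
        "allow": ["203.0.113.0/24"],
        "deny": ["203.0.113.66/32"],
    },
}


def _matches(ip, cidrs):
    """True if ip is inside any CIDR; IPv4 and IPv6 never match each other."""
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return any(ip.version == n.version and ip in n for n in nets)


def evaluate(config, client_ip, policy_cidrs):
    """Return (permitted, status) for a layer 4 source IP.

    status is 403 when the action blocks the connection, otherwise None.
    Request headers such as X-Forwarded-For are deliberately not an input.
    """
    ip = ipaddress.ip_address(client_ip)
    allow = list(config.get("allow", []))
    deny = list(config.get("deny", []))
    # Merge in the CIDRs belonging to each referenced IP Policy.
    for policy_id in config.get("ip_policies", []):
        allow += policy_cidrs[policy_id]["allow"]
        deny += policy_cidrs[policy_id]["deny"]
    # Literal reading of the page: at least one allow match, no deny match.
    permitted = _matches(ip, allow) and not _matches(ip, deny)
    blocked = not permitted and config.get("enforce", True)
    return permitted, (403 if blocked else None)
```

With `enforce` set to false, a non-permitted IP yields `(False, None)`: the action records no block and processing continues to the next action.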
Reference
Supported Directions
- Inbound
Configuration
Type |
---|
restrict-ips |
Parameter | Type | Description |
---|---|---|
enforce | bool | Default true. If false, continue to the next action even if the IP is not permitted. |
allow | Array<string> | A list of CIDRs that are allowed. |
deny | Array<string> | A list of CIDRs that are denied. |
ip_policies | Array<ID> | A set of IP policy identifiers that will be used to check if a source IP is allowed access. |