Client IP Rules

Sometimes it is desirable to be able to restrict access to the Web server based on the IP address of the client which is attempting to access the server.

This is especially useful to help protect against address spoofing if the proxy protocol support has been enabled.

The client-ip-rule configuration entry can be used to build up a list of rules which determine whether a client is allowed to connect or not. Each rule consists of a designator (+ or -), which controls whether a matching client is allowed or denied access, followed by a client IP pattern (the '*' and '?' pattern-matching characters may be used). When a connection request is received, each rule is evaluated in sequence until one whose pattern matches the client IP address is found; the designator of that first matching rule is then used to allow or deny access. If no rule matches, the client is allowed access.

If the client is denied access the connection will be closed immediately, without any further processing. If the client is allowed access the connection request will proceed normally.

For example, if you wish to allow connections from the 10.10.10.0 subnet, and deny connections from all other clients, the following rules should be specified:
[server]
client-ip-rule = +10.10.10.*
client-ip-rule = -*
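
The following is an added example (not the server's own code) that models the rule evaluation described above: rules are checked in order, the first match decides, and a client matching no rule is allowed. It assumes that '*' matches any run of characters and '?' exactly one character in the dotted-decimal address text, and that no other characters are special; the constructed configurations show why the trailing "-*" rule is what turns the list into an allowlist, and how a pattern such as "10.10.1*" matches more addresses than its author may expect.

```python
import re


def pattern_to_regex(pattern):
    """Translate a client-ip-rule pattern into an anchored regex.
    Assumed semantics: only '*' (any run of characters) and '?' (one
    character) are wildcards; everything else, '.' included, is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(config_lines):
    """Collect client-ip-rule entries in file order as (allow, regex) pairs."""
    rules = []
    for line in config_lines:
        line = line.strip()
        if not line.startswith("client-ip-rule"):
            continue  # section header, comment or unrelated entry
        value = line.split("=", 1)[1].strip()
        if len(value) < 2 or value[0] not in "+-":
            raise ValueError("malformed rule: %r" % line)
        rules.append((value[0] == "+", pattern_to_regex(value[1:])))
    return rules


def client_allowed(client_ip, rules):
    """First matching rule decides; no match means the client is allowed."""
    for allow, regex in rules:
        if regex.match(client_ip):
            return allow
    return True


# Constructed sample: the page's allowlist for the 10.10.10.0 subnet.
ALLOWLIST_CONFIG = ["[server]",
                    "client-ip-rule = +10.10.10.*",
                    "client-ip-rule = -*"]
# Same rules without the catch-all deny: unmatched clients fall through to allow.
NO_CATCHALL_CONFIG = ALLOWLIST_CONFIG[:-1]
# A too-short prefix: also matches 10.10.100.0/24, 10.10.11.x and so on.
OVERBROAD_CONFIG = ["client-ip-rule = +10.10.1*", "client-ip-rule = -*"]

if __name__ == "__main__":
    for name, cfg in (("allowlist", ALLOWLIST_CONFIG),
                      ("no catch-all", NO_CATCHALL_CONFIG),
                      ("overbroad", OVERBROAD_CONFIG)):
        rules = parse_rules(cfg)
        for ip in ("10.10.10.7", "10.10.100.7", "192.0.2.9"):
            print(name, ip, "allow" if client_allowed(ip, rules) else "deny")
```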

For more information, see client-ip-rule.