---
title: Access Control Lists (ACLs)
description: Define exactly who can access what with fine-grained rules
---
# Access Control Lists (ACLs)
Define exactly who can access what. Block specific countries, allow only certain IP ranges, or require authentication for sensitive applications. Fine-grained rules give you complete control.
## Overview
Access Control Lists let you create granular rules that determine who can reach your proxied services. Rules are evaluated in order, and the first matching rule determines whether access is allowed or denied.
ACL capabilities:
- IP Allowlists — Only permit specific IPs or ranges
- IP Blocklists — Deny access from known bad actors
- Country/Geo Blocking — Restrict access by geographic location
- CIDR Support — Define rules using network ranges (e.g., 192.168.1.0/24)
## Why Use This
- Compliance — Restrict access to specific regions for data sovereignty
- Security — Block high-risk countries or known malicious networks
- Internal Services — Limit access to corporate IP ranges
- Layered Defense — Combine with WAF and CrowdSec for comprehensive protection
## Configuration

### Creating an Access List
- Navigate to Access Lists in the sidebar
- Click Add Access List
- Provide a descriptive name (e.g., "Office IPs Only")
- Configure your rules
### Rule Types

#### IP Range Filtering
Add specific IPs or CIDR ranges:
```text
Allow: 192.168.1.0/24   # Allow entire subnet
Allow: 10.0.0.5         # Allow single IP
Deny:  0.0.0.0/0        # Deny everything else
```
Rules are processed top-to-bottom. Place more specific rules before broader ones.
#### Country/Geo Blocking
Block or allow traffic by country:
- In the Access List editor, go to Country Rules
- Select countries to Allow or Deny
- Choose default action for unlisted countries
Common configurations:
- Allow only your country — Whitelist your country, deny all others
- Block high-risk regions — Deny specific countries, allow rest
- Compliance zones — Allow only EU countries for GDPR compliance
### Applying to Proxy Hosts
- Edit your proxy host
- Go to the Access tab
- Select your Access List from the dropdown
- Save changes
Each proxy host can have one Access List assigned. Create multiple lists for different access patterns.
## Rule Evaluation Order
1. Check IP allowlist → Allow if matched
2. Check IP blocklist → Deny if matched
3. Check country rules → Allow/Deny based on geo
4. Apply default action
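The four-step order above, as an added Go example rather than the project's own code: the `AccessList` type and its field names are assumptions for this example, the client's country is passed in already resolved (geo lookup is not modelled), and bare IPs such as `10.0.0.5` are accepted alongside CIDR ranges as the rule syntax above shows.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AccessList mirrors this page's rule kinds (the field names are this example's assumptions).
type AccessList struct {
	AllowIPs, DenyIPs []netip.Prefix  // "Allow" / "Deny" IP and CIDR rules
	CountryRules      map[string]bool // ISO 3166-1 alpha-2 code -> allowed?
	DefaultAllow      bool            // applied when no rule above matches
}

func prefix(s string) netip.Prefix { // a CIDR, or a bare IP treated as a single-host prefix
	if p, err := netip.ParsePrefix(s); err == nil {
		return p
	}
	a := netip.MustParseAddr(s) // panics on a malformed rule, i.e. at config-load time
	return netip.PrefixFrom(a, a.BitLen())
}

func matchAny(ip netip.Addr, rules []netip.Prefix) bool {
	for _, p := range rules {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Allowed applies the page's order: IP allowlist, IP blocklist, country rules, then the default.
func (a AccessList) Allowed(ip netip.Addr, country string) bool {
	if matchAny(ip, a.AllowIPs) {
		return true
	}
	if matchAny(ip, a.DenyIPs) {
		return false
	}
	if ok, known := a.CountryRules[country]; known {
		return ok
	}
	return a.DefaultAllow
}

func main() {
	// The page's "Deny: 0.0.0.0/0" covers IPv4 only, so an IPv6 client falls through to the default.
	acl := AccessList{DenyIPs: []netip.Prefix{prefix("0.0.0.0/0")}, DefaultAllow: true}
	fmt.Println(acl.Allowed(netip.MustParseAddr("2001:db8::1"), "")) // true
}
```

Because an allowlist hit is checked first, an address that is both allowed and blocklisted is allowed; and because `0.0.0.0/0` never contains an IPv6 address, the default action, not the catch-all deny, decides for IPv6 clients.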
## Best Practices
| Scenario | Recommendation |
|---|---|
| Internal admin panels | Allowlist office/VPN IPs only |
| Public websites | Use geo-blocking for high-risk regions |
| API endpoints | Combine IP rules with rate limiting |
| Development servers | Restrict to developer IPs |
## Related
- Proxy Hosts — Apply access lists to services
- CrowdSec Integration — Automatic threat-based blocking
- Rate Limiting — Limit request frequency
- Back to Features