Zone lockdown to URL that includes port

I have a URL which I want to restrict, which looks like api.mydomain.com:8080/swagger

When I use api.domain.com in a zone lockdown I can see that it is successfully restricted to the CIDR block that I set; however, IPs outside of this block can still access api.mydomain.com:8080/swagger. How can I restrict this full URL to specific IPs?

I would personally recommend using WAF Custom Rules instead of Zone Lockdown rules. WAF Custom Rules are newer and provide more functionality. You can create Custom Rules in the WAF tab of the dashboard.

Create a new Custom Rule with the following expression. This will block any requests to api.example.com/swagger regardless of the port, unless the client IP address is 192.0.2.1 or in the 198.51.100.0/24 subnet.

(
    http.host eq "api.example.com"
and
    starts_with(lower(http.request.uri.path), "/swagger")
and
    not ip.src in {192.0.2.1 198.51.100.0/24}
)


In your Firewall / Custom Rules, you can use the field cf.edge.server_port, which is available on paid plans.

This would match any requests for ports other than 80 and 443:

not (cf.edge.server_port in {80 443})
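The two expressions in the replies above (the host/path rule with the IP allowlist, and the cf.edge.server_port check) can be dry-run against constructed requests before deploying them. The following is an added example written for this thread, not Cloudflare code and not code from either reply: it models the handful of rule fields the expressions read and reports which rule would fire for each request. It assumes that http.host carries the hostname without the port (the first reply relies on this when it says the rule applies regardless of the port), that ip.src may be IPv4 or IPv6, and that each Custom Rule is evaluated independently. The port_allowlist_rule function is an assumed combination of the two replies, not something either poster wrote.

```python
# Added example (not Cloudflare's code and not from the thread): an offline
# evaluator for the two rule expressions posted above, used to check which
# constructed requests each rule would match before deploying it.
# Assumptions: http.host carries the hostname without the port, ip.src may be
# IPv4 or IPv6, and each Custom Rule is evaluated independently of the others.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The subset of Cloudflare request fields the two expressions read."""
    host: str          # http.host
    path: str          # http.request.uri.path
    server_port: int   # cf.edge.server_port
    src_ip: str        # ip.src


# The allowlist from the first reply: one host address and one /24.
ALLOWED_SOURCES = ("192.0.2.1", "198.51.100.0/24")


def ip_in_set(src_ip, entries):
    """Model of `ip.src in {addr cidr ...}`: bare addresses become /32 or /128."""
    addr = ipaddress.ip_address(src_ip)
    # An address never matches a network of the other IP version.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def swagger_path_rule(req, allowed=ALLOWED_SOURCES):
    """First reply: block /swagger on api.example.com on any port unless ip.src is allowlisted."""
    return (
        req.host == "api.example.com"
        and req.path.lower().startswith("/swagger")
        and not ip_in_set(req.src_ip, allowed)
    )


def non_standard_port_rule(req):
    """Second reply, as posted: `not (cf.edge.server_port in {80 443})`.
    It has no IP clause, so it also blocks the allowlisted sources on port 8080."""
    return req.server_port not in (80, 443)


def port_allowlist_rule(req, allowed=ALLOWED_SOURCES):
    """Assumed combination (not from the thread): restrict non-standard ports to the
    allowlist instead of blocking them outright. Equivalent Cloudflare expression:
    not (cf.edge.server_port in {80 443}) and not ip.src in {192.0.2.1 198.51.100.0/24}"""
    return non_standard_port_rule(req) and not ip_in_set(req.src_ip, allowed)


# Constructed sample traffic using documentation addresses, not real clients.
SAMPLE_REQUESTS = (
    Request("api.example.com", "/Swagger/index.html", 8080, "203.0.113.7"),
    Request("api.example.com", "/swagger", 8080, "198.51.100.42"),
    Request("api.example.com", "/swagger", 443, "203.0.113.7"),
    Request("api.example.com", "/api/v1/orders", 443, "203.0.113.7"),
    Request("www.example.com", "/swagger", 8080, "203.0.113.7"),
    Request("api.example.com", "/swagger", 8080, "2001:db8::1"),
)


def evaluate(req):
    """Return the names of the rules that would fire for one request."""
    fired = []
    if swagger_path_rule(req):
        fired.append("swagger_path")
    if non_standard_port_rule(req):
        fired.append("non_standard_port")
    if port_allowlist_rule(req):
        fired.append("port_allowlist")
    return fired


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        target = f"{r.host}:{r.server_port}{r.path}"
        print(f"{r.src_ip:>16} -> {target:<45} {evaluate(r) or 'allowed'}")
```

Running it shows the caveat worth checking before copying the second reply verbatim: the bare cf.edge.server_port expression fires for the allowlisted 198.51.100.42 on port 8080 as well, so if the allowlisted addresses need to reach port 8080, the port check has to be combined with the same `not ip.src in {...}` clause the first reply used.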

That worked perfectly, thanks

