fabio supports basic ip centric access control per route. You may
specify one of
deny options per route to control access.
Currently only source ip control is available.
To allow access to a route from clients within the
fe80::/10 subnet you would add the following option:
With this specified only clients sourced from those two subnets will be allowed. All other requests to that route will be denied.
Inversely, to deny a specific set of clients you can use the following option syntax:
With this configuration access will be denied to any clients with
fe80::1234 address or coming from the
Single host addresses (addresses without a prefix) will have a
/32 prefix, for IPv4, or a
/128 prefix, for IPv6, added automatically.
220.127.116.11 is equivalent to
is equivalent to
fe80::1234/128 when specifying
address blocks for
The source ip used for validation against the defined ruleset is taken from information available in the request.
HTTP requests the client
RemoteAddr is always validated
followed by all elements of the
X-Forwarded-For header, if
present. When all of these elements match an
allow the request
will be allowed; similarly when any element matches a
request will be denied.
TCP requests the source address of the network socket
is used as the sole paramater for validation.
If the inbound connection uses the PROXY protocol
to transmit the true source address of the client then it will
be used for both
TCP connections for validating access.