Hi Harry,

You will need to create a custom policy where the main processing rule would have a stylesheet can get the current request's clientIP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/> and you would used the dp:ip-addr-match extension function to determine if the client IP is within the range you wish.  Note that the ip-addr-match extension function does accept CIDR notation so you can check for the client IP being within a range of IPs.  If the IP isn't in range, the you'd use a dp:reject.  You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like

<xsl:call-template name="apim:error">
<xsl:with-param name="httpCode" select="'403'" />
<xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
<xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,

Steve

Hi Harry, 

This question has come up from  time to time, so I just pulled my sample custom policy for this from my archives and placed in the API Connect Sample custom policies at https://github.com/ibm-apiconnect/policy (Look for clientIP-filter-policy). Again, just a sample, but give it a try and if nothing else it gives you a head start.  If it doesn't meet your needs, you can modify as needed to meet your requirements.

Regards,
Steve

Hi Harry,

You will need to create a custom policy where the main processing rule would have a stylesheet can get the current request's clientIP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/> and you would used the dp:ip-addr-match extension function to determine if the client IP is within the range you wish.  Note that the ip-addr-match extension function does accept CIDR notation so you can check for the client IP being within a range of IPs.  If the IP isn't in range, the you'd use a dp:reject.  You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like

<xsl:call-template name="apim:error">
<xsl:with-param name="httpCode" select="'403'" />
<xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
<xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,

Steve

Hi Harry,

You will need to create a custom policy where the main processing rule would have a stylesheet can get the current request's clientIP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/> and you would used the dp:ip-addr-match extension function to determine if the client IP is within the range you wish.  Note that the ip-addr-match extension function does accept CIDR notation so you can check for the client IP being within a range of IPs.  If the IP isn't in range, the you'd use a dp:reject.  You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like

<xsl:call-template name="apim:error">
<xsl:with-param name="httpCode" select="'403'" />
<xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
<xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,

Steve

Hi Harry,

You will need to create a custom policy where the main processing rule would have a stylesheet can get the current request's clientIP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/> and you would used the dp:ip-addr-match extension function to determine if the client IP is within the range you wish.  Note that the ip-addr-match extension function does accept CIDR notation so you can check for the client IP being within a range of IPs.  If the IP isn't in range, the you'd use a dp:reject.  You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like

<xsl:call-template name="apim:error">
<xsl:with-param name="httpCode" select="'403'" />
<xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
<xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,

Steve

Hi Harry,

You will need to create a custom policy where the main processing rule would have a stylesheet can get the current request's clientIP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/> and you would used the dp:ip-addr-match extension function to determine if the client IP is within the range you wish.  Note that the ip-addr-match extension function does accept CIDR notation so you can check for the client IP being within a range of IPs.  If the IP isn't in range, the you'd use a dp:reject.  You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like

<xsl:call-template name="apim:error">
<xsl:with-param name="httpCode" select="'403'" />
<xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
<xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,

Steve