Version: Next

Endpoint Access Control Flow

The Endpoint Access Control Flow enforces access rules based on endpoints and custom headers.

Using flexible filtering, it allows or blocks requests based on endpoint patterns and header values. The flow uses a Filter processor to match requests and a GenerateResponse processor to return 403 Forbidden responses for blocked requests, so that only requests with authorized endpoints and headers reach the API, while still enabling detailed monitoring of access events.

Flow Diagram


Scenarios

  1. Endpoint-Based Control: Restrict API access to approved endpoints, maintaining security in multi-tenant environments.
  2. Header-Based Authorization: Refine access control using custom headers, integrating with identity management systems.
  3. Access Monitoring: Log and monitor access events for compliance and auditing.
  4. Flexible Configuration: Easily adjust endpoint patterns and headers to meet security needs without code changes.
  5. Quick Response to Unauthorized Access: Automatically issue 403 responses to block unauthorized requests, ensuring system security.

Flow Components


Flow Example

In this configuration:

  • API requests to httpbin.com/* are allowed, while all others are blocked.
  • If a request to a blocked domain is detected, the flow returns a 403 HTTP status code along with the message: "Forbidden Access."
/etc/lunar-proxy/flows/flow.yaml

```yaml
name: EndpointAccessControlFlow

filter:
  url: "*"
processors:
  BlockFilter:
    processor: Filter
    parameters:
      - key: url
        value: httpbin.com/*
  GenerateResponseForbidden:
    processor: GenerateResponse
    parameters:
      - key: status
        value: 403
      - key: body
        value: "Forbidden Access"
      - key: Content-Type
        value: text/plain
flow:
  request:
    - from:
        stream:
          name: globalStream
          at: start
      to:
        processor:
          name: BlockFilter

    - from:
        processor:
          name: BlockFilter
          condition: hit
      to:
        processor:
          name: GenerateResponseForbidden

    - from:
        processor:
          name: BlockFilter
          condition: miss
      to:
        stream:
          name: globalStream
          at: end

  response:
    - from:
        processor:
          name: GenerateResponseForbidden
      to:
        stream:
          name: globalStream
          at: end
```
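
Whether a configuration like this acts as an allowlist or a blocklist depends on which BlockFilter condition (hit or miss) is wired to GenerateResponseForbidden, so it is worth checking before deployment. The following is an added example, not Lunar code: it models the routing in Python, assuming hit means the request URL matched the Filter's url value and using fnmatch as a stand-in for Lunar's pattern matching; normalize, decide, audit and the sample URLs are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Model of the flow above: one Filter pattern plus the edge taken on each outcome.
# ASSUMPTION: "hit" means the request URL matched the Filter's url value.
FLOW_AS_SHOWN = {
    "pattern": "httpbin.com/*",
    "edges": {"hit": "GenerateResponseForbidden", "miss": "globalStream:end"},
}
# Same processors with the two conditions swapped (allowlist wiring).
FLOW_SWAPPED = {
    "pattern": "httpbin.com/*",
    "edges": {"hit": "globalStream:end", "miss": "GenerateResponseForbidden"},
}

def normalize(url):
    """Drop scheme and query, lowercase the host (a choice of this model)."""
    rest = url.split("://", 1)[-1].split("?", 1)[0]
    host, _, path = rest.partition("/")
    return host.lower() + "/" + path

def decide(flow, url):
    """Return (condition, status); status is 403 when blocked, None when forwarded."""
    # fnmatch is a stand-in for the proxy's own URL pattern matching (assumption).
    cond = "hit" if fnmatchcase(normalize(url), flow["pattern"]) else "miss"
    target = flow["edges"][cond]
    return cond, (403 if target == "GenerateResponseForbidden" else None)

def audit(flow, urls):
    """Split sample URLs into those forwarded upstream and those answered with 403."""
    report = {"forwarded": [], "forbidden": []}
    for u in urls:
        _, status = decide(flow, u)
        report["forbidden" if status == 403 else "forwarded"].append(u)
    return report

# Constructed sample requests, including a lookalike host that must not match.
SAMPLES = [
    "https://httpbin.com/anything",
    "https://HTTPBIN.com/status/200?x=1",
    "https://httpbin.com.example.net/anything",
    "https://api.example.org/v1/users",
]

if __name__ == "__main__":
    for name, flow in (("as shown", FLOW_AS_SHOWN), ("swapped", FLOW_SWAPPED)):
        print(name, audit(flow, SAMPLES))
```

Comparing the two reports against the intended policy shows which wiring matches it; the same sample URLs can then be replayed through a test proxy to confirm the real Filter behaves as modelled.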