Endpoint Access Control Flow
The Endpoint Access Control Flow enforces access rules based on endpoints and custom headers.
Using flexible filtering, it allows or blocks requests based on endpoint patterns and header values. The flow uses Filter processors to decide whether a request is allowed and a GenerateResponse processor to return a 403 Forbidden
response for blocked requests, so that only authorized endpoints and headers reach the API while access events can be monitored in detail.
Scenarios
- Endpoint-Based Control: Restrict API access to approved endpoints, maintaining security in multi-tenant environments.
- Header-Based Authorization: Refine access control using custom headers, integrating with identity management systems.
- Access Monitoring: Log and monitor access events for compliance and auditing.
- Flexible Configuration: Easily adjust endpoint patterns and headers to meet security needs without code changes.
- Quick Response to Unauthorized Access: Automatically issue 403 responses to block unauthorized requests, ensuring system security.
Flow Configuration Template
/etc/lunar-proxy/flows/flow.yaml

```yaml
name: DomainAccessControlFlow # The name of the flow
filter:
  url: "*" # Define the URL pattern for the filter
processors:
  AllowFilter:
    processor: Filter # Processor for allowing requests to specific URLs
    parameters:
      - key: url
        value: acmecorp.com/* # Allow only requests to acmecorp.com
  BlockFilter:
    processor: Filter # Processor for blocking requests based on a header
    parameters:
      - key: header
        value: x-domain-access=<any-value> # Header used for blocking access
  GenerateResponseForbidden:
    processor: GenerateResponse # Processor for generating a 403 forbidden response
    parameters:
      - key: status
        value: 403 # HTTP status code for forbidden access
      - key: body
        value: "Forbidden Access" # Response body text
      - key: Content-Type
        value: text/plain # Content type for the response
flow:
  request:
    - from:
        stream:
          name: globalStream # The stream to start the request flow
          at: start # Start point of the flow
      to:
        processor:
          name: AllowFilter # Process the request through the AllowFilter processor
    - from:
        processor:
          name: AllowFilter # After AllowFilter processor
          condition: hit # If the request matches the allow criteria
      to:
        processor:
          name: BlockFilter # Process the request through the BlockFilter processor
    - from:
        processor:
          name: AllowFilter # After AllowFilter processor
          condition: miss # If the request does not match the allow criteria
      to:
        processor:
          name: GenerateResponseForbidden # Generate a 403 response for forbidden access
    - from:
        processor:
          name: BlockFilter # After BlockFilter processor
          condition: hit # If the request matches the block criteria
      to:
        processor:
          name: GenerateResponseForbidden # Generate a 403 response for forbidden access
    - from:
        processor:
          name: BlockFilter # After BlockFilter processor
          condition: miss # If the request does not match the block criteria
      to:
        stream:
          name: globalStream # Send the request to the global stream
          at: end # End of the request flow
  response:
    - from:
        processor:
          name: GenerateResponseForbidden # In case of forbidden access, send the response
      to:
        stream:
          name: globalStream # Send response back to the global stream
          at: end # End point of the response flow
```
Flow Example
In this configuration:
- API requests to httpbin.com/* are allowed, while all others are blocked.
- If a request to a blocked domain is detected, the flow returns a 403 HTTP status code along with the message: "Forbidden Access".
/etc/lunar-proxy/flows/flow.yaml

```yaml
name: EndpointAccessControlFlow
filter:
  url: "*"
processors:
  AllowFilter:
    processor: Filter
    parameters:
      - key: url
        value: httpbin.com/*
  GenerateResponseForbidden:
    processor: GenerateResponse
    parameters:
      - key: status
        value: 403
      - key: body
        value: "Forbidden Access"
      - key: Content-Type
        value: text/plain
flow:
  request:
    - from:
        stream:
          name: globalStream
          at: start
      to:
        processor:
          name: AllowFilter
    - from:
        processor:
          name: AllowFilter
          condition: miss
      to:
        processor:
          name: GenerateResponseForbidden
    - from:
        processor:
          name: AllowFilter
          condition: hit
      to:
        stream:
          name: globalStream
          at: end
  response:
    - from:
        processor:
          name: GenerateResponseForbidden
      to:
        stream:
          name: globalStream
          at: end
```
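To make the hit/miss routing of both flows on this page concrete (the template with AllowFilter plus BlockFilter, and the httpbin.com example), the following added script traces a request through each graph and reports whether it is forwarded to the API or answered with the 403. This is example code, not part of Lunar Proxy, and it makes two assumptions that the page does not document: a `url` filter value is treated as a glob over a "host/path" string (Python `fnmatch`), and a `header` value of `name=<any-value>` matches whenever the header is present, while any other value must be equal to the header's value. The requests fed in are constructed samples.

```python
"""Trace a request through the page's access-control flows (added example)."""
from fnmatch import fnmatch

# Flow graphs transcribed from the page's YAML as dicts so no YAML parser is
# needed. Each request edge is (from_node, condition, to_node); "start" and
# "end" stand for globalStream at: start / at: end.
TEMPLATE_FLOW = {
    "processors": {
        "AllowFilter": ("Filter", {"url": "acmecorp.com/*"}),
        "BlockFilter": ("Filter", {"header": "x-domain-access=<any-value>"}),
        "GenerateResponseForbidden": ("GenerateResponse",
            {"status": 403, "body": "Forbidden Access", "Content-Type": "text/plain"}),
    },
    "request": [
        ("start", None, "AllowFilter"),
        ("AllowFilter", "hit", "BlockFilter"),
        ("AllowFilter", "miss", "GenerateResponseForbidden"),
        ("BlockFilter", "hit", "GenerateResponseForbidden"),
        ("BlockFilter", "miss", "end"),
    ],
}

EXAMPLE_FLOW = {
    "processors": {
        "AllowFilter": ("Filter", {"url": "httpbin.com/*"}),
        "GenerateResponseForbidden": TEMPLATE_FLOW["processors"]["GenerateResponseForbidden"],
    },
    "request": [
        ("start", None, "AllowFilter"),
        ("AllowFilter", "miss", "GenerateResponseForbidden"),
        ("AllowFilter", "hit", "end"),
    ],
}


def filter_hit(params, request):
    """Evaluate a Filter processor; every parameter must match (assumption)."""
    for key, value in params.items():
        if key == "url":
            # Assumption: glob match over "host/path", no scheme.
            if not fnmatch(request["url"], value):
                return False
        elif key == "header":
            # Assumption: "name=<any-value>" means presence, otherwise exact value.
            name, _, expected = value.partition("=")
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            actual = headers.get(name.lower())
            if actual is None or (expected != "<any-value>" and actual != expected):
                return False
        else:
            raise ValueError(f"unsupported filter key: {key}")
    return True


def route(flow, request):
    """Walk the request graph; return ("forward", None) or ("respond", response)."""
    edges = flow["request"]
    node, condition = "start", None
    for _ in range(len(edges) + 1):  # bound the walk so a malformed graph cannot loop
        next_node = next((to for frm, cond, to in edges
                          if frm == node and cond == condition), None)
        if next_node is None:
            raise ValueError(f"no edge from {node} with condition {condition}")
        if next_node == "end":
            return "forward", None
        kind, params = flow["processors"][next_node]
        if kind == "GenerateResponse":
            return "respond", dict(params)
        # Filter: pick the outgoing edge labelled with its hit/miss result.
        node = next_node
        condition = "hit" if filter_hit(params, request) else "miss"
    raise RuntimeError("flow did not terminate")


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"url": "acmecorp.com/v1/orders", "headers": {}},
        {"url": "acmecorp.com/v1/orders", "headers": {"X-Domain-Access": "tenant-b"}},
        {"url": "other.example/v1/orders", "headers": {}},
    ]
    for req in samples:
        print(req["url"], req["headers"], "->", route(TEMPLATE_FLOW, req))
```

Running it shows that the template forwards only a request whose URL matches the allow pattern and that carries no `x-domain-access` header; a matching URL with the header present hits BlockFilter and is answered with the 403, as is any URL outside the pattern. If the intent is the opposite (require the header rather than block on it), the `hit` and `miss` conditions on the BlockFilter edges are what change.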