IP Access Control
IP access control lets you decide which clients can connect to an MCPX Server based on their IP address. This is useful when access must be limited to trusted sources such as office networks, VPNs, or specific load balancers. Both IPv4 and IPv6 addresses are supported, and ranges can be defined with CIDR notation. If you do not configure anything, all IPs are allowed by default.
How it Works
When IP access control is enabled, every incoming request is checked against the list of allowed IPs or ranges. If a client IP matches, the request is processed as usual. If not, the server returns HTTP 403 Forbidden.
Configuration
Set the ALLOWED_IP_RANGES environment variable to a comma-separated list of IP addresses or CIDR ranges:
Example Configurations
# Allow single IPs
ALLOWED_IP_RANGES="192.168.1.100,10.0.0.50"
# Allow IP ranges using CIDR notation
ALLOWED_IP_RANGES="192.168.1.0/24,10.0.0.0/8"
# Allow localhost (IPv4 and IPv6)
ALLOWED_IP_RANGES="127.0.0.1,::1"
# Allow multiple ranges
ALLOWED_IP_RANGES="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,::1"
# Disable IP filtering (default, allows all IPs)
# Simply do not set ALLOWED_IP_RANGES or leave it empty
For Example
Development Environment
# Allow localhost only
ALLOWED_IP_RANGES="127.0.0.1,::1"
Office Network
# Allow office subnet and VPN range
ALLOWED_IP_RANGES="192.168.1.0/24,10.8.0.0/16"
Production Environment
# Allow specific load balancer IPs and monitoring systems
ALLOWED_IP_RANGES="10.0.1.10,10.0.1.11,10.0.2.0/28"
Technical Details
- Requests from IPs outside the allowed ranges receive HTTP 403 Forbidden
- IPv4-mapped IPv6 addresses are automatically normalized
- Invalid CIDR notation will prevent the server from starting, with a clear error message
- When ALLOWED_IP_RANGES is not set, IP filtering is disabled and all IPs are allowed
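The behaviour listed above, modelled as an added example in Python (this is not MCPX's own code). The function names are hypothetical, and rejecting CIDRs with host bits set is an assumption of this sketch; the addresses in the usage section are constructed.

```python
import ipaddress


def parse_allowed_ranges(raw):
    """Parse an ALLOWED_IP_RANGES value (hypothetical helper).

    Returns None when the value is unset or empty (filtering disabled).
    Raises ValueError on any invalid entry, so a caller can refuse to start.
    """
    if raw is None or not raw.strip():
        return None
    networks = []
    for entry in raw.split(","):
        entry = entry.strip()
        try:
            # A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
            # Assumption: strict mode, so 192.168.1.5/24 is rejected.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(
                f"invalid ALLOWED_IP_RANGES entry {entry!r}: {exc}") from None
    return networks


def normalize(client_ip):
    """Return the address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def status_for(client_ip, networks):
    """Return the HTTP status the filter would yield: 200 (pass) or 403."""
    if networks is None:
        return 200  # no allowlist configured: all IPs are allowed
    addr = normalize(client_ip)
    allowed = any(addr.version == net.version and addr in net
                  for net in networks)
    return 200 if allowed else 403


if __name__ == "__main__":
    nets = parse_allowed_ranges("192.168.1.0/24,10.0.0.50,::1")
    for ip in ("192.168.1.77", "::ffff:192.168.1.77", "10.0.0.51", "::1"):
        print(ip, status_for(ip, nets))
```

Without the normalization step, a dual-stack listener that reports a client as ::ffff:192.168.1.77 would not match the 192.168.1.0/24 entry and the request would be rejected.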