Merge pull request #923 from 3scale/ip-check-policy-readme

README for the IP check policy

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Prometheus metrics for: the 3scale batching policy and the upstream API [PR #902](https://github.com/3scale/apicast/pull/902), [PR #918](https://github.com/3scale/apicast/pull/918)
 - Support for path in the upstream URL [PR #905](https://github.com/3scale/apicast/pull/905)
 - OIDC Authentication policy (only usable directly by the configuration file) [PR #904](https://github.com/3scale/apicast/pull/904)
+- IP check policy. This policy allows to accept or deny requests based on the IP [PR #907](https://github.com/3scale/apicast/pull/907), [PR #923](https://github.com/3scale/apicast/pull/923), [THREESCALE-1353](https://issues.jboss.org/browse/THREESCALE-1353)
 - Delete operation in the headers policy [PR #928](https://github.com/3scale/apicast/pull/928), [THREESCALE-1354](https://issues.jboss.org/browse/THREESCALE-1354)
 
 ### Changed
@@ -37,7 +38,6 @@ expressed might change in future releases.
 ### Fixed
 
 - Handles properly policies that raise an error when initialized [PR #911](https://github.com/3scale/apicast/pull/911), [THREESCALE-1332](https://issues.jboss.org/browse/THREESCALE-1332)
-- IP check policy. This policy allows to accept or deny requests based on the IP [PR #907](https://github.com/3scale/apicast/pull/907)
 
 ## [3.3.0-cr1] - 2018-09-14
 

gateway/src/apicast/policy/ip_check/README.md

@@ -0,0 +1,91 @@
+# IP Check policy
+
+- [**Description**](#description)
+- [**Examples**](#examples)
+
+
+## Description
+
+This policy allows to deny requests based on a blacklist or a whitelist of IPs.
+
+The policy accepts a "check_type" ("blacklist" or "whitelist") and a list of
+IPs. When the `check_type` is "blacklist", the policy denies all the requests
+that have an IP included in the list provided. When the `check_type` is
+"whitelist", the policy denies the request only if the IP is not included in the
+list provided.
+
+In the configuration, both single IPs (like 172.18.0.1) and CIDR ranges (like
+172.18.0.0/16) can be used.
+
+The message error that is returned when the request is denied can be configured
+with the `error_msg` field.
+
+The policy allows to specify how to retrieve the client IP that will be checked
+against the list of blacklisted or whitelisted IPs. This is configured with the
+`client_ip_sources` field. By default, the last caller IP will be used, but the
+policy can be configured to check the "X-Forwarded-For" or the "X-Real-IP"
+headers too.
+
+
+## Examples
+
+- Blacklist an IP and a range:
+```json
+{
+  "name": "ip_check",
+  "configuration": {
+    "ips": [ "3.4.5.6", "1.2.3.0/4" ],
+    "check_type": "blacklist"
+  }
+}
+```
+
+- Whitelist an IP and a range:
+```json
+{
+  "name": "ip_check",
+  "configuration": {
+    "ips": [ "3.4.5.6", "1.2.3.0/4" ],
+    "check_type": "whitelist"
+  }
+}
+```
+
+- Blacklist some IPs and customize the error message:
+```json
+{
+  "name": "ip_check",
+  "configuration": {
+    "ips": [ "3.4.5.6", "1.2.3.0/4" ],
+    "check_type": "blacklist",
+    "error_msg": "A custom error message"
+  }
+}
+```
+
+- Specify where to get the client IP from:
+```json
+{
+  "name": "ip_check",
+  "configuration": {
+    "ips": [ "3.4.5.6", "1.2.3.0/4" ],
+    "check_type": "blacklist",
+    "client_ip_sources": ["X-Forwarded-For"]
+  }
+}
+```
+
+- Specify several sources to get the IP from. They are tried in order:
+```json
+{
+  "name": "ip_check",
+  "configuration": {
+    "ips": [ "3.4.5.6", "1.2.3.0/4" ],
+    "check_type": "blacklist",
+    "client_ip_sources": ["X-Forwarded-For", "X-Real-IP", "last_caller"]
+  }
+}
+```
+
+To know more about the details of what is exactly supported please check the
+[policy config schema](apicast-policy.json).