dynamic allowlisting on host and ip prefix #937

Draft
mike-jc wants to merge 1 commit into cloudfoundry:master from sap-contributions:allowlist-by-ip-prefix

@mike-jc mike-jc commented Jun 22, 2026

Contributor
  • HAProxy config adds request blocking logic:
    • Source IP is converted to binary
    • Two lookup keys are built: domain|ip-version|ip-binary for the exact hostname, and .parent-domain|ip-version|ip-binary for all subdomains
      • IP version is introduced to differentiate binary prefixes for IPv4 and IPv6
    • Both keys are checked against the ACL list; if neither matches, the request is rejected with 403
    • The ACL list is loaded from the file on startup and can be updated at runtime via HAProxy socket using add acl / del acl commands
  • Config flag and generation of initial ACL list are done in product (PR 111764)

@mike-jc mike-jc force-pushed the allowlist-by-ip-prefix branch from 4ab36c7 to 3fea9a2 Compare June 25, 2026 12:39
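
A Python model of the lookup described in the PR description, added here as an illustration; it is not code from this pull request and not HAProxy configuration. It assumes the binary IP is rendered as a bit string, that ACL entries are matched as prefixes of the lookup key, and that the parent domain is the host minus its leftmost label; all function names and sample entries are hypothetical.

```python
import ipaddress

def ip_bits(ip):
    """Return (ip_version, address as a fixed-width bit string)."""
    addr = ipaddress.ip_address(ip)
    return addr.version, format(int(addr), "0{}b".format(addr.max_prefixlen))

def acl_entry(host, cidr):
    """ACL entry 'host|ip-version|<network bits cut at the prefix length>'."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = format(int(net.network_address), "0{}b".format(net.max_prefixlen))
    return "{}|{}|{}".format(host.lower(), net.version, bits[:net.prefixlen])

def lookup_keys(host, src_ip):
    """Build the two keys: exact hostname and '.parent-domain'."""
    host = host.lower().rstrip(".")  # assumption: port already stripped
    version, bits = ip_bits(src_ip)
    keys = ["{}|{}|{}".format(host, version, bits)]
    _, _, parent = host.partition(".")  # assumption: immediate parent only
    if parent:
        keys.append(".{}|{}|{}".format(parent, version, bits))
    return keys

def is_allowed(host, src_ip, acl):
    """True if any ACL entry is a prefix of either key; otherwise the proxy would answer 403."""
    return any(key.startswith(entry)
               for key in lookup_keys(host, src_ip)
               for entry in acl)

# Constructed sample allowlist (not taken from the PR).
SAMPLE_ACL = [
    acl_entry("app.example.com", "10.0.0.0/8"),   # exact host, IPv4 /8
    acl_entry(".example.com", "2001:db8::/32"),   # all subdomains, IPv6 /32
]

if __name__ == "__main__":
    for host, ip in [("app.example.com", "10.1.2.3"),
                     ("app.example.com", "a00::1"),   # same leading bits as 10/8
                     ("api.example.com", "2001:db8::5"),
                     ("example.com", "2001:db8::5")]:
        print(host, ip, "allow" if is_allowed(host, ip, SAMPLE_ACL) else "403")
```

The second sample request shows why the key carries the IP version: `a00::1` and `10.1.2.3` share the leading bits `00001010`, so without the version field an IPv4 /8 entry would also admit that IPv6 source.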