The request-block plugin blocks HTTP requests that match specific URL, header, or body patterns, helping you prevent external access to protected resources.
Plugin type
Security protection plugin.
Configuration fields
You must configure at least one of block_urls, block_headers, or block_bodys.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
block_urls |
array of string | No | - | URL patterns to match against request paths and query strings. |
block_headers |
array of string | No | - | Patterns to match against request header names and values. |
block_bodys |
array of string | No | - | Patterns to match against request body content. |
blocked_code |
number | No | 403 | HTTP status code returned to blocked requests. |
blocked_message |
string | No | - | Response body returned to blocked requests. |
case_sensitive |
bool | No | true | Specifies whether matching is case-sensitive. Set to false for case-insensitive matching. |
Examples
Block requests by URL
block_urls:
- swagger.html
- foo=bar
case_sensitive: false
Blocked requests:
curl http://example.com?foo=Bar
curl http://example.com/Swagger.html
Because case_sensitive is set to false, foo=Bar matches the foo=bar rule, and Swagger.html matches the swagger.html rule.
Block requests by header
block_headers:
- example-key
- example-value
Blocked requests:
curl http://example.com -H 'example-key: 123'
curl http://example.com -H 'my-header: example-value'
The first request matches because its header name contains example-key. The second request matches because its header value contains example-value.
Block requests by body
block_bodys:
- "hello world"
case_sensitive: false
Blocked requests:
curl http://example.com -d 'Hello World'
curl http://example.com -d 'hello world'
Both requests match because case_sensitive is set to false.
Apply rules to specific routes or domains
You can define separate blocking rules for different routes and domains. Rules are evaluated in order, and the first matching rule takes effect.
The following configuration applies to the route-a and route-b routes:
block_bodys:
- "hello world"
The following configuration applies to the *.example.com and test.com domains:
block_urls:
- "swagger.html"
block_bodys:
- "hello world"
-
route-aandroute-brefer to routes specified when you create gateway routes. If a client request matches one of these routes, the corresponding rules take effect. -
*.example.comandtest.commatch domain names in requests. If a client request matches one of these domains, the corresponding rules take effect. -
Rules take effect in order. After the first rule matches, subsequent rules are skipped.
Request body size limit
When block_bodys is configured, body matching applies only to requests smaller than 32 MB. Requests larger than 32 MB that do not match any block_urls or block_headers rules are allowed through without being blocked.
If block_bodys is configured and the request body exceeds the DownstreamConnectionBufferLimits value configured for the gateway, the gateway returns a 413 Payload Too Large error. To increase this limit, adjust DownstreamConnectionBufferLimits on the parameter configuration page.
Increasing DownstreamConnectionBufferLimits significantly increases gateway memory usage. Adjust this value with caution.