The request-block plug-in blocks HTTP requests that match specific URLs, request headers, or request bodies. Use it to prevent internal or sensitive resources -- such as Swagger API pages -- from being exposed through the gateway.
Plug-in type: Security protection
When to use this plug-in
| Scenario | Matching field |
|---|---|
| Block access to specific URL paths or query strings | block_urls |
| Block requests that contain certain header keys or values | block_headers |
| Block requests whose body contains specific content | block_bodys |
| Scope blocking rules to individual routes or domain names | Route-level or domain-level configuration |
Fields
| Name | Data type | Required | Default | Description |
|---|---|---|---|---|
| block_urls | array of string | No | - | Strings matched against the request URL (path and query string). A request whose URL contains any of them is blocked. Example: ["swagger.html", "foo=bar"] |
| block_headers | array of string | No | - | Strings matched against request header keys and values. A request with a header key or value containing any of them is blocked. Example: ["example-key", "example-value"] |
| block_bodys | array of string | No | - | Strings matched against the request body. A request whose body contains any of them is blocked. Example: ["hello world"] |
| blocked_code | number | No | 403 | HTTP status code returned when a request is blocked. |
| blocked_message | string | No | - | HTTP response body returned when a request is blocked. |
| case_sensitive | bool | No | true | Whether matching is case-sensitive. Set to false to ignore case. |
Configure at least one of block_urls, block_headers, or block_bodys; the plug-in requires at least one matching rule.
Configuration examples
Block requests by URL
Block any request whose URL contains swagger.html or foo=bar. With case_sensitive set to false, matching ignores case.
```yaml
block_urls:
- swagger.html
- foo=bar
case_sensitive: false
```

Both of the following requests are blocked:

```bash
# "foo=Bar" matches "foo=bar" (case-insensitive)
curl 'http://example.com?foo=Bar'
# "Swagger.html" matches "swagger.html" (case-insensitive)
curl http://example.com/Swagger.html
```

Expected response:

```
HTTP/1.1 403 Forbidden
```

Block requests by header
Block any request whose header key or value contains example-key or example-value.
```yaml
block_headers:
- example-key
- example-value
```

Both of the following requests are blocked:

```bash
# Header key "example-key" matches
curl http://example.com -H 'example-key: 123'
# Header value "example-value" matches
curl http://example.com -H 'my-header: example-value'
```

Expected response:

```
HTTP/1.1 403 Forbidden
```

Block requests by body
Block any request whose body contains hello world. With case_sensitive set to false, matching ignores case.
```yaml
block_bodys:
- "hello world"
case_sensitive: false
```

Both of the following requests are blocked:

```bash
# "Hello World" matches "hello world" (case-insensitive)
curl http://example.com -d 'Hello World'
# Exact match
curl http://example.com -d 'hello world'
```

Expected response:

```
HTTP/1.1 403 Forbidden
```

Scope rules to specific routes or domain names
Blocking rules can target specific routes or domain names defined in the gateway.
Route-level configuration -- applied to routes route-a and route-b:

```yaml
block_bodys:
- "hello world"
```

Domain-level configuration -- applied to *.example.com and test.com:

```yaml
block_urls:
- "swagger.html"
block_bodys:
- "hello world"
```

The routes route-a and route-b are those specified when the gateway routes are created. If a request matches a route, only the rules configured for that route take effect. If a request matches a domain name (such as *.example.com or test.com), only the rules configured for that domain take effect. Rules are evaluated in order: once a rule matches, subsequent rules are skipped.
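The following Go program is an added example written for this page; it is not the plug-in's own code. It models the matching semantics of the three configuration examples above (substring matching on the URL, on header keys and values, and on the body, with case_sensitive, blocked_code and blocked_message honoured) together with the route-level and domain-level scoping just described. The struct and function names are assumptions, as are two details the page leaves open: a route-level configuration is tried before a domain-level one, and "*.example.com" is treated as a suffix match on ".example.com".

```go
package main

import "strings"

// BlockConfig mirrors the plug-in's fields. The YAML keys in the comments come
// from the page; the Go struct itself is an assumption of this example.
type BlockConfig struct {
	BlockURLs      []string // block_urls
	BlockHeaders   []string // block_headers
	BlockBodys     []string // block_bodys
	BlockedCode    int      // blocked_code; 0 stands for the documented default, 403
	BlockedMessage string   // blocked_message
	CaseSensitive  bool     // case_sensitive; the plug-in defaults to true, so set it explicitly
}

// DomainRule is one domain-level entry such as "*.example.com".
type DomainRule struct {
	Pattern string
	Config  BlockConfig
}

// Scoped holds route-level and domain-level configurations. Domains are kept in
// a slice so that the order in which they are tried is deterministic.
type Scoped struct {
	Routes  map[string]BlockConfig
	Domains []DomainRule
}

// Request is the minimal view of an HTTP request that the rules inspect.
type Request struct {
	Route   string            // gateway route the request matched, if any
	Host    string            // request authority, e.g. "api.example.com"
	URL     string            // path plus query string, e.g. "/Swagger.html?foo=Bar"
	Headers map[string]string // keys and values are both candidates for block_headers
	Body    string
}

// anyContains reports whether any pattern is a substring of any candidate,
// lower-casing both sides first when matching is case-insensitive.
func anyContains(candidates, patterns []string, caseSensitive bool) bool {
	norm := func(s string) string {
		if caseSensitive {
			return s
		}
		return strings.ToLower(s)
	}
	for _, c := range candidates {
		for _, p := range patterns {
			if strings.Contains(norm(c), norm(p)) {
				return true
			}
		}
	}
	return false
}

// hostMatches treats "*.example.com" as a suffix match on ".example.com"
// (assumption) and any other pattern as an exact host comparison.
func hostMatches(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:]
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return pattern == host
}

// Scope picks the single configuration that applies: the matched route's, else
// the first matching domain's. Trying routes before domains is an assumption.
func Scope(s Scoped, req Request) (BlockConfig, bool) {
	if cfg, ok := s.Routes[req.Route]; ok {
		return cfg, true
	}
	for _, d := range s.Domains {
		if hostMatches(d.Pattern, req.Host) {
			return d.Config, true
		}
	}
	return BlockConfig{}, false
}

// Evaluate checks block_urls, block_headers and block_bodys in that order and
// stops at the first match, returning the status code and body to send back.
func Evaluate(cfg BlockConfig, req Request) (blocked bool, code int, message string) {
	if code = cfg.BlockedCode; code == 0 {
		code = 403
	}
	var headerFields []string
	for k, v := range req.Headers {
		headerFields = append(headerFields, k, v)
	}
	switch {
	case anyContains([]string{req.URL}, cfg.BlockURLs, cfg.CaseSensitive),
		anyContains(headerFields, cfg.BlockHeaders, cfg.CaseSensitive),
		anyContains([]string{req.Body}, cfg.BlockBodys, cfg.CaseSensitive):
		return true, code, cfg.BlockedMessage
	}
	return false, 0, ""
}
```

A request from the page's URL example, `Request{URL: "/?foo=Bar"}`, evaluated against `BlockConfig{BlockURLs: []string{"swagger.html", "foo=bar"}, CaseSensitive: false}`, comes back blocked with code 403; the same request against a case-sensitive configuration is forwarded. For scoped evaluation, call Scope first and pass the returned configuration to Evaluate. Note that the Go zero value of CaseSensitive is false, the opposite of the plug-in's default, which is why every configuration in the example sets it explicitly.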
Limitations
Request body size limit
When block_bodys is configured:

- Bodies under 32 MB: matched normally against block_bodys rules.
- Bodies over 32 MB: not matched against block_bodys rules. If the request also does not match any block_urls or block_headers rules, it is not blocked.
- Bodies exceeding DownstreamConnectionBufferLimits: the gateway returns 413 Payload Too Large. To increase this limit, adjust DownstreamConnectionBufferLimits on the parameter configuration page.
Increasing DownstreamConnectionBufferLimits significantly increases gateway memory usage. Evaluate your memory capacity before changing this value.
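The Go program below is an added example for the body-size limits above, not code from the plug-in. It shows the three outcomes in order: a body above the connection buffer limit is answered with 413 before any rule runs, a body over 32 MB is still checked against block_urls but never against block_bodys, and smaller bodies are matched normally. The two size constants are assumptions: the page's "32 MB" is read as 32 MiB, and bufferLimit is a placeholder standing in for the gateway's DownstreamConnectionBufferLimits value. Matching is case-sensitive substring matching, the plug-in default, and 403 is the default blocked_code.

```go
package main

import (
	"bytes"
	"strings"
)

// Assumed sizes for this example. bufferLimit is a placeholder for the
// gateway's DownstreamConnectionBufferLimits setting; the real value is
// whatever is set on the parameter configuration page.
const (
	bodyMatchLimit = 32 << 20 // "32 MB" from the page, read as 32 MiB
	bufferLimit    = 64 << 20 // placeholder
)

// Rules is the subset of plug-in fields this example needs; block_headers is
// left out because the size limit treats it exactly like block_urls.
type Rules struct {
	BlockURLs  []string
	BlockBodys []string
}

func urlMatches(url string, patterns []string) bool {
	for _, p := range patterns {
		if strings.Contains(url, p) {
			return true
		}
	}
	return false
}

func bodyMatches(body []byte, patterns []string) bool {
	for _, p := range patterns {
		if bytes.Contains(body, []byte(p)) {
			return true
		}
	}
	return false
}

// Decide returns the status the gateway answers with before forwarding: 413
// when the body exceeds the buffer limit, 403 when a rule matches, and 0 when
// the request is forwarded upstream. The reason string explains the outcome.
func Decide(r Rules, url string, body []byte) (status int, reason string) {
	if len(body) > bufferLimit {
		return 413, "body exceeds DownstreamConnectionBufferLimits"
	}
	if urlMatches(url, r.BlockURLs) {
		return 403, "block_urls matched"
	}
	if len(body) > bodyMatchLimit {
		// block_bodys rules are skipped for bodies over 32 MB, so a request
		// that only a body rule would catch is forwarded.
		return 0, "body over 32 MB: block_bodys rules skipped"
	}
	if bodyMatches(body, r.BlockBodys) {
		return 403, "block_bodys matched"
	}
	return 0, "forwarded"
}

// ConstructedBody builds a test body of the given size that starts with the
// given content, so that size alone decides whether body rules run.
func ConstructedBody(size int, prefix string) []byte {
	b := make([]byte, size)
	copy(b, prefix)
	return b
}
```

With `Rules{BlockURLs: []string{"swagger.html"}, BlockBodys: []string{"hello world"}}`, a 33 MiB body beginning with "hello world" sent to "/" is forwarded, the same body sent to "/swagger.html" is blocked with 403, and a 65 MiB body is rejected with 413 regardless of URL. The practical consequence for a deployment is that block_bodys on its own is not a reliable control for large uploads; pair it with URL or header rules where the resource allows it.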