- HTTPProxy Fundamentals
- Gateway API Support
- Ingress v1 Support
- Virtual Hosts
- Inclusion and Delegation
- TLS Termination
- Upstream TLS
- Request Routing
- External Service Routing
- Request Rewriting
- Upstream Health Checks
- Client Authorization
- TLS Delegation
- Rate Limiting
- Access logging
- Cookie Rewriting
- Overload Manager
- JWT Verification
- IP Filtering
- Annotations Reference
- Slow Start Mode
- Tracing Support
- API Reference
- Deployment Options
- Contour Configuration
- Upgrading Contour
- Enabling TLS between Envoy and Contour
- Redeploy Envoy
- Deploying Contour on AWS with NLB
- AWS Network Load Balancer TLS Termination with Contour
- Deploying HTTPS services with Contour and cert-manager
- External Authorization Support
- FIPS 140-2 in Contour
- Using Gatekeeper with Contour
- Using Gateway API with Contour
- Global Rate Limiting
- Configuring ingress to gRPC services with Contour
- Health Checking
- Creating a Contour-compatible kind cluster
- Collecting Metrics with Prometheus
- How to Configure PROXY Protocol v1/v2 Support
- Contour/Envoy Resource Limits
- Envoy Administration Access
- Contour Debug Logging
- Envoy Debug Logging
- Visualize the Contour Graph
- Show Contour xDS Resources
- Profiling Contour
- Envoy Container Stuck in Unready State
- Support Policy
- Compatibility Matrix
- Contour Deprecation Policy
- Release Process
- Frequently Asked Questions
Contour supports filtering requests based on the incoming ip address using Envoy’s RBAC Filter.
Requests can be either allowed or denied based on a CIDR range specified on the virtual host and/or individual routes.
If the request’s IP address is allowed, the request will be proxied to the appropriate upstream. If the request’s IP address is denied, an HTTP 403 (Forbidden) will be returned to the client.
Rules are specified with the
ipDenyPolicy fields on
apiVersion: projectcontour.io/v1 kind: HTTPProxy metadata: name: basic spec: virtualhost: fqdn: foo-basic.bar.com ipAllowPolicy: # traffic is allowed if it came from localhost (i.e. co-located reverse proxy) - cidr: 127.0.0.1/32 source: Peer routes: - conditions: - prefix: / services: - name: s1 port: 80 # route-level ip filters override the virtualhost-level filters ipAllowPolicy: # traffic is allowed if it came from localhost (i.e. co-located reverse proxy) - cidr: 127.0.0.1/32 source: Peer # and the request originated from an IP in this range - cidr: 18.104.22.168/16 source: Remote
Specifying CIDR Ranges
CIDR ranges may be ipv4 or ipv6. Bare IP addresses are interpreted as the CIDR range containing that one ip address only.
Allow vs Deny
Filters are specified as either allow or deny:
ipAllowPolicyonly allows requests that match the ip filters.
ipDenyPolicydenies all requests unless they match the ip filters.
Allow and deny policies cannot both be specified at the same time for a virtual host or route.
source field controls how the ip address is selected from the request for filtering.
source: Peerfilter rules will filter using Envoy’s direct_remote_ip, which is always the physical peer.
source: Remotefilter rules will filter using Envoy’s remote_ip, which may be inferred from the X-Forwarded-For header or proxy protocol.
source: Remote with
X-Forwarded-For, it may be necessary to configure Contour’s
Virtual Host and Route Filter Precedence
IP filters on the virtual host apply to all routes included in the virtual host, unless the route specifies its own rules.
Rules specified on a route override any rules defined on the virtual host, they are not additive.