apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

help request: ip-restriction doesn't work #10657

Open tian67890 opened 10 months ago

tian67890 commented 10 months ago

Description

APISIX version 3.3: the plugin ip-restriction is set up in config.yaml, but our whitelist configured in the route doesn't work.

Environment

juzhiyuan commented 10 months ago

Hi @tian67890, please paste your complete configurations and detailed steps to reproduce your case. This will be easier for us to know what happened exactly.

tian67890 commented 10 months ago

@juzhiyuan the complete JSON is as follows:

{
  "uri": "/*",
  "name": "kuboard",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE",
    "PURGE"
  ],
  "host": "kuboard.xxx.com",
  "plugins": {
    "ip-restriction": {
      "disable": false,
      "whitelist": [
        "61.148.62.179",
        "172.0.0.0/8",
        "127.0.0.1"
      ]
    }
  },
  "upstream": {
    "nodes": [
      {
        "host": "172.30.160.7",
        "port": 80,
        "weight": 1
      }
    ],
    "timeout": {
      "connect": 60,
      "send": 60,
      "read": 60
    },
    "type": "roundrobin",
    "scheme": "http",
    "pass_host": "pass",
    "keepalive_pool": {
      "idle_timeout": 60,
      "requests": 1000,
      "size": 320
    }
  },
  "enable_websocket": true,
  "status": 1
}

tian67890 commented 10 months ago

APISIX runs in a container of the k8s cluster; the plugins section of the configuration is like this:

plugin_attr:
  log-rotate:
    interval: 3600    # rotate interval (unit: second)
    max_kept: 168     # max number of log files will be kept
    max_size: -1      # max size of log files will be kept
    enable_compression: false    # enable log file compression(gzip) or not, default false      
plugins:    # plugin list
  - api-breaker
  - authz-keycloak
  - basic-auth
  - batch-requests
  - consumer-restriction
  - cors
  - echo
  - fault-injection
  - file-logger
  - grpc-transcode
  - hmac-auth
  - http-logger
  - ua-restriction
  - jwt-auth
  - kafka-logger
  - key-auth
  - limit-conn
  - limit-count
  - limit-req
  - node-status
  - openid-connect
  - authz-casdoor
  - authz-casdoor-user
  - authz-casbin
  - prometheus
  - proxy-cache
  - proxy-mirror
  - proxy-rewrite
  - redirect
  - referer-restriction
  - request-id
  - request-validation
  - response-rewrite
  - serverless-post-function
  - serverless-pre-function
  - sls-logger
  - syslog
  - tcp-logger
  - udp-logger
  - uri-blocker
  - wolf-rbac
  - zipkin
  - traffic-split
  - gzip
  - real-ip
  - ext-plugin-pre-req
  - ext-plugin-post-req
  - log-rotate
stream_plugins:
  - mqtt-proxy
  - limit-conn
  - ip-restriction

tian67890 commented 10 months ago

How do I resolve it? The APISIX log shows the plugin ip-restriction has been loaded normally. Is there some configuration or steps missing?

sheharyaar commented 10 months ago

@shreemaan-abhishek, I would like to take this up.

sheharyaar commented 9 months ago

Hi @tian67890, I tried to reproduce your issue with version 3.7. I was unable to reproduce the issue; the plugin seemed to work fine. Can you please share your access and error logs? Also please mention the request (the request IP and the headers) and the response code you are getting, and other helpful information, if available.

sheharyaar commented 9 months ago

@tian67890, any updates?

Vacant2333 commented 9 months ago

@sheharyaar I think you can try this on APISIX 3.3?

deuspt commented 9 months ago

@tian67890 you might want to check that you have ip-restriction in the plugins list (not stream_plugins). Also if you're behind a proxy/lb you might need to map the real client IPs that should be validated with the whitelist.
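
The two checks suggested in the last comment, as an added example that is not part of the thread or of the APISIX code base: it flags route plugins that are missing from the HTTP `plugins` list, and compares the whitelist decision for the real client IP with the decision for the address the gateway sees when a proxy or load balancer sits in front of it. The function names and the two test addresses are assumptions made for this example; the plugin lists and whitelist are the values posted above.

```python
import ipaddress

# Values copied from the config.yaml and route posted in this thread
# (the HTTP plugin list is abbreviated to a few of its entries).
HTTP_PLUGINS = ["api-breaker", "ua-restriction", "referer-restriction", "real-ip"]
STREAM_PLUGINS = ["mqtt-proxy", "limit-conn", "ip-restriction"]
ROUTE_PLUGINS = {
    "ip-restriction": {"whitelist": ["61.148.62.179", "172.0.0.0/8", "127.0.0.1"]}
}


def plugins_missing_from_http_list(route_plugins, http_plugins, stream_plugins):
    """Return {plugin: where_found} for route plugins absent from `plugins`."""
    findings = {}
    for name in route_plugins:
        if name not in http_plugins:
            where = "stream_plugins only" if name in stream_plugins else "not listed"
            findings[name] = where
    return findings


def whitelist_allows(whitelist, addr):
    """True if addr matches any whitelist entry (single IP or CIDR range)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def evaluate(whitelist, client_ip, peer_ip):
    """Decision for the real client vs. the peer address the gateway sees."""
    return {
        "by_client_ip": whitelist_allows(whitelist, client_ip),
        "by_peer_ip": whitelist_allows(whitelist, peer_ip),
    }


if __name__ == "__main__":
    print(plugins_missing_from_http_list(ROUTE_PLUGINS, HTTP_PLUGINS, STREAM_PLUGINS))
    wl = ROUTE_PLUGINS["ip-restriction"]["whitelist"]
    # Constructed addresses: 203.0.113.7 is a client outside the whitelist,
    # 172.30.0.1 stands in for a load balancer address inside the cluster.
    print(evaluate(wl, "203.0.113.7", "172.30.0.1"))
```

If the two decisions differ, the whitelist is being matched against the proxy address rather than the client, which is the case where the client IP has to be mapped before ip-restriction evaluates it.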