Skip to main content

Security Rules

Introduction

You may want to restrict access for specific authentications, for example, allow a list of IP ranges only. This provides SSRF-protection for DNS resolution and IP validation before requests. Every authentication mode has common configurations of security rules to harden API securities such as:

  • IP Allow List.
  • Header validations.

IP Allow List

How it works

RelyAuth finds client IPs from request headers and validates it with the allow list in the configuration. You can also configure explicit header names if they are custom headers.

Default IP Headers list
CF-Connecting-IP
True-Client-IP
X-Real-IP
X-Forwarded-For
Make sure IP headers exist

IP headers may be discarded by the gateway, proxy. You should check the docs to know the exact headers. If you use Hasura auth webhook, you should configure the POST method and forward IP headers.

Configuration

In the authentication definition, add the allowedIPs setting in the securityRules object.

version: v1
kind: RelyAuth
definition:
  modes:
    - mode: apiKey
      # ...
      securityRules:
        allowedIPs:
          position: rightmost
          publicOnly: true
          include:
            value:
              - "192.168.0.1"
              - "192.168.1.0/24"
          exclude:
            env: EXCLUDE_IPS
  • include: list of IP ranges that are allowed to authenticate. This list are prioritized and can bypass other rules.
  • exclude: list of IP ranges that are banned from this authentication mode.
  • publicOnly: only public IPs are allowed. If it is enabled, the following IPs are blocked:
    • Private (10.x, 172.16-31.x, 192.168.x)
    • Loopback (127.x, ::1)
    • Link-local (169.254.x, fe80::) - includes AWS metadata!
    • Reserved, unspecified
    • RFC6598 Carrier-Grade NAT (100.64.0.0/10) - can point to internal networks
  • position: specify the position of the IP if the header value contains multiple IPs when the request are sent through proxies. It is an enum of the following values:
    • rightmost: (default) the last IP in the list.
    • leftmost: the first IP in the list.
    • edge: either of the leftmost or rightmost IP.

Both fields accept an array of IP string values or an environment variable. The format of environment variables are comma-separated string, for example, 192.168.0.1,192.168.0.2.

Header Validations

How it works

You can set extra rules to validate non-auth headers, such as Origin or User-Agent.

Use POST method

You should configure the POST method in the webhook mode and forward desired headers. Hasura engines ignore common headers to avoid overlapping the webhook request.

Configuration

In the authentication definition, add the headerRules setting in the securityRules object. This setting is an object with keys are header names.

version: v1
kind: RelyAuth
definition:
  modes:
    - mode: apiKey
      # ...
      securityRules:
        headerRules:
          origin:
            include:
              value:
                - localhost
                - ^https://example.com$
            exclude:
              env: EXCLUDE_ORIGINS
  • include: list of header values that are allowed to authenticate.
  • exclude: list of header values that are banned from this authentication mode.

Both fields accept an array of regular expression string values or an environment variable. The format of environment variables are comma-separated string, for example, localhost,https://example.com.