Skip to content

IP-Block-Ltd/ipblock-envoy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

⚠️ Status: untested. This extension is provided as-is and has not been tested in production. Please feel free to fork, modify, improve, and open pull requests.

Licensed under GNU GPLv3 (see LICENSE).

IP Block for Envoy (ext_authz)

An Envoy ext_authz integration: a small external authorization HTTP service (Go) that consults the ip-block.com decision API, plus the Envoy config that wires the ext_authz filter to it.

  • Tested against: Envoy 1.38.x (latest stable, 2026).
  • Mode: HTTP ext_authz (no gRPC/proto dependencies — the service is plain net/http).

Files

File Purpose
main.go The ext_authz HTTP check server.
go.mod Module (standard library only).
envoy.yaml Envoy listener + ext_authz filter + clusters.

How it works

client -> Envoy (listener :8080)
             |  ext_authz HTTP check (1s timeout)
             v
        ip-block service (:9000)  --POST /v1/check-->  api.ip-block.com
             |  200 allow / 403 block / 302 redirect
             v
   allow: proxy to app_service   |   block: Envoy returns the deny response

The service returns 200 to allow, 403 to block (or 302 with Location when IPB_BLOCK_ACTION=redirect). Envoy relays a non-2xx auth response straight to the client.

Build & run the service

cd extensions/Envoy
go build -o ip-block-authz .

IPB_SITE_ID=your-site-id \
IPB_API_KEY=your-api-key \
IPB_LISTEN=:9000 \
./ip-block-authz

(You can also run it under systemd; it is a normal long-lived HTTP server.)

Configure Envoy

Merge the ext_authz http filter and the ip_block_authz cluster from envoy.yaml into your config. Key points:

  • http_service.server_uri.timeout: 1s enforces the 1-second budget.
  • failure_mode_allow: true makes Envoy fail open if the auth service itself is unreachable (the service also fails open on ip-block.com API errors internally).
  • authorization_request.allowed_headers forwards x-forwarded-for, user-agent and referer to the checker.
  • authorization_response.allowed_client_headers lets the Location/Content-Type from a deny response reach the client (needed for redirect blocking).
  • use_remote_address: true + xff_num_trusted_hops ensure Envoy computes a correct X-Forwarded-For; the service reads the left-most entry as the client IP.

Configuration (environment variables)

Var Default Meaning
IPB_LISTEN :9000 Listen address of the check service.
IPB_ENABLED 1 Master switch (0 = always allow).
IPB_SITE_ID — (required) Site id.
IPB_API_KEY — (required) API key (JSON body).
IPB_API_URL https://api.ip-block.com/v1/check Endpoint.
IPB_FAIL_OPEN 1 Allow on error/timeout; 0 fails closed.
IPB_CACHE_TTL 300 Per-IP cache seconds (0 disables).
IPB_TIMEOUT_MS 1000 API timeout.
IPB_REAL_IP_HEADER X-Forwarded-For Header carrying the client IP.
IPB_BLOCK_ACTION 403 403 or redirect.
IPB_BLOCK_REDIRECT https://www.ip-block.com/blocked.php Redirect target.
IPB_BLOCK_MESSAGE Access denied. 403 body.
IPB_WHITELIST Comma-separated IPs never checked.

Behaviour

  • Blocks only on {"action":"block"}; otherwise allows (subject to IPB_FAIL_OPEN).
  • API errors are not cached; the next request retries. allow/block decisions are cached for IPB_CACHE_TTL.
  • Whitelisted IPs short-circuit before the cache/API.
  • GET /healthz returns 200 for readiness/liveness probes.

Notes

  • The cache is in-memory per service instance. Run one instance per Envoy (or a small pool); each keeps its own short-TTL cache.
  • For very high throughput, front the service with several replicas behind the ip_block_authz cluster and/or swap the in-memory cache for Redis.

About

IP Block protection for Envoy — ip-block.com integration. Untested at the moment; please feel free to modify. GPLv3.

Topics

Resources

License

Contributing

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages