APISIX Access Control Guide

Introduction

Access control in APISIX provides robust security mechanisms to protect your APIs. This guide covers IP restrictions, authentication policies, and authorization methods.

IP-based Access Control

IP Allow/Deny Lists

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/admin/*",
    "plugins": {
        "ip-restriction": {
            "whitelist": [
                "192.168.1.0/24",
                "10.20.0.0/16"
            ]
        }
    }
}'

Key Authentication

API Key Configuration

curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "consumer1",
    "plugins": {
        "key-auth": {
            "key": "auth-one"
        }
    }
}'

JWT Authentication

JWT Token Setup

The signing key and secret belong to the consumer, not the route: the gateway reads the `key` claim from the token, looks up the matching consumer and verifies the signature with that consumer's secret. The route only enables the plugin. A second consumer name is used here so the key-auth consumer above is not overwritten.

curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "jwt-consumer",
    "plugins": {
        "jwt-auth": {
            "key": "user-key",
            "secret": "my-secret-key"
        }
    }
}'

curl http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/secure/*",
    "plugins": {
        "jwt-auth": {}
    }
}'
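The check the jwt-auth plugin performs on each request, modelled as an added Python example (this is not APISIX's own Lua code): the token's `key` claim selects the consumer, that consumer's `secret` verifies the HS256 signature, and `exp` is enforced. The consumer table is constructed from the key and secret values above.

```python
import base64, hashlib, hmac, json, time

# Constructed lookup table modelling consumers created through the Admin API:
# the jwt-auth "key" identifies the consumer, the "secret" verifies its tokens.
CONSUMERS = {"user-key": {"username": "jwt-consumer", "secret": "my-secret-key"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(key: str, secret: str, ttl: int = 3600) -> str:
    """Client side: HS256 JWT carrying the 'key' claim the gateway looks up."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"key": key, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None):
    """Gateway side: parse, select consumer by 'key', verify HMAC, then check exp.
    Returns (accepted, reason_or_consumer_name)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never trust alg from the token beyond the one configured
        return False, "unsupported alg"
    consumer = CONSUMERS.get(str(claims.get("key", "")))
    if consumer is None:  # unknown key: no secret to verify with, reject before any crypto
        return False, "unknown consumer key"
    expected = hmac.new(consumer["secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, consumer["username"]
```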

Role-Based Access Control (RBAC)

RBAC Configuration

curl http://127.0.0.1:9080/apisix/admin/routes/3 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/admin/*",
    "plugins": {
        "authz-keycloak": {
            "token_endpoint": "http://127.0.0.1:8090/auth/realms/master/protocol/openid-connect/token",
            "permissions": ["admin.write", "admin.read"]
        }
    }
}'

Note: Always combine multiple security layers for robust access control.

Rate Limiting

Request Rate Control

curl http://127.0.0.1:9080/apisix/admin/routes/4 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/api/*",
    "plugins": {
        "limit-count": {
            "count": 100,
            "time_window": 60,
            "rejected_code": 429
        }
    }
}'

Best Practices

Security Recommendations

  • Implement multiple layers of security
  • Use strong authentication methods
  • Regularly audit access logs
  • Keep policies up to date
  • Monitor for suspicious activities
