http
An HTTP clients list specifies which external systems (web applications, API
gateways, automation tools, integration services) are permitted to send
HTTP/REST-style requests to a server (for example, a management or
authentication HTTP endpoint). Any request originating from an IP address that
does not match a configured client entry in a referenced list is silently
discarded or rejected (depending on server layer logic), providing a first
layer of network access control.
Syntax
clients {
    http "API_CLIENTS" {
        client "internal-app" {
            source {
                ip 192.168.50.0/24;
                ip 2001:db8:1234:50::/64;
            }
            timeout 30;
            pre-policy {
                # Optional: tag request, early validation, rate hints
            }
            post-policy {
                # Optional: auditing or response enrichment
            }
        }
        client "batch-jobs" {
            source { ip 10.20.5.10; }
            secret "NotUsedHere"; # (If future auth extensions require)
        }
    }
}
Elements
| Element / Block | Required | Description |
|---|---|---|
| http "LIST_NAME" { ... } | Yes (≥1 if you need HTTP client filtering) | Declares a list grouping HTTP clients |
| client "NAME" { ... } | Yes | A single logical client (single host or group alias) |
| source { ip …; } | Yes | One or more IPv4/IPv6 addresses or CIDR ranges |
| timeout <seconds>; | No | Override request handling timeout for this client |
| pre-policy { … } | No | Executed before main request / AAA pipeline |
| post-policy { … } | No | Executed after pipeline finishes |
| statistics { … } | No (if supported) | Per-client statistics configuration |
Source Block
Multiple ip statements may appear:
source {
    ip 192.168.50.12;
    ip 192.168.51.0/24;
    ip 2001:db8:1234:51::/64;
}
Order is irrelevant; matching stops once any entry matches.
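Added example (not the product's own code): Python that reads `source` blocks in the syntax shown on this page, reports which client a given peer address would match, and lists entries broader than a review threshold so an over-wide allow range is caught before deployment. The sample config, the function names, the /16 and /48 thresholds, and the handling of IPv4-mapped IPv6 peers are assumptions of this example; the page does not say how the server treats such peers.

```python
import ipaddress
import re

# Constructed sample in the page's syntax; not a real deployment.
SAMPLE = """
clients {
  http "API_CLIENTS" {
    client "internal-app" {
      source {
        ip 192.168.50.0/24;
        ip 2001:db8:1234:50::/64;
      }
      timeout 30;
    }
    client "batch-jobs" {
      source { ip 10.20.5.10; }
    }
  }
}
"""

CLIENT_RE = re.compile(r'\bclient\s+"([^"]+)"\s*\{')
IP_RE = re.compile(r'\bip\s+([0-9A-Fa-f:./]+)\s*;')

def parse_clients(text):
    """Map each client name to the networks listed in its source block."""
    text = re.sub(r'#.*', '', text)  # drop comments so they cannot add entries
    parts = CLIENT_RE.split(text)    # [preamble, name1, body1, name2, body2, ...]
    # strict=True raises on entries with host bits set, e.g. 10.20.5.10/24
    return {name: [ipaddress.ip_network(ip, strict=True) for ip in IP_RE.findall(body)]
            for name, body in zip(parts[1::2], parts[2::2])}

def match_client(clients, src):
    """Return the matching client name, or None (request is not admitted)."""
    addr = ipaddress.ip_address(src)
    # Assumption: an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) is compared as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for name, nets in clients.items():
        if any(addr.version == n.version and addr in n for n in nets):
            return name  # one matching entry is enough; entry order is irrelevant
    return None

def wide_entries(clients, min_v4=16, min_v6=48):
    """List (client, network) pairs broader than the review thresholds."""
    limit = {4: min_v4, 6: min_v6}
    return [(name, str(n)) for name, nets in clients.items()
            for n in nets if n.prefixlen < limit[n.version]]
```
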
Timeout
If set, applies a per-request upper bound (seconds) for operations associated with that client. Use it only if a subset of clients is known to require different SLA handling. Otherwise, rely on global defaults.