IP filtering
The [security.ip_filter] block controls which client IPs may connect, using IPv4/IPv6 CIDR ranges. Dynamic — changes apply on reload without restarting the process.
There is no GeoIP or ASN filtering in the proxy itself.
disabled: no IP-based blocking (default in many examples).allowlist: only listed networks can reach the proxy. An empty allowlist denies all traffic.denylist: listed networks are blocked. An empty denylist allows all traffic.
Disabled (default in many examples)
Section titled “Disabled (default in many examples)”security: ip_filter: mode: "disabled"[security.ip_filter]mode = "disabled"Allowlist (only these networks can reach the proxy)
Section titled “Allowlist (only these networks can reach the proxy)”security: ip_filter: mode: "allowlist" allowlist: - "127.0.0.1/32" - "::1/128" - "10.0.0.0/8"[security.ip_filter]mode = "allowlist"allowlist = [ "127.0.0.1/32", "::1/128", "10.0.0.0/8",]Denylist (block specific ranges)
Section titled “Denylist (block specific ranges)”security: ip_filter: mode: "denylist" denylist: - "198.51.100.0/24"[security.ip_filter]mode = "denylist"denylist = ["198.51.100.0/24"]Related
Section titled “Related”- Security: connection limits, security headers, trusted forwarding
- Rate limiting:
[security.rate_limit] - Configuration overview