
Can I whitelist IP addresses for my admin routes and deny everyone else access?

It may be helpful to block access to your admin routes except for certain users. You can achieve this using Varnish and a list of IP addresses to whitelist.

First, define an ACL (access control list) like the following in your default.vcl file:

acl whitelist {
    # Add as many IPs as you need here (the entry below is a placeholder, replace it with your own)
    "192.0.2.10";
}

For the next section, you need to have the std VMOD enabled:

import std; # see https://www.varnish-cache.org/docs/5.1/reference/vmod_std.generated.html

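Next, add some logic to the vcl_recv block to handle requests to the admin routes. Since Varnish is in the reverse proxy chain, the client.ip variable holds the address of the proxy that connected to Varnish, not the actual client's IP address, so we need to use the True-Client-IP header instead. The header can only be trusted if the proxy in front of Varnish sets it itself and overwrites any value supplied in the incoming request: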

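if (req.url ~ "(some_admin_url_here)" && !(std.ip(req.http.True-Client-IP, "0.0.0.0") ~ whitelist)) {
    # "0.0.0.0" is the fallback used when the header is missing or unparsable; never whitelist it
    return (synth(403, "Access denied"));
}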

Now any end user requesting your admin URL will be denied access unless their IP address is listed in the whitelist ACL.
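
A stricter variant, as an added example that is not part of the original page: it honors True-Client-IP only when the connection itself comes from a known upstream proxy, and otherwise checks client.ip directly. The trusted_proxies ACL, the backend definition, the ^/admin pattern and all addresses (documentation ranges) are assumptions to replace with your own values.

```vcl
vcl 4.0;

import std;

# Placeholder backend; point this at your application server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Proxies/CDN edges that are allowed to tell us the client address.
# Placeholder address from a documentation range.
acl trusted_proxies {
    "203.0.113.5";
}

# Client addresses allowed to reach the admin routes (placeholders).
acl whitelist {
    "192.0.2.10";
    "198.51.100.0"/24;
}

sub vcl_recv {
    # Assumed admin path; use the pattern that matches your admin routes.
    if (req.url ~ "^/admin") {
        if (client.ip ~ trusted_proxies) {
            # The request came through a proxy we control, so the header
            # was set by that proxy. A missing or unparsable header falls
            # back to 0.0.0.0, which is not in the whitelist.
            if (!(std.ip(req.http.True-Client-IP, "0.0.0.0") ~ whitelist)) {
                return (synth(403, "Access denied"));
            }
        } else if (!(client.ip ~ whitelist)) {
            # Direct connection: ignore the header and judge the peer
            # address of the connection itself.
            return (synth(403, "Access denied"));
        }
    }
}
```

Running `varnishd -C -f default.vcl` compiles the file without starting the cache, which catches syntax errors before a reload.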