RestRictor (optional)

The module blocks access to REST API endpoints that require authentication. Only IP addresses on the allow list are granted access.

The module supports IPv4 and IPv6.

Installation

This module is optional.

composer require "creativestyle/magesuite-rest-rictor" ^1.0.0

Admin settings

The module is activated by default and blocks all requests from addresses that are not on the allow list, even when the allow list is empty.

Configuration can be found in two places:

Stores -> Configuration -> Services -> Magento Web API -> Web API Security

System -> Extensions -> Integrations -> {Select Integration} -> {Change Tab} IP Restriction

 

The PHP function fnmatch is used for IP matching, so * can be used to define groups of addresses.
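
The following added example (not part of the module's code) shows how glob matching on address strings differs from network-range matching when reviewing an allow list. It assumes each entry is passed to fnmatch() without flags and compared with the client address as a string; the function names, patterns and addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Assumption: each allow-list entry is
// passed to fnmatch() without flags and compared with the client IP as a string.

/** Returns the patterns that admit $ip under glob matching. */
function matchingPatterns(string $ip, array $patterns): array
{
    return array_values(array_filter($patterns, fn (string $p): bool => fnmatch($p, $ip)));
}

/** Returns review warnings for one allow-list entry. */
function auditPattern(string $pattern): array
{
    $warnings = [];
    if ($pattern === '*') {
        $warnings[] = 'matches every address';
    }
    if (strpos($pattern, '/') !== false) {
        $warnings[] = 'CIDR is not understood by fnmatch; "/" is a literal character';
    }
    if (preg_match('/[^.:]\*|\*[^.:]/', $pattern)) {
        $warnings[] = 'wildcard is not on an octet/group boundary, so it matches partial octets/groups';
    }
    if (preg_match('/[?\[]/', $pattern)) {
        $warnings[] = '"?" and "[...]" are glob metacharacters as well';
    }
    return $warnings;
}

// Constructed sample data (private and documentation address ranges).
$patterns = ['10.1*', '10.1.*', '192.168.0.0/24', '2001:db8:*'];
$clients  = ['10.1.2.3', '10.10.0.5', '192.168.0.15', '2001:db8::1',
             '2001:0db8:0000:0000:0000:0000:0000:0001'];

foreach ($patterns as $pattern) {
    foreach (auditPattern($pattern) as $warning) {
        echo "pattern $pattern: $warning\n";
    }
}
foreach ($clients as $ip) {
    $hits = matchingPatterns($ip, $patterns);
    echo $ip, ' => ', $hits ? 'ALLOW via ' . implode(', ', $hits) : 'deny', "\n";
}
```

In this run `10.1*` also admits 10.10.0.5, the CIDR entry admits nothing, and the expanded spelling of 2001:db8::1 is denied because the comparison is textual.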

Bypass Headers

IP restriction can be bypassed by defining bypass headers in the configuration and sending them with the API request. The header name and value can be defined as wildcard patterns, using the same matching rules as the fnmatch function.

Backend

The module implements a plugin for the \Magento\Webapi\Controller\Rest\RequestValidator class.

Frontend

There are no frontend functionalities in the module.