Access control lists, or ACLs, are special request matching
statements that evaluate to true if the request came from one of the
predefined IP addresses. Access control lists are defined using the
ACL section statement. Each line within it defines a single
CIDR enclosed in double quotes. A CIDR consists of a network
address (IPv4 or IPv6), optionally followed by a slash and the network
mask length, a decimal number in the range [0,32] for IPv4 and [0,64]
for IPv6. For example:

    ACL
        "127.0.0.1/8"
        "192.0.2.0/25"
    End
Such anonymous ACLs can appear anywhere a matching statement is allowed.
If an ACL is intended for use in multiple places of the configuration
file, it can be defined as a named ACL. In a named ACL
declaration, the ACL keyword is followed by a symbolic name in
double quotes. This name must uniquely identify this ACL among other
access control lists. Named ACLs are allowed only in the global
(top-level) scope of a configuration file:

    ACL "secure"
        "127.0.0.1/8"
        "192.0.2.0/25"
    End
This ACL can then be used in any Service appearing after its
definition by using the following construct:

    ACL "secure"
Consider for example the following service declaration:

    Service
        ACL "secure"
        Path -beg "/stat"
        Backend
            ...
        End
    End

This service will handle requests whose URL starts with ‘/stat’, if they came from one of the IP addresses mentioned in the access control list with the name ‘secure’. Effectively, this means that access to that URL is limited to these IP addresses.
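As an added illustration of the matching rule this section describes (example code written for this page, not part of the original manual or of the proxy itself), the following Python snippet parses one ACL ... End block in the format above and checks whether a client address falls into any of its CIDRs. It assumes that a host address written with a shorter prefix, such as "127.0.0.1/8", is treated as its enclosing network, delegates prefix validation to Python's ipaddress module, and uses a constructed sample configuration and constructed client addresses.

```python
import ipaddress
import re

# Constructed sample of a named ACL block in the style described above.
SAMPLE_CONFIG = '''
ACL "secure"
    "127.0.0.1/8"
    "192.0.2.0/25"
    "2001:db8::/32"
End
'''


def parse_acl_block(text):
    """Parse the first ACL ... End block in text into (name, [networks]).

    The name is None for an anonymous ACL. The first quoted token after
    the ACL keyword is taken as the symbolic name only when it does not
    parse as a CIDR, which mirrors the two forms shown in the section.
    Host addresses with a shorter prefix (e.g. "127.0.0.1/8") are
    normalised to their network ("127.0.0.0/8"); that normalisation is
    an assumption of this example, not something the page states.
    """
    m = re.search(r'\bACL\b(.*?)\bEnd\b', text, re.S)
    if not m:
        raise ValueError("no ACL ... End block found")
    tokens = re.findall(r'"([^"]*)"', m.group(1))
    name = None
    networks = []
    for i, tok in enumerate(tokens):
        try:
            networks.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            if i == 0:
                name = tok          # symbolic name of a named ACL
            else:
                raise ValueError(f"invalid CIDR {tok!r} in ACL") from None
    if not networks:
        raise ValueError("ACL block contains no CIDR entries")
    return name, networks


def acl_matches(networks, client_ip):
    """Return True if client_ip lies within any network of the ACL.

    Comparing an IPv6 address against an IPv4 network (or vice versa)
    is simply a non-match, so mixed-family ACLs behave as expected.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    name, nets = parse_acl_block(SAMPLE_CONFIG)
    for ip in ("127.5.6.7", "192.0.2.100", "192.0.2.200", "2001:db8:1::1"):
        verdict = "allowed" if acl_matches(nets, ip) else "denied"
        print(f"ACL {name!r}: {ip} -> {verdict}")
```

Note that "192.0.2.0/25" covers only the lower half of 192.0.2.0/24 (hosts .0 through .127), so a request from 192.0.2.200 is not matched even though it shares the /24; when reviewing an ACL, check the prefix length against the address range you actually intend to admit.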