Manual Chapter : Developing a whitelist or blacklist for API requests

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Developing a whitelist or blacklist for API requests

You can create a whitelist and a blacklist within an API protection profile so you need to have created a profile, and specified keys with key values to classify requests.
You can optionally add a whitelist and a blacklist to allow or block certain requests identified by specific key values defined on the Rate Limiting tab.
  1. On the Main tab, click
    Access
    API Protection
    Profile
    .
  2. Click the name of the API protection profile for which you are creating a whiltelist or a blacklist for rate limiting.
  3. On the Rate Limiting tab, in the Black/White List section, click
    Create
    .
    The Rate Limiting Properties section opens where you define the rate limiting configuration.
  4. For
    Name
    , type a name for the blacklist or whitelist.
  5. For
    Key
    , select the key to which the whitelist or blacklist applies.
  6. For
    Type
    , select the type of list:
    • Select
      Blacklist
      to specify key and key values that determine when to reject a request before it affects the quota or the spike. For example, you can identify bad actors for this key in a blacklist.
    • Select
      Whitelist
      to specify key and key values that determine when to accept a request without affecting the quota. For example, you can allow system administrators to access the API server without affecting the quota or the spike by adding them to a whitelist.
  7. For
    List Values
    , type one or more values that identify the API requests to add to the whitelist or blacklist and click
    Add
    .
  8. When you are done developing the blacklist and whitelist, at the bottom of the screen, click
    Save
    .
When you add API Rate Limiting to the policy, in the agent you have to option to enable or disable the blacklist and whitelist, and specify a response. If enabled, API requests identified by the blacklist are sent to the fallback branch and sent a response, if one is selected. API requests identified by the whitelist, if enabled, are allowed, and those requests do not affect the quota or spike arrest counts.
Next, you need to add an API Rate Limiting agent to the API protection per-request policy.