Manual Chapter :
Developing a whitelist or blacklist for API requests
Applies To:
Show VersionsBIG-IP APM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Developing a whitelist or blacklist for API requests
You can create a whitelist and a blacklist
within an API protection profile so you need to have created a profile, and specified
keys with key values to classify requests.
You can optionally add a whitelist and a
blacklist to allow or block certain requests identified by specific key values defined
on the Rate Limiting tab.
- On the Main tab, click.
- Click the name of the API protection profile for which you are creating a whiltelist or a blacklist for rate limiting.
- On the Rate Limiting tab, in the Black/White List section, clickCreate.The Rate Limiting Properties section opens where you define the rate limiting configuration.
- ForName, type a name for the blacklist or whitelist.
- ForKey, select the key to which the whitelist or blacklist applies.
- ForType, select the type of list:
- SelectBlacklistto specify key and key values that determine when to reject a request before it affects the quota or the spike. For example, you can identify bad actors for this key in a blacklist.
- SelectWhitelistto specify key and key values that determine when to accept a request without affecting the quota. For example, you can allow system administrators to access the API server without affecting the quota or the spike by adding them to a whitelist.
- ForList Values, type one or more values that identify the API requests to add to the whitelist or blacklist and clickAdd.
- When you are done developing the blacklist and whitelist, at the bottom of the screen, clickSave.
When you add API Rate Limiting to the policy,
in the agent you have to option to enable or disable the blacklist and whitelist, and
specify a response. If enabled, API requests identified by the blacklist are sent to the
fallback branch and sent a response, if one is selected. API requests identified by the
whitelist, if enabled, are allowed, and those requests do not affect the quota or spike
arrest counts.
Next, you need to add an API Rate Limiting
agent to the API protection per-request policy.