Allows you to restrict HTTP/HTTPS access by IP address, CIDR range, and User-Agent string.
You can also apply bandwidth limits per rule.
- IP/CIDR filtering - Allow or deny access from specific IP addresses or network ranges
- User-Agent filtering - Match requests based on User-Agent string patterns (regex)
- Bandwidth limiting - Throttle download speeds for specific clients
- Separate HTTP/HTTPS control - Apply rules independently to HTTP and HTTPS connections
- Priority-based evaluation - Rules are evaluated in priority order (highest first)
- Default allow - If no rules are defined, all access is permitted
¶ Rule Evaluation
- When a request arrives, the system loads all enabled rules sorted by priority (highest first)
- Each rule is evaluated against the request's IP address and User-Agent
- The first matching rule determines the action:
- allow - Request proceeds normally
- deny - Request is rejected with 403 Forbidden
- limit - Request proceeds with bandwidth throttling
- If no rules match, the request is allowed (default open policy)
¶ Matching Logic
A rule matches a request when ALL of its conditions are met:
- If
ip_addressis set, the client IP must match (exact IP or within CIDR range) - If
user_agent_matchis set, the User-Agent header must match the regex pattern - The rule must apply to the connection type (HTTP or HTTPS)
- The rule must be enabled
¶ Web Console
Access the security rules management page at /security in the web console.
The interface allows you to:
- View all security rules in a table
- Create new rules with a form
- Edit existing rules
- Delete rules
- View statistics (total, active, deny, allow, limit rules)
- Reload rules from database
¶ RESTAPI
All APIs require authentication and admin privileges.GET /api/console/security/rules
List all rules
Response:
{ "status": "success", "rules": [ { "id": 1, "name": "Block bad bots", "type": "deny", "priority": 100, "enabled": true, "ip_address": "", "user_agent_match": ".*(BadBot|Scraper).*", "bandwidth_limit": 0, "apply_to_http": true, "apply_to_https": true, "description": "Block known bad bots" } ]}
POST /api/console/security/rules/create
Create Rule
Content-Type: application/json{ "name": "Limit external access", "type": "limit", "priority": 50, "enabled": true, "ip_address": "0.0.0.0/0", "user_agent_match": "", "bandwidth_limit": 1048576, "apply_to_http": true, "apply_to_https": true, "description": "Limit all external access to 1 MB/s"}
Response:{ "status": "success", "id": 2}
POST /api/console/security/rules/update
Update RuleContent-Type: application/json{ "id": 2, "name": "Limit external access", "type": "limit", "priority": 50, "enabled": true, "ip_address": "0.0.0.0/0", "bandwidth_limit": 524288, "apply_to_http": true, "apply_to_https": true}
POST /api/console/security/rules/delete
Delete Rule
Content-Type: application/json{ "id": 2}
GET /api/console/security/stats
Get Statistics
Response:
{ "total": 5, "active": 4, "deny": 2, "allow": 1, "limit": 1}
POST /api/console/security/reload
Reload Rules - Force reload rules from database (useful after manual database changes)