Access Policies

Restrict access by IP ranges and GeoIP.


Access policies restrict inbound connections before authentication and before requests reach upstream services. Policies are configured on a tunnel and enforced by the engine.

The current policy model supports trusted IP restrictions and GeoIP country restrictions. Policies apply to public tunnels and are evaluated early in the forwarding path.

Trusted IPs

Trusted IP policies define which client IP addresses are allowed to connect. Entries accept single IP values and CIDR ranges. Values are normalized and deduplicated by the engine.

On HTTP tunnels, denied connections return 403 Forbidden. On stream-based forwarding paths, denied connections are closed.

GeoIP restrictions

GeoIP policies restrict access by country code derived from the client IP address. Entries are ISO 3166-1 alpha-2 country codes and are normalized to uppercase.

GeoIP checks are evaluated after trusted IP checks.
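
The normalization and check order described above, as an added sketch that is not the engine's own code. The function names, the sample GeoIP table, and the treatment of an empty list or an unknown country are assumptions made for illustration.

```python
import ipaddress

def normalize_trusted_ips(entries):
    """Parse single IPs and CIDR ranges into canonical networks, dropping duplicates."""
    seen, out = set(), []
    for raw in entries:
        # strict=False masks host bits, so "10.0.0.5/24" becomes 10.0.0.0/24;
        # a bare address becomes a /32 (or /128) network.
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net not in seen:
            seen.add(net)
            out.append(net)
    return out

def normalize_countries(entries):
    """Uppercase alpha-2 codes and drop duplicates; reject anything not two ASCII letters."""
    out = []
    for raw in entries:
        code = raw.strip().upper()
        if len(code) != 2 or not code.isascii() or not code.isalpha():
            raise ValueError(f"not an alpha-2 country code: {raw!r}")
        if code not in out:
            out.append(code)
    return out

def evaluate(client_ip, trusted_ips, countries, country_of):
    """Return (allowed, reason). The trusted IP check runs first, GeoIP second."""
    addr = ipaddress.ip_address(client_ip)
    nets = normalize_trusted_ips(trusted_ips)
    # Assumption: an empty list means that restriction is not configured.
    if nets and not any(addr in net for net in nets):
        return False, "trusted_ip"
    codes = normalize_countries(countries)
    # Assumption: an address with no known country fails a configured GeoIP policy.
    if codes and country_of(addr) not in codes:
        return False, "geoip"
    return True, "allowed"

# Constructed sample data: documentation ranges mapped to countries by hand.
SAMPLE_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

def sample_country_of(addr):
    """Hypothetical stand-in for a real GeoIP database lookup."""
    return next((c for net, c in SAMPLE_GEO.items() if addr in net), None)
```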