SecurityOptions IPAllowedList not blocking IPs outside list (Whitelist not enforced) ocelot version (23.4.2) & .Net version 8 #88

@Nikhil-nama

Hello Ocelot team / community,

I am using Ocelot version [insert version] (.NET [insert version]) and trying to implement a whitelist behavior using SecurityOptions. My ocelot.json (route-specific) config for a route looks like:

"SecurityOptions": {
  "IPBlockedList": [ "172.16.40.240", "::/0" ],
  "IPAllowedList": [ "192.168.0.15", "172.16.40.248", "127.0.0.1", "::1" ],
  "ExcludeAllowedFromBlocked": true
}


What I expect:

Only the IPs in IPAllowedList should be allowed.

All other IPs (including 172.16.40.240, and any other external IP) should be blocked.

What I observe:

Any IP is getting through (requests from IPs not in IPAllowedList succeed).

Even though IPBlockedList includes ::/0 which should block all IPv6 addresses not explicitly allowed, this is not working.

So behavior is not matching whitelist.
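
The allow-list-only policy the report expects can be written down as a small reference model and compared with what the gateway actually returns for each client address. This is an added example, not Ocelot's code and not part of the original post; the precedence given to `ExcludeAllowedFromBlocked`, the unwrapping of IPv4-mapped IPv6 addresses, and the sample client addresses are assumptions of this model.

```python
import ipaddress

# Route-level SecurityOptions copied from the issue above.
SECURITY_OPTIONS = {
    "IPBlockedList": ["172.16.40.240", "::/0"],
    "IPAllowedList": ["192.168.0.15", "172.16.40.248", "127.0.0.1", "::1"],
    "ExcludeAllowedFromBlocked": True,
}

def normalize(addr):
    """Parse addr; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.
    Assumption of this model, for dual-stack listeners."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def matches(ip, entries):
    """True if ip is inside any entry (single address or CIDR range)."""
    nets = (ipaddress.ip_network(e, strict=False) for e in entries)
    return any(ip.version == n.version and ip in n for n in nets)

def expected_decision(client, options=SECURITY_OPTIONS):
    """Return (decision, reason) under the allow-list-only policy the
    reporter expects. Assumed precedence: an allowed address overrides a
    blocked range only when ExcludeAllowedFromBlocked is true."""
    ip = normalize(client)
    allowed = matches(ip, options.get("IPAllowedList", []))
    blocked = matches(ip, options.get("IPBlockedList", []))
    if blocked and not (allowed and options.get("ExcludeAllowedFromBlocked")):
        return ("block", "block-listed")
    if not allowed:
        return ("block", "not allow-listed")
    return ("allow", "allow-listed")

# Constructed sample clients, not taken from the issue's traffic.
SAMPLE_CLIENTS = ["192.168.0.15", "::1", "172.16.40.240", "10.0.0.5",
                  "2001:db8::1", "::ffff:172.16.40.248"]

def audit(clients=SAMPLE_CLIENTS):
    """Map each client address to its expected decision."""
    return {c: expected_decision(c) for c in clients}

if __name__ == "__main__":
    for client, (decision, reason) in audit().items():
        print(f"{client:24} {decision:6} {reason}")
```

In this model `10.0.0.5` is rejected only by the allow-list step: `::/0` is an IPv6 range and never matches an IPv4 client, so the blocked list alone does not cover IPv4 addresses outside `IPAllowedList`.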
