List Based Address Authorizer

An authorizer that supports white- and blacklisting direct and forwarded addresses (coming via a proxy).


  • WHITELISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses allowed direct access.
  • BLACKLISTED_DIRECT_ADDRESSES = A comma-separated list of IP addresses denied direct access.
  • WHITELISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses allowed access as a forwarded address.
  • BLACKLISTED_FORWARDED_ADDRESSES = A comma-separated list of IP addresses denied access as a forwarded address.
  • MAX_FORWARDED_ADDRESSES = Number of IP addresses to inspect in the list of forwarded addresses. (Default: 1).

It is not possible to specify both a white list and a black list at the same time for each of direct and forwarded addresses. One of each list (direct and forwarded) must be specified. When specifying a whitelist for forwarded addresses, requests without an X-Forwarded-For header will always be denied. When there are multiple addresses in the X-Forwarded-For header (in the case of using multiple proxies) the number of addresses specified in MAX_FORWARDED_ADDRESSES counting from the end of the list (or the entire list if it is shorter than this) is considered for white- and blacklisting. If specified, MAX_FORWARDED_ADDRESSES must have a value >= 1. It is not allowed to set it 0 to disable checking forwarded addresses. RemoteAddressAuthorizer should be used in this case.


1. To accept requests from all direct addresses except for and for all forwarded addresses except and use:


2. To only accept direct requests from and and from the forwarded address use:


3. To only allow direct access from the proxy servers and but allow them to forward from all address except the to banned addresses and use:


4. To accept direct requests from all addresses except but only forwarded from use:


5. To accept direct request from a proxy server allowing forwarding from another proxy in turn proxying the request from the client with address use:


6. To blacklist a set of IP addresses, set the MAX_FORWARDED_ADDRESSES value to a value gauranteed to be larger than the number of proxies you have control over, like in the following example:


Logging: This authorizer will add the remote IP address to the log field AUTHORIZED_ADDRESS and the proxied address (if it's available in the request) in the log field AUTHORIZED_FORWARDED_ADDRESS.