I want to limit access so that only some addresses are allowed to access my RESTful API. I am using Symfony and the Nelmio CORS bundle.
This is my config from the documentation:

    nelmio_cors:
        defaults:
            allow_credentials: false
            allow_origin: []
            allow_headers: []
            allow_methods: []
            expose_headers: []
            max_age: 0
            hosts: []
            origin_regex: false
            forced_allow_origin_value: ~
        paths:
            '^/api':
                allow_origin: ['192.0.74.122']
                allow_headers: ['X-Custom-Auth']
                allow_methods: ['POST', 'PUT', 'DELETE']
                max_age: 3600
            '^/':
                origin_regex: true
                allow_origin: ['^http://localhost:[0-9]+']
                allow_headers: ['X-Custom-Auth']
                allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
                max_age: 3600
                hosts: ['^api\.']

I want only 192.0.74.122 to be allowed to access ^/api and ^/api/*, but when I test in the browser, Postman and a jQuery AJAX call, it can still be accessed from localhost or 127.0.0.1.
Please help me: how do I block other addresses besides the allowed addresses?

The Nelmio CORS bundle is about setting CORS headers, not about blocking or restricting access to specific routes.
Use access_control entries in your security.yml for that. Example (not tested):

    # config/security.yml
    security:
        # ...
        access_control:
            - { path: ^/api, role: IS_AUTHENTICATED_ANONYMOUSLY, ip: 192.0.74.122 }
            - { path: ^/api, role: ROLE_NO_ACCESS }

You can set multiple IPs or even ranges. See the official cookbook page for a detailed explanation.
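
The difference between the two mechanisms, as an added example that is not part of the original answer and is not Symfony's or the bundle's code: a simplified Python model of first-match access_control evaluation next to CORS header handling. The rule list, the CORS origin value, the function names and the 403 status returned for a denied anonymous request are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed rules mirroring the two access_control entries in the answer.
ACCESS_CONTROL = [
    {"path": r"^/api", "role": "IS_AUTHENTICATED_ANONYMOUSLY", "ips": ["192.0.74.122"]},
    {"path": r"^/api", "role": "ROLE_NO_ACCESS"},
]
# Constructed CORS policy; an Origin header has the form scheme://host[:port].
CORS_ALLOW_ORIGIN = ["http://192.0.74.122"]


def ip_matches(client_ip, allowed):
    """True if client_ip equals an entry or falls inside a CIDR range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def match_rule(path, client_ip, rules):
    """Return the first rule whose path and (optional) IP list both match."""
    for rule in rules:
        if not re.search(rule["path"], path):
            continue
        if "ips" in rule and not ip_matches(client_ip, rule["ips"]):
            continue  # IP mismatch: fall through to the next rule
        return rule
    return None


def handle(path, client_ip, origin=None, rules=ACCESS_CONTROL):
    """Return (status, headers) for an anonymous request (simplified model)."""
    headers = {}
    # CORS only decorates the response; it never rejects the request itself.
    if origin in CORS_ALLOW_ORIGIN:
        headers["Access-Control-Allow-Origin"] = origin
    rule = match_rule(path, client_ip, rules)
    # An anonymous client holds only IS_AUTHENTICATED_ANONYMOUSLY.
    if rule is not None and rule["role"] != "IS_AUTHENTICATED_ANONYMOUSLY":
        return 403, headers
    return 200, headers


if __name__ == "__main__":
    # Constructed requests: allowed host, a browser on localhost, a client with no Origin.
    for ip, origin in [("192.0.74.122", "http://192.0.74.122"),
                       ("127.0.0.1", "http://localhost:8080"), ("127.0.0.1", None)]:
        print(ip, origin, handle("/api/items", ip, origin))
```

Passing `rules=[]` reproduces the situation in the question: with only the CORS policy in place, the request from 127.0.0.1 is still served.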