Configure client lists
Reduce harmful security attacks by allowing only trusted IP/CIDRs, locations, autonomous system numbers, and TLS fingerprints to access your services and content.
What you'll do
Create and activate a client list to use with other Akamai services.
1. Create a client list
Each client list is of a certain type. To create a client list, choose a list type and add entries of that type using the items
blocks.
Type | Description | Entry limit |
---|---|---|
IP | IPv4 and/or IPv6 addresses. | 10,000 |
GEO | Request's country of origin. | 275 |
ASN | Autonomous system numbers with a decimal value between 0 and 4294967295 . | 100 |
FILE_HASH | SHA-256 file hashes | 100 |
TLS_FINGERPRINT | Signals from data shared during the initial handshake between an HTTPS client and your server. | 100 |
Optionally, you can create and add up to five tags to help filter and sort searches against your list. Tag strings can use any character except a comma or semicolon and are limited to 256 characters. Use the tags within your items entries.
Configure your client list using the akamai_clientlist_list resource.
resource "akamai_clientlist_list" "my_client_list" {
name = "my_client_list"
type = "ASN"
notes = "Client list creation"
tags = ["tag1", "tag2", "tag3"]
contract_id = "12345"
group_id = 12345
items {
value = "1"
description = "Item one"
tags = ["tag1", "tag2"]
expiration_date = "2023-09-06T15:58:39.225+00:00"
}
items {
value = "2"
description = "Item two"
tags = ["tag2", "tag3"]
expiration_date = ""
}
items {
value = "3"
description = "Item three"
tags = ["tag1"]
expiration_date = ""
}
}
There's no standard output for this resource, but returned in the last line of the apply log is the client list ID.
2. Activate your client list
Use your client list ID to activate your client list on either the STAGING
or PRODUCTION
network.
resource "akamai_clientlist_activation" "my_activation" {
list_id = "123456_MYCLIENTLIST"
version = 1
network = "STAGING"
comments = "My activation comments"
notification_recipients = ["jsmith@example.com"]
}
3. Use your client list
To add your client list to your security configuration, include your client list's name or ID in one of these services as an allowlist or blocklist.
All of the changes here require a new version and reactivation of your AppSec configuration.
IP/GEO firewall
Use the respective client list ID in the geo_network_lists
, ip_network_lists
, and/or exception_ip_network_lists
arguments of the IP/GEO resource.
resource "akamai_appsec_ip_geo" "my_ip_geo_lists" {
config_id = 12345
security_policy_id = "12345"
mode = "block"
geo_network_lists = ["12345_GEO_LIST"]
ip_network_lists = ["12345_IP_LIST"]
exception_ip_network_lists = ["98765_EXCEPTION_LIST"]
}
Match Targets
-
Place a
bypassNetworkLists
object in yourmatch_targets.json
file with the name and ID of your client list.{ "bypassNetworkLists": { "id": "12345_MYCLIENTLIST", "name": "my_client_list" } }
-
Point the value of
match_target
to your updated JSON file.Uses the match target resource.
resource "akamai_appsec_match_target" "my_match_target" { config_id = 12345 match_target = file("${path.module}/match_targets.json") }
Pragma Headers
-
In an
excludeCondition
array, add your your client list's ID in thevalue
property of yourpragma_header.json
file.{ "excludeCondition": [ { "positiveMatch": true, "type": "networkList", "useHeaders": false, "value": [ "12345_MYCLIENTLIST" ] } ] }
excludeCondition: positiveMatch: The match condition for a policy's trigger. True or false. type: The condition's category. Client lists uses networkList. useHeaders: Whether the condition should include the X-Forwarded-For header. value: A list of match items. Use your client list's ID.
-
Point the value of
pragma_header
to your updated JSON file.Uses the pragma header resource.
resource "akamai_appsec_advanced_settings_pragma_header" "my_pragma_header" { config_id = 12345 security_policy_id = "gms1_12345" pragma_header = file("${path.module}/pragma_header.json") }
Client Reputation
-
Add your client list's ID to the
value
property of theatomicConditions
array in yourreputation_profile.json
file.{ "condition": { "atomicConditions": [ { "checkIps": "connecting", "className": "NetworkListCondition", "index": 1, "positiveMatch": true, "value": [ "12345_MYCLIENTLIST" ] } ], "positiveMatch": true } }
condition: atomicConditions: The conditions that trigger the rate policy. checkIps: The part of the request that determines the IP address to use. Use connecting for connecting IP addresses or or xff_headers for the X_Forwarded_For header. className: The type of condition. Client lists uses NetworkListCondition. index: positiveMatch: The match condition for a policy's trigger. True or false. value: A list of match items. Use your client list's ID. positiveMatch: The match condition for a policy's trigger. True or false.
-
Point the value of
reputation_profile
to your updated JSON file.Uses the reputation profile resource.
resource "akamai_appsec_reputation_profile" "my_reputation_profile" { config_id = 12345 reputation_profile = file("${path.module}/reputation_profile.json") }
Rate Policies
-
Use the
additionalMatchOptions
array with your client list's ID in thevalues
property to add a network list condition to yourrate_policies.json
file.{ "additionalMatchOptions": [ { "positiveMatch": true, "type": "NetworkListCondition", "values": [ "12345_MYCLIENTLIST" ] } ] }
additionalMatchOptions: positiveMatch: The match condition for a policy's trigger. True or false. type: The option's category. Client lists uses NetworkListCondition. values: A list of match items. Use your client list's ID.
-
Point the value of
rate_policy
to your updated JSON file.Uses the rate policy resource.
resource "akamai_appsec_rate_policy" "my_rate_policy" { config_id = 12345 rate_policy = file("${path.module}/rate_policy.json") }
Updated 4 months ago