Configure client lists
Beta
While the underlying code for our Client Lists subprovider has been vetted, we’ve placed the beta label here only to collect your feedback and work through any issues.
Reduce harmful security attacks by allowing only trusted IP/CIDRs, locations, autonomous system numbers, and TLS fingerprints to access your services and content.
What you'll do
Create and activate a client list to use with other Akamai services.
1. Create a client list
Each client list is of a certain type. To create a client list, choose a list type and add entries of that type using the items blocks.
| Type | Description | Entry limit |
|---|---|---|
IP | IPv4 and/or IPv6 addresses. | 10,000 |
GEO | Request's country of origin. | 275 |
ASN | Autonomous system numbers with a decimal value between 0 and 4294967295. | 100 |
FILE_HASH | SHA-256 file hashes | 100 |
TLS_FINGERPRINT | Signals from data shared during the initial handshake between an HTTPS client and your server. | 100 |
Optionally, you can create and add up to five tags to help filter and sort searches against your list. Tag strings can use any character except a comma or semicolon and are limited to 256 characters. Use the tags within your items entries.
Configure your client list using the akamai_clientlist_list resource.
resource "akamai_clientlist_list" "my_client_list" {
name = "my_client_list"
type = "ASN"
notes = "Client list creation"
tags = ["tag1", "tag2", "tag3"]
contract_id = "12345"
group_id = 12345
items {
value = "1"
description = "Item one"
tags = ["tag1", "tag2"]
expiration_date = "2023-09-06T15:58:39.225+00:00"
}
items {
value = "2"
description = "Item two"
tags = ["tag2", "tag3"]
expiration_date = ""
}
items {
value = "3"
description = "Item three"
tags = ["tag1"]
expiration_date = ""
}
}
There's no standard output for this resource, but returned in the last line of the apply log is the client list ID.
2. Activate your client list
Use your client list ID to activate your client list on either the STAGING or PRODUCTION network.
resource "akamai_clientlist_activation" "my_activation" {
list_id = "123456_MYCLIENTLIST"
version = 1
network = "STAGING"
comments = "My activation comments"
notification_recipients = ["jsmith@example.com"]
}
3. Use your client list
To add your client list to your security configuration, include your client list's name or ID in one of these services as an allowlist or blocklist.
All of the changes here require a new version and reactivation of your AppSec configuration.
IP/GEO firewall
Use the respective client list ID in the geo_network_lists, ip_network_lists, and/or exception_ip_network_lists arguments of the IP/GEO resource.
resource "akamai_appsec_ip_geo" "my_ip_geo_lists" {
config_id = 12345
security_policy_id = "12345"
mode = "block"
geo_network_lists = ["12345_GEO_LIST"]
ip_network_lists = ["12345_IP_LIST"]
exception_ip_network_lists = ["98765_EXCEPTION_LIST"]
}
Match Targets
-
Place a
bypassNetworkListsobject in yourmatch_targets.jsonfile with the name and ID of your client list.{ "bypassNetworkLists": { "id": "12345_MYCLIENTLIST", "name": "my_client_list" } } -
Point the value of
match_targetto your updated JSON file.Uses the match target resource.
resource "akamai_appsec_match_target" "my_match_target" { config_id = 12345 match_target = file("${path.module}/match_targets.json") }
Pragma Headers
-
In an
excludeConditionarray, add your your client list's ID in thevalueproperty of yourpragma_header.jsonfile.{ "excludeCondition": [ { "positiveMatch": true, "type": "networkList", "useHeaders": false, "value": [ "12345_MYCLIENTLIST" ] } ] }excludeCondition: positiveMatch: The match condition for a policy's trigger. True or false. type: The condition's category. Client lists uses networkList. useHeaders: Whether the condition should include the X-Forwarded-For header. value: A list of match items. Use your client list's ID. -
Point the value of
pragma_headerto your updated JSON file.Uses the pragma header resource.
resource "akamai_appsec_advanced_settings_pragma_header" "my_pragma_header" { config_id = 12345 security_policy_id = "gms1_12345" pragma_header = file("${path.module}/pragma_header.json") }
Client Reputation
-
Add your client list's ID to the
valueproperty of theatomicConditionsarray in yourreputation_profile.jsonfile.{ "condition": { "atomicConditions": [ { "checkIps": "connecting", "className": "NetworkListCondition", "index": 1, "positiveMatch": true, "value": [ "12345_MYCLIENTLIST" ] } ], "positiveMatch": true } }condition: atomicConditions: The conditions that trigger the rate policy. checkIps: The part of the request that determines the IP address to use. Use connecting for connecting IP addresses or or xff_headers for the X_Forwarded_For header. className: The type of condition. Client lists uses NetworkListCondition. index: positiveMatch: The match condition for a policy's trigger. True or false. value: A list of match items. Use your client list's ID. positiveMatch: The match condition for a policy's trigger. True or false. -
Point the value of
reputation_profileto your updated JSON file.Uses the reputation profile resource.
resource "akamai_appsec_reputation_profile" "my_reputation_profile" { config_id = 12345 reputation_profile = file("${path.module}/reputation_profile.json") }
Rate Policies
-
Use the
additionalMatchOptionsarray with your client list's ID in thevaluesproperty to add a network list condition to yourrate_policies.jsonfile.{ "additionalMatchOptions": [ { "positiveMatch": true, "type": "NetworkListCondition", "values": [ "12345_MYCLIENTLIST" ] } ] }additionalMatchOptions: positiveMatch: The match condition for a policy's trigger. True or false. type: The option's category. Client lists uses NetworkListCondition. values: A list of match items. Use your client list's ID. -
Point the value of
rate_policyto your updated JSON file.Uses the rate policy resource.
resource "akamai_appsec_rate_policy" "my_rate_policy" { config_id = 12345 rate_policy = file("${path.module}/rate_policy.json") }
Updated about 1 year ago