IP-based Access Control Using Edge Functions in Launch

This guide explains how to implement IP-based access control using Edge Functions in Contentstack Launch. This feature helps you restrict or allow traffic to your site’s origin only from specific IP ranges, such as internal networks or trusted CDN providers.

Implementing IP Filtering with Edge Functions

In many enterprise scenarios, you may want to restrict access to your Launch-hosted site so that only specific IP addresses (e.g., from your CDN provider like Akamai) can reach the origin server. This can be achieved by implementing IP Allowlisting or Restricting using Edge Functions.

With Contentstack Launch, you can set up IP-based access rules using custom logic deployed at the edge (Edge Functions), enabling real-time filtering before the request hits your origin.

Common Use Cases for IP-based Access Control

Restrict access to origin servers only to requests from a particular CDN.
Block specific malicious or unwanted IP addresses from accessing your site.
Allow internal teams (based on corporate IPs) to preview restricted environments.

Additional Resource: Refer to the Edge Functions Guide to set up an edge function in your Launch application to add the custom logic for IP access control.

IP Allowlisting: Permit Traffic from Trusted IPs

Only allow traffic from a predefined list of IP addresses.
You can achieve IP allowlisting through Launch Edge Functions as follows:

export default async function handler(request) {
  const allowedIPs = [
    // Add trusted IPs here
  ]; 

  const clientIP = request.headers.get("x-forwarded-for") || "";
  const clientIPList = clientIP.split(",").map(ip => ip.trim()); 

  const allowed = clientIPList.some(ip => allowedIPs.includes(ip));
 //your custom logic

  if (!allowed) {
    return new Response("Forbidden. Your IP is not allowed.", { status: 403 });
  }
  return fetch(request);
}

Additional Resource:

Refer to the Launch Edge IP Allowlist Example for a quick understanding.
Learn more about x-forwarded-for.

IP Restricting: Deny Access from Blocked IPs

Deny traffic from a specific set of IP addresses.

export default async function handler(request) {
  const blockedIPs = [
    // Add restricted IPs here
  ]; 
  const clientIP = request.headers.get("x-forwarded-for") || "";
  const clientIPList = clientIP.split(",").map(ip => ip.trim()); 
  const blocked = clientIPList.some(ip => blockedIPs.includes(ip));
  if (blocked) {
    return new Response("Forbidden. Your IP has been restricted.", { status: 403 });
  }
  return fetch(request);
}

Additional Resource: Refer to the Launch Edge Restrict IP Example for a quick understanding.

IP-based Access Control Using Edge Functions in Launch

Implementing IP Filtering with Edge Functions

Common Use Cases for IP-based Access Control

IP Allowlisting: Permit Traffic from Trusted IPs

IP Restricting: Deny Access from Blocked IPs

Add API Endpoints to a Website in Launch

Deploy a Project from a Monorepo on Launch

Disable Automatic Redeployment

Host a Static Site on Launch

Redeploy Automatically when Content is Published on CMS

Setup Production and Non-Production Environment

Auto-populate Environment Variables from a Linked Stack

Repair GitHub Connection for Projects

Repair Git Provider Connection for Projects

Host any SSR Framework on Launch

Trigger Deployments on Launch Platform based on Tags/Releases

Caching Guide for Contentstack Launch

Handling Next.js RSC Issues on Launch

Blocking AI Crawlers

Can I Run a Docker Container on Launch?