Networking

Filtering traffic to your application

Overview

By default, all traffic is allowed to visit your web servers on ports 80, 443, 8080 and 8443. Traffic filtering caters for six exceptions to this:

  1. Explicitly allowing only certain IP addresses (whitelisting)
  2. Explicitly allowing traffic only from certain countries
  3. Explicitly denying certain IP addresses (blacklisting)
  4. Explicitly denying traffic from certain countries (blacklisting)
  5. Forcing traffic to flow via your load balancer(s) rather than hitting servers directly
  6. Blocking (or allowing) direct traffic via your app's default *.c66.me domain

Cloud 66 also automatically rate limits IP addresses and will temporarily block an address that hits your application too often. Please read our Application Surge Protection guide for more details.

Configuring Traffic Filters

To configure traffic filters for your application:

Whitelisting vs Surge Protection

Whitelisting is not the same as removing Application Surge Protection. These are two separate lists with separate functions. A whitelisted IP could still be rate limited.

Allowing traffic (whitelisting)

Whitelisting is useful in cases where you need to lock down an application completely and only allow access for a specific IP (or range of IPs) or from specific countries.

To whitelist a list of IP addresses or IP address ranges, navigate to the Traffic Filters page (see above for instructions) and then add the IP address or range to the Only allow traffic from these sources field. Then click Review changes and then Apply changes.

IP addresses and ranges can be entered as comma separated lists. For example:

23.213.76.19
23.213.76.1/16
23.213.76.19,31.152.18.22,197.222.132.0/24

You can also add lists of addresses via URLs. The URL must point to either a txt or JSON formatted document. See our reference guide for more details.

Allowing traffic by country

To whitelist a country or set of countries, navigate to the Traffic Filters page (see above for instructions) and then select (or search) for the countries you wish to white list in the Only allow traffic from these Countries field. Then click Review changes and then Apply changes.

Denying traffic (blacklisting)

You can also blacklist specific IPs and/or ranges from visiting the ports mentioned above. To do so, navigate to the Traffic Filters page (see above for instructions) and then add the IP address or range to the Block traffic from these sources field. Then click Review changes and then Apply changes.

You can test this by adding your own IP address to the Deny list and then trying to visit your application in the browser. If you've configured this correctly you will get a 403 Forbidden error from your app's Nginx proxy.

As above, you can enter IP addresses in comma separated lists, as ranges, or a combination. You can also add lists of addresses via URLs. The URL must point to either a txt or JSON formatted document. See our reference guide for more details.

Denying traffic by country

Works identically to whitelisting by countries above, except that it uses the Block traffic from these Countries field.

Control direct web traffic to default domains

We automatically provision (unique) default (sub)domains for every application under c66.me. You can control whether this domain is directly reachable or not (it is reachable by default).

To control direct access to this domain:

Access options

By default web traffic is allowed, which can result in SEO penalties if search engines have found and indexed this domain.

Blocking direct traffic will return a 404 to visitors to that domain, and display custom error page you have configured.

You can redirect any visits to another domain but the target domain needs a valid SSL certificate in order to enable this option.

Previous
Using Traffic Rules To Route Traffic
Next
Container Service Networking