Client Restrictions

Client Restrictions in Proxylity are the rules that determine which sources of IP traffic should be allowed by your Listener(s). They act as a firewall between the internet at large and your Destinations, and are crucial for preventing abuse and unauthorized access to your services.

Choose the restriction method that best fits your use case:

CIDR blocks - Best for static IP ranges
Domain names - For access from clients with dynamic IPs but stable hostnames
Client Policy Records - Perfect for complex, dynamic IP access control managed via DNS

Proxylity UDP Gateway supports the following types of Client Restrictions:

Allowed IP Addresses and CIDRs
Allowed Domain Names (Reverse IP lookup)
Client Policy Records in DNS
Choosing the Right Method

Choosing the Right Method

Each restriction method has its strengths. Here's a quick comparison to help you choose:

Method	Best For	Complexity	Flexibility
CIDR Blocks	Static networks, simple setups	Low	Low
Domain Names	Dynamic IPs with stable hostnames	Medium	Medium
CPF Records	Complex policies, team delegation	High	High

Pro tip: You can combine multiple restriction methods. Proxylity will allow traffic if any of the configured restrictions permit it.

Allowed IP Addresses and CIDRs

CIDR (Classless Inter-Domain Routing) restrictions allow you to specify individual IP addresses or entire ranges using CIDR notation. This is the most straightforward method for controlling access when you know the specific IP addresses or ranges that should be allowed.

When to use:

Networks with static IP ranges such as a home or site gateway
Known partner organizations with fixed IP addresses
Development/testing environments with known client ranges (e.g. test labs)

Examples:

192.168.1.100 - Allow only this specific IP address
10.0.0.0/8 - Allow all private Class A addresses
203.0.113.0/24 - Allow a specific /24 subnet (256 addresses)

Allowed Domain Names

Domain-based restrictions allow you to permit traffic based on reverse DNS lookups rather than static IP addresses. When a request arrives, Proxylity performs a reverse lookup to determine the hostname associated with the source IP, then checks if that domain is on your allowed list.

When to use:

Cloud services with dynamic IP addresses (AWS, Google Cloud, etc.)
CDN endpoints that may change IPs frequently
Partner services where you trust the domain but IPs change

Important considerations:

Requires proper reverse DNS (PTR records) to be configured
Slightly higher latency due to DNS lookups
Results are cached for performance (per DNS record TTLs)

Client Policy Records (CPF)

Client Policy Framework (CPF) is the most flexible and powerful restriction method. Similar to how SPF (Sender Policy Framework) works for email, CPF uses DNS TXT records to define which IP addresses are authorized to access your services. This allows you to manage access control through DNS without modifying Proxylity configuration.

When to use CPF:

Complex access policies that change frequently
Multi-organization environments where different teams manage different client IP ranges
Services that need to delegate authorization to third parties
Environments where DNS management is easier than infrastructure configuration

CPF Record Format

CPF records follow a simple, SPF-like syntax:

v=cpf1 [mechanism1] [mechanism2] ...

Important syntax notes:

All mechanisms (except all) require a value after a colon (:)
Only + (pass) and - (fail) qualifiers are effectively supported
Mechanism names are case-insensitive
Modifiers are parsed but not implemented in policy evaluation

Supported Mechanisms

Mechanism	Description	Example
`ip4`	IPv4 address or CIDR block	`ip4:192.168.1.0/24`
`ip6`	IPv6 address or CIDR block	`ip6:2001:db8::/32`
`a`	Allow IPs that resolve to this domain's A records	`a:example.com`
`include`	Include another domain's CPF policy	`include:partners.com`
`exists`	Allow if DNS A record exists for {ip}.domain	`exists:allowlist.example.com`
`all`	Catch-all (use with qualifiers)	`-all` (deny everything else)

Qualifiers

Each mechanism can be prefixed with a qualifier to specify the action:

+ (or no prefix) - Pass: Allow the IP
- - Fail: Deny the IP

Note: The current implementation only distinguishes between Pass (+) and all other qualifiers. Qualifiers ~ (SoftFail) and ? (Neutral) are parsed but treated the same as - (Fail).

Modifiers (Not Currently Implemented)

While the CPF parser can recognize exp and redirect modifiers, these are not currently implemented in the policy evaluation logic. They will be parsed without error but have no effect on access decisions.

Example CPF Records

Basic example - Allow specific IPs and deny all others:

v=cpf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all

Corporate network with partner inclusion:

v=cpf1 ip4:10.0.0.0/8 include:partners.example.com a:vpn.mycompany.com -all

Dynamic allowlist using exists mechanism:

v=cpf1 exists:approved.mycompany.com -all

This allows any IP if a DNS A record exists for {ip}.approved.mycompany.com

Setting Up CPF Records with AWS Route 53

Here are example AWS CLI commands to create CPF records in Route 53:

1. Create a basic CPF record

aws route53 change-resource-record-sets --hosted-zone-id Z1234567890ABC --change-batch '{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "myservice.example.com",
      "Type": "TXT",
      "TTL": 300,
      "ResourceRecords": [{
        "Value": "\"v=cpf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all\""
      }]
    }
  }]
}'

2. Create a CPF record with partner inclusion

aws route53 change-resource-record-sets --hosted-zone-id Z1234567890ABC --change-batch '{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "api.mycompany.com",
      "Type": "TXT",
      "TTL": 300,
      "ResourceRecords": [{
        "Value": "\"v=cpf1 ip4:10.0.0.0/8 include:partners.example.com a:vpn.mycompany.com -all\""
      }]
    }
  }]
}'

3. Update an existing CPF record

aws route53 change-resource-record-sets --hosted-zone-id Z1234567890ABC --change-batch '{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "gateway.example.com",
      "Type": "TXT", 
      "TTL": 300,
      "ResourceRecords": [{
        "Value": "\"v=cpf1 exists:approved.mycompany.com ip4:192.168.0.0/16 -all\""
      }]
    }
  }]
}'

Testing Your CPF Records

You can verify your CPF records are properly configured using standard DNS tools:

# Using dig
dig TXT myservice.example.com

# Using nslookup
nslookup -type=TXT myservice.example.com

# Using PowerShell (Windows)
Resolve-DnsName -Name myservice.example.com -Type TXT

Implementation Notes

Based on the current ClientPolicyLibrary implementation:

DNS Caching: DNS lookups are cached with a minimum 30-second TTL for performance
IP Network Parsing: Uses IPNetwork2 library for CIDR block validation
Error Handling: Malformed records throw parsing exceptions
Case Sensitivity: Mechanism names are parsed case-insensitively
Value Requirements: All mechanisms except all must have values

Best Practices

Always end with -all to explicitly deny unlisted sources
Keep TTL values reasonable (300-3600 seconds) to balance performance and flexibility
Test changes in staging before applying to production services
Use include mechanisms to delegate parts of your policy to other domains
Monitor DNS query logs to understand how your policies are being evaluated
Document your CPF policies and maintain them as part of your infrastructure as code

Troubleshooting

Common issues and solutions:

Record not found: Verify DNS propagation and check for typos in domain names
Syntax errors: Ensure proper spacing and mechanism formatting
Include loops: Avoid circular references between included domains
DNS timeout: Check that included domains are responsive and have valid CPF records
Missing colons: All mechanisms except all require a colon and value
Parsing failures: Verify proper qualifier syntax (+ or -)

Known Limitations:

Only + (pass) and - (fail) qualifiers are functionally supported
~ (SoftFail) and ? (Neutral) are parsed but treated as - (fail)
Modifiers (exp, redirect) are parsed but not implemented
DNS resolution errors in a and exists mechanisms may cause policy failures
No macro expansion support (unlike full SPF)