Rule Evaluation

Overview

When a request arrives at a Horizon circuit's public domain, it passes through a series of security layers before being forwarded to the backend service. Each layer evaluates the request independently and can block it. Understanding the order in which these layers are evaluated is essential for correct configuration and for diagnosing why a particular request was allowed or blocked.

Security Layer Evaluation Order

The Horizon proxy evaluates security layers in the following order. A request must pass every layer to be forwarded to the backend service. If any layer blocks the request, subsequent layers are not evaluated.

  1. IP Blacklist - The source IP address is checked against all configured blacklist rules. If the IP matches any blacklist CIDR range, the request is immediately blocked. The allowlist is not consulted.

  2. IP Allowlist - If allowlist rules are configured on the circuit, the source IP must match at least one allowlist CIDR range. If allowlist rules exist and the source IP does not match any of them, the request is blocked. If no allowlist rules are configured, this step is skipped.

  3. Country Blocking - The source IP is geolocated to a country. If the resolved country matches any entry on the circuit's country block list, the request is blocked.

  4. Bot & Scanner Detection - If bot and scanner blocking is enabled on the circuit, the request's User-Agent header is compared against known vulnerability scanner signatures. If a match is found, the request is blocked.

  5. Access Policy - The circuit's access policy tier (Public, Project Members, or Specific Users) is enforced. For Public circuits, this step is a pass-through. For Project Members circuits, the requester must be authenticated and a member of the project. For Specific Users circuits, the requester must additionally appear on the circuit's allowlist.

IP Rule Interaction

When both blacklist and allowlist rules are configured on a circuit, the interaction between them follows a strict precedence model:

  • The blacklist is evaluated first and acts as an unconditional deny. If a source IP matches any blacklist rule, the request is blocked regardless of whether that IP also appears in an allowlist rule. The blacklist cannot be overridden by the allowlist.

  • The allowlist is evaluated second, only if the request was not already blocked by the blacklist. When allowlist rules exist, the source IP must match at least one allowlist entry to proceed. If no allowlist rules are configured, this check is skipped entirely and all non-blacklisted IPs are permitted to the next layer.

  • In practice, for a request to pass the IP filtering layer when both rule types are configured, the source IP must not appear in any blacklist rule and must appear in at least one allowlist rule.

WARNING

If an IP address is present in both the blacklist and the allowlist, the blacklist takes precedence and the request is blocked. Always review both rule sets when troubleshooting unexpected blocks.

Blocked Request Logging

When a request is blocked by any security layer, it is recorded in the circuit's request logs with the action marked as Blocked and a reason indicating which layer denied the request. This information is visible in the expanded detail view of the request log entry and is useful for diagnosing misconfigured rules or identifying attack patterns.

Example Scenarios

Scenario 1: Blacklist only

A circuit has a single blacklist rule: 203.0.113.0/24. Requests from IPs in that range are blocked. All other IPs proceed to the next security layer.

Scenario 2: Allowlist only

A circuit has a single allowlist rule: 198.51.100.0/24. Only requests from IPs in that range are permitted. All other IPs are blocked at the IP filtering layer, regardless of their country or identity.

Scenario 3: Both blacklist and allowlist

A circuit has a blacklist rule for 198.51.100.50/32 and an allowlist rule for 198.51.100.0/24. A request from 198.51.100.50 is blocked by the blacklist, even though it falls within the allowlist range. A request from 198.51.100.10 passes the blacklist (no match), passes the allowlist (matches), and proceeds to the next layer.

Scenario 4: No IP rules

A circuit has no blacklist or allowlist rules configured. The IP filtering layer is effectively inactive, and all requests proceed directly to country blocking.
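The following is an added reference model of the five-layer evaluation order and the blacklist/allowlist precedence described above, with the four scenarios reproduced against it. It is example code written for this page, not Horizon's own proxy code: the Request and Circuit shapes, the reason strings, the scanner User-Agent markers and the way blocked requests are logged are all assumptions, and the "Specific Users" tier is read as requiring project membership plus presence on the circuit's user list.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


# Constructed request and circuit shapes (hypothetical; not Horizon's data model).
@dataclass
class Request:
    source_ip: str
    country: Optional[str] = None      # geolocation result, supplied by the caller
    user_agent: str = ""
    user: Optional[str] = None         # authenticated identity, None if anonymous


@dataclass
class Circuit:
    blacklist: List[str] = field(default_factory=list)     # CIDR strings
    allowlist: List[str] = field(default_factory=list)     # CIDR strings
    blocked_countries: Set[str] = field(default_factory=set)
    block_scanners: bool = False
    access_policy: str = "public"      # "public" | "project_members" | "specific_users"
    project_members: Set[str] = field(default_factory=set)
    allowed_users: Set[str] = field(default_factory=set)
    request_log: List[dict] = field(default_factory=list)


# Constructed scanner markers; the real signature set is not on the page.
SCANNER_SIGNATURES = ("nikto", "sqlmap", "masscan")


def ip_matches_any(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(circuit: Circuit, request: Request) -> Tuple[bool, str]:
    """Run the five layers in order. The first layer that blocks wins and the
    remaining layers are never consulted. Returns (allowed, reason)."""

    def block(reason: str) -> Tuple[bool, str]:
        # Blocked requests are logged with the layer that denied them.
        circuit.request_log.append(
            {"ip": request.source_ip, "action": "Blocked", "reason": reason})
        return False, reason

    # 1. IP blacklist: unconditional deny; the allowlist cannot override it.
    if ip_matches_any(request.source_ip, circuit.blacklist):
        return block("ip_blacklist")
    # 2. IP allowlist: enforced only when at least one allowlist rule exists.
    if circuit.allowlist and not ip_matches_any(request.source_ip, circuit.allowlist):
        return block("ip_allowlist")
    # 3. Country blocking on the geolocated country.
    if request.country in circuit.blocked_countries:
        return block("country_block")
    # 4. Bot & scanner detection on the User-Agent header (only when enabled).
    if circuit.block_scanners:
        ua = request.user_agent.lower()
        if any(sig in ua for sig in SCANNER_SIGNATURES):
            return block("scanner_detection")
    # 5. Access policy tier. An anonymous user (None) is never a member.
    if circuit.access_policy == "project_members":
        if request.user not in circuit.project_members:
            return block("access_policy")
    elif circuit.access_policy == "specific_users":
        if (request.user not in circuit.project_members
                or request.user not in circuit.allowed_users):
            return block("access_policy")
    circuit.request_log.append(
        {"ip": request.source_ip, "action": "Allowed", "reason": "allowed"})
    return True, "allowed"


def run_scenarios() -> dict:
    """Reproduce the page's four scenarios; each value is (allowed, reason)."""
    s1 = Circuit(blacklist=["203.0.113.0/24"])
    s2 = Circuit(allowlist=["198.51.100.0/24"])
    s3 = Circuit(blacklist=["198.51.100.50/32"], allowlist=["198.51.100.0/24"])
    s4 = Circuit()
    return {
        "s1_in_range": evaluate(s1, Request("203.0.113.7")),
        "s1_other": evaluate(s1, Request("192.0.2.1")),
        "s2_in_range": evaluate(s2, Request("198.51.100.9")),
        # Country is irrelevant here: the allowlist blocks first.
        "s2_other": evaluate(s2, Request("192.0.2.1", country="XX")),
        "s3_blacklisted": evaluate(s3, Request("198.51.100.50")),
        "s3_allowed": evaluate(s3, Request("198.51.100.10")),
        "s4_any": evaluate(s4, Request("192.0.2.1")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

When troubleshooting an unexpected block, the reason recorded in request_log tells you which layer fired; because evaluation stops at the first denial, a scanner User-Agent arriving from a blacklisted IP is logged as an IP blacklist block, not a scanner block.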