How-to guide

Restrict ingress to known source IPs

When you know exactly which network a producer comes from — a partner's static egress, a government API's published range — you can refuse everything else at the door. Queuey's per-queue source-IP allowlist is a network gate evaluated before authentication.

Configure the allowlist

On the queue's ingress settings, add CIDR ranges or bare IPs (a bare address is treated as a /32 or /128). IPv4 and IPv6 are both supported:

ipAllowlistCidrs
[
  "203.0.113.0/24",
  "198.51.100.7",
  "2001:db8::/32"
]
  • Empty / unset = open — the queue accepts any source IP (backward-compatible). The gate only bites once you list ranges.
  • Resolved tenant → queue: a queue-level list replaces the tenant default, it does not union with it.

What a blocked request sees

A request whose client IP is outside every range is refused before any auth or crypto runs:

Response
HTTP/1.1 403 Forbidden
Content-Type: application/json

{ "error": "ip_not_allowed" }
Matches the real client IP — not a spoofable header
The allowlist matches the connection's real client IP (RemoteIpAddress). Queuey deliberately does not trust a client-supplied X-Forwarded-For header, so a forged header cannot move the matched IP or bypass the allowlist.

Related