How-to guide
Restrict ingress to known source IPs
When you know exactly which network a producer comes from — a partner's static egress, a government API's published range — you can refuse everything else at the door. Queuey's per-queue source-IP allowlist is a network gate evaluated before authentication.
Configure the allowlist
On the queue's ingress settings, add CIDR ranges or bare IPs (a bare address is treated as a /32 or /128). IPv4 and IPv6 are both supported:
[
"203.0.113.0/24",
"198.51.100.7",
"2001:db8::/32"
]- Empty / unset = open — the queue accepts any source IP (backward-compatible). The gate only bites once you list ranges.
- Resolved tenant → queue: a queue-level list replaces the tenant default, it does not union with it.
What a blocked request sees
A request whose client IP is outside every range is refused before any auth or crypto runs:
HTTP/1.1 403 Forbidden
Content-Type: application/json
{ "error": "ip_not_allowed" }Matches the real client IP — not a spoofable header
The allowlist matches the connection's real client IP (
RemoteIpAddress). Queuey deliberately does not trust a client-supplied X-Forwarded-For header, so a forged header cannot move the matched IP or bypass the allowlist.Related
- OAuth2 & private_key_jwt — combine a network gate with strong delivery auth.
- Core concepts — where ingress sits in the pipeline.