@@ -893,6 +893,14 @@ prevent any direct access to these resources from a web browser (by guessing the |
893 | 893 | ESI URL pattern), the ESI route **must** be secured to be only visible from |
894 | 894 | the trusted reverse proxy cache. |
895 | 895 |
|
| 896 | +.. caution:: |
| 897 | + |
| 898 | +As you'll read in the explanation below the example, the ``ip`` option |
| 899 | +does not restrict to a specific IP address. Instead, using the ``ip`` |
| 900 | +key means that the ``access_control`` entry will only match this IP address, |
| 901 | +and users accessing it from a different IP address will continue down |
| 902 | +the ``acces_control`` list. |
| 903 | + |
896 | 904 | Here is an example of how you might secure all ESI routes that start with a |
897 | 905 | given prefix, ``/esi``, from outside access: |
898 | 906 |
|
@@ -951,11 +959,13 @@ Now, if the same request comes from ``127.0.0.1``: |
951 | 959 |
|
952 | 960 | .. _book-security-securing-channel: |
953 | 961 |
|
954 | | -Securing by Channel |
955 | | -~~~~~~~~~~~~~~~~~~~ |
| 962 | +Forcing a Channel (http, https) |
| 963 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
956 | 964 |
|
957 | 965 | You can also require a user to access a URL via SSL; just use the |
958 | | -``requires_channel`` argument in any ``access_control`` entries: |
| 966 | +``requires_channel`` argument in any ``access_control`` entries. If this |
| 967 | +``access_control`` is matched and the request is using the ``http`` channel, |
| 968 | +the user will be redirected to ``https``: |
959 | 969 |
|
960 | 970 | .. configuration-block:: |
961 | 971 |
|
|
0 commit comments