The global policy is a single policy evaluated for every proxied request, before any route-specific policy. It is the place to enforce infrastructure-wide rules — for example, blocking a set of abusive IPs across the whole proxy, or restricting the entire surface to a corporate network.
Enabling it
The global policy is opt-in. Set EnableGlobalPolicy to true and make sure a policy exists whose PolicyName matches GlobalPolicyName (default "Global"):
{
"IPFilterConfiguration": {
"EnableGlobalPolicy": true,
"GlobalPolicyName": "Global",
"Policies": [
{
"PolicyName": "Global",
"Mode": "BlockList",
"IPAddresses": ["198.51.100.23", "198.51.100.24"]
}
]
}
}
The example above blocks two specific IPs from reaching any route, while letting everything else through.
If
EnableGlobalPolicyistruebut no policy matchesGlobalPolicyName, the provider throws when it loads (at startup and on every configuration reload): "Could not find Global Policy. Double check configuration or disable the global policy feature." Either add the matching policy or setEnableGlobalPolicyback tofalse.
Evaluation order
The middleware evaluates policies in this order:
- Global policy — if enabled and the client IP is not allowed by it, the request is blocked with
403 Forbidden immediately (event RequestBlockedGlobal). No route-specific policy runs.
- Route-specific policy — if the request survives the global policy, the route's
IPFilterPolicy metadata is resolved and evaluated.
A request must satisfy both the global policy and the route policy (if any) to reach the backend. The two are independent policies with independent modes — a common pattern is a BlockList global policy (a deny list applied everywhere) combined with AllowList route policies (tight allowlists on sensitive routes).
Choosing a mode
BlockListglobal policy — the usual choice. Block known-bad IPs everywhere; everything else falls through to
per-route rules.
AllowListglobal policy — locks the entire proxy down to a known set of clients (e.g. an office network).
Remember an allowlist blocks everyone not listed, so make sure every legitimate source is covered.
Disabled— leaves the global policy defined but inert; equivalent toEnableGlobalPolicy: falsefor that
policy, but keeps it available to switch on quickly.
Turning it off
Set EnableGlobalPolicy to false (the default). The provider clears the global policy and only route-specific policies apply. This can be toggled at runtime via configuration reload.