Allow access based on either a IP address or a specific authentication key in the header


Kong offers two plugins that allow us to restrict IP addresses and add authentication(key-auth). However, I need to authenticate clients only if they are not from specific IP addresses, similar to the satisfy any directive in Nginx. Is there a way to achieve this functionality without writing a custom plugin?

This may be a bit of a hack, but perhaps you could use the pre-function plugin (yes, it’s writing Lua code but without the heavy lifting of adding a custom plugin to your Kong deployment) to check the source IP address. If it’s one of the always-allowed addresses, then add an API key header that is reserved for these clients and that will pass the key-auth plugin check. Any requests from other clients will have to pass key-auth with their own keys.

Hi there @guoard

Auth plugins always run first. If you are using enterprise version, there is a feature called dynamic ordering to reorder the plugin execution. Details can be found here Implementing Custom Logic - Kong Gateway | Kong Docs

If using OSS, the priority can be changed to allow IP Restriction to run first. You can do this by editing handler.lua. Priority of IPRestriction is 990 and KeyAuth is 1250. You can change
IPRestriction plugin priority to 1300 and restart. It should run IPRestriction first allowing you to authenticate only requests from desired IP Address

local KeyAuthHandler = {
VERSION = kong_meta.version,
PRIORITY = 1250,

make IpRestriction something like

local IpRestrictionHandler = {
PRIORITY = 1300,
VERSION = kong_meta.version,

Let us know if this helps.


Thank you @Veena_Rajarathna for your answer.

It should run IPRestriction first allowing you to authenticate only requests from desired IP Address

This doesn’t meet my requirements!

I want to restrict access to either specific IP addresses or requests with key authentication. If a client is not from the specified IP addresses, the request must include key-auth.

@shawnc1959-8451 suggested using the pre-function plugin, which seems to work for us, but I prefer not to get involved with writing Lua scripts.