Access Control Reference
Access control configuration for the forward proxy.
Controls which clients may connect to the proxy and which upstream destinations they may reach. Deny rules are always evaluated before allow rules at every level (hosts, ports).
When all listings are empty and defaultDeny is false (the defaults),
the proxy is fully open — any client can reach any destination. For
production deployments, set allowClients and consider enabling
defaultDeny.
> This page is auto-generated from the PKL schema. See the guide for usage examples.
AccessControl
Network-level access control for proxy clients and upstream destinations.
Evaluation order for destinations:

1. denyHosts / denyPorts — checked first; matching requests are rejected
2. allowHosts / allowPorts — checked second if defaultDeny is true
3. defaultDeny — determines whether unlisted destinations are allowed or denied
| Field | Type | Default | Description |
|---|---|---|---|
| allowClients | Listing | (empty) | Client IP addresses or CIDR ranges permitted to connect to the proxy. |
| maxConnectionsPerClient | UInt | 0 | Maximum number of concurrent connections from a single client IP address. |
| allowHosts | Listing | (empty) | Destination hostnames or patterns that clients are permitted to reach. |
| denyHosts | Listing | (empty) | Destination hostnames or patterns that are always denied, regardless of allowHosts or defaultDeny. |
| defaultDeny | Boolean | false | Controls the policy for destinations not explicitly listed. When true, any destination not matching allowHosts is denied. |
| allowPorts | Listing | (empty) | Destination ports that clients are permitted to reach. An empty listing permits all ports (subject to denyPorts). |
| denyPorts | Listing | (empty) | Destination ports that are always denied, regardless of allowPorts. |

allowClients
Client IP addresses or CIDR ranges permitted to connect to the proxy.
An empty listing permits all clients (open proxy). When non-empty,
connections from unlisted addresses are rejected with 403 Forbidden.
Both IPv4 and IPv6 addresses and ranges are supported.
```pkl
allowClients { "127.0.0.1/8"; "10.0.0.0/8"; "::1" }
```

maxConnectionsPerClient
Maximum number of concurrent connections from a single client IP
address. Limits apply independently per IP. 0 means unlimited.
Default: 0.
allowHosts
Destination hostnames or patterns that clients are permitted to reach.
Uses glob syntax (e.g., "*.example.com", "api.stripe.com").
An empty listing permits all destinations (subject to denyHosts and
defaultDeny). Only meaningful when defaultDeny is true.
denyHosts
Destination hostnames or patterns that are always denied, regardless
of allowHosts or defaultDeny. Evaluated before allow rules.
```pkl
denyHosts { "*.malware.example"; "tracker.ads.net" }
```

defaultDeny
Controls the policy for destinations not explicitly listed. When true,
any destination not matching allowHosts is denied. When false
(the default), unlisted destinations are allowed unless they match
denyHosts. Enable this for allowlist-only deployments.
allowPorts
Destination ports that clients are permitted to reach. An empty listing
permits all ports (subject to denyPorts). Only meaningful when there
are specific ports you want to restrict access to.
```pkl
allowPorts { 80; 443; 8080 }
```

denyPorts
Destination ports that are always denied, regardless of allowPorts.
Evaluated before allow rules. Useful for blocking non-HTTP ports.
```pkl
denyPorts { 25; 465; 587 }
```
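
The evaluation order described on this page, modelled in Python so a policy can be checked against sample requests before deployment. This is an added example, not the proxy's own code and not generated from the schema. Assumptions: globs behave like shell-style `fnmatch` patterns, a non-empty allowPorts restricts ports independently of defaultDeny, and both policies and the host `internal.example.com` are constructed for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessControl:
    """Field names and defaults mirror the reference table."""
    allowClients: list = field(default_factory=list)
    allowHosts: list = field(default_factory=list)
    denyHosts: list = field(default_factory=list)
    defaultDeny: bool = False
    allowPorts: list = field(default_factory=list)
    denyPorts: list = field(default_factory=list)

def _glob(host, patterns):
    # Assumption: case-insensitive shell-style globs; "*.example.com" then
    # matches subdomains but not the bare apex "example.com".
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

def _client_ok(ip, ranges):
    if not ranges:  # empty listing: every client may connect (open proxy)
        return True
    addr = ipaddress.ip_address(ip)
    # strict=False accepts entries with host bits set, e.g. "127.0.0.1/8"
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def evaluate(ac, client_ip, host, port):
    """Return (allowed, reason) for one proxied request."""
    if not _client_ok(client_ip, ac.allowClients):
        return False, "client not in allowClients (403)"
    if _glob(host, ac.denyHosts):       # deny rules always run first
        return False, "denyHosts"
    if port in ac.denyPorts:
        return False, "denyPorts"
    if ac.defaultDeny and not _glob(host, ac.allowHosts):
        return False, "defaultDeny: host not in allowHosts"
    # Assumption: a non-empty allowPorts restricts ports on its own.
    if ac.allowPorts and port not in ac.allowPorts:
        return False, "port not in allowPorts"
    return True, "allowed"

# Constructed policies: the all-defaults open proxy and an allowlist-only one.
OPEN = AccessControl()
HARDENED = AccessControl(
    allowClients=["10.0.0.0/8", "::1"], defaultDeny=True,
    allowHosts=["*.example.com", "api.stripe.com"],
    denyHosts=["internal.example.com"], allowPorts=[443], denyPorts=[25, 465, 587],
)
```

Under the all-defaults policy every request is allowed, including SMTP ports from any client; under the hardened one, `internal.example.com` is rejected by denyHosts even though it also matches the `*.example.com` allow pattern.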