Document ip_allow in sni.yaml

doc/admin-guide/files/sni.yaml.en.rst

@@ -47,11 +47,16 @@ the user needs to enter the fqdn in the configuration with a ``*.`` followed by
 .. _override-verify-server-properties:
 .. _override-host-sni-policy:
 
-========================= ==============================================================================
+========================= ========================================================================================
 Key                       Meaning
-========================= ==============================================================================
+========================= ========================================================================================
 fqdn                      Fully Qualified Domain Name. This item is used if the SNI value matches this.
 
+ip_allow                  Specify a list of client IP address, subnets, or ranges what are allowed to complete
+                          the connection. This list is comma separated. IPv4 and IPv6 addresses can be specified.
+                          Here is an example list: 192.168.1.0/24,192.168.10.1-4. This would allow connections
+                          from clients in the 19.168.1.0 network or in the range from 192.168.10.1 to 192.168.1.4.
+
 verify_server_policy      One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`.
 
                           By default this is :ts:cv:`proxy.config.ssl.client.verify.server.policy`.
@@ -76,18 +81,18 @@ verify_client             One of the values :code:`NONE`, :code:`MODERATE`, or :
 
 host_sni_policy           One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`.
 
-                          If not specified, the value of :ts:cv:`proxy.config.http.host_sni_policy` is used.  This controls
-                          how policy impacting mismatches between host header and SNI values are dealt with.
+                          If not specified, the value of :ts:cv:`proxy.config.http.host_sni_policy` is used.
+                          This controls how policy impacting mismatches between host header and SNI values are
+                          dealt with.
 
 valid_tls_versions_in     This specifies the list of TLS protocols that will be offered to user agents during
-                          the TLS negotiation.  This replaces the global settings in :ts:cv:`proxy.config.ssl.TLSv1`,
-                          :ts:cv:`proxy.config.ssl.TLSv1_1`, :ts:cv:`proxy.config.ssl.TLSv1_2`,
-                          and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential values are TLSv1, TLSv1_1, TLSv1_2, and
-                          TLSv1_3.  You must list all protocols that |TS| should offer to the client when using
-                          this key.  This key is only valid for openssl 1.1.0 and later. Older versions of openssl do not
-                          provide a hook early enough to update the SSL object.  It is a syntax error for |TS| built
-                          against earlier versions.
-
+                          the TLS negotiation.  This replaces the global settings in
+                          :ts:cv:`proxy.config.ssl.TLSv1`, :ts:cv:`proxy.config.ssl.TLSv1_1`,
+                          :ts:cv:`proxy.config.ssl.TLSv1_2`, and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential
+                          values are TLSv1, TLSv1_1, TLSv1_2, and TLSv1_3.  You must list all protocols that |TS|
+                          should offer to the client when using this key.  This key is only valid for openssl
+                          1.1.0 and later. Older versions of openssl do not provide a hook early enough to update
+                          the SSL object.  It is a syntax error for |TS| built against earlier versions.
 
 client_cert               The file containing the client certificate to use for the outbound connection.
 
@@ -110,8 +115,8 @@ disable_h2                Deprecated for the more general h2 setting.  Setting d
                           to :code:`true` is the same as setting http2 to :code:`on`.
 
 tunnel_route              Destination as an FQDN and port, separated by a colon ``:``.
-                          Match group number can be specified by ``$N`` where N should refer to a specified group in
-                          the FQDN, ``tunnel_route: $1.domain``.
+                          Match group number can be specified by ``$N`` where N should refer to a specified group
+                          in the FQDN, ``tunnel_route: $1.domain``.
 
                           This will forward all traffic to the specified destination without first terminating
                           the incoming TLS connection.
@@ -124,11 +129,11 @@ forward_route             Destination as an FQDN and port, separated by a colon
 
 partial_blind_route       Destination as an FQDN and port, separated by a colon ``:``.
 
-                          This is similar to forward_route in that |TS| terminates the incoming TLS connection. In
-                          addition partial_blind_route creates a new TLS connection to the specified origin. It does
-                          not interpret the decrypted data before passing it to the origin TLS connection, so
-                          the contents do not need to be HTTP.
-========================= ==============================================================================
+                          This is similar to forward_route in that |TS| terminates the incoming TLS connection.
+                          In addition partial_blind_route creates a new TLS connection to the specified origin.
+                          It does not interpret the decrypted data before passing it to the origin TLS
+                          connection, so the contents do not need to be HTTP.
+========================= ========================================================================================
 
 Client verification, via ``verify_client``, corresponds to setting
 :ts:cv:`proxy.config.ssl.client.certification_level` for this connection as noted below.