From 03a5a09f0e203b8e71d5577b62dcd8102bb23a68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Brunat?= Date: Thu, 27 Mar 2025 13:18:05 +0100 Subject: [PATCH] add section about IP blocking --- content/doc/addons/otoroshi.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/doc/addons/otoroshi.md b/content/doc/addons/otoroshi.md index 48f9b00f2..8839e6b2c 100644 --- a/content/doc/addons/otoroshi.md +++ b/content/doc/addons/otoroshi.md @@ -107,6 +107,22 @@ The integration provides advanced security capabilities through OWASP CRS implem ### Enterprise Capabilities Designed for production environments, the Coraza WAF plugin offers flexible configuration options, supporting both detection and prevention modes. It enables customized rule sets per domain and provides detailed security event tracking through Otoroshi's event management system. The implementation is optimized for minimal performance impact while maintaining robust security controls. +### Block single IPs + +To block a single IP, you don't need Coraza WAF. In the "routes" section, choose the route you want to protect and then you should be able to add the plugin "IP Block list" and block one or several IPs. + +Coraza is able to block IPs (or CIDR) too but you need to add customs rules based on "X-Forwarded-For" header such as: + +```coraza +SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 82.0.0.0/8" \ + "id:100006,\ + phase:1,\ + drop,\ + status:503,\ + log,\ + msg:'Forbidden IP range detected in Forwarded header'" +``` + - [Otoroshi Coraza WAF documentation](https://maif.github.io/otoroshi/manual/how-to-s/instantiate-waf-coraza.html) ## Manage Otoroshi from its API
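Review bot: The new "Block single IPs" section should state that a rule keyed on `REQUEST_HEADERS:X-Forwarded-For` is only as trustworthy as the hop that sets that header; if the request can reach Otoroshi without a trusted proxy in front overwriting X-Forwarded-For, the value is client-supplied and the block can be sidestepped by anyone who sends a different address, so the text should tell readers to verify that their edge sets or overwrites the header before relying on this rule, and should mention that with several proxy hops the header carries a comma-separated list rather than one address, which `@ipMatch` does not parse as a single IP. In the example rule itself, `drop` closes the connection immediately, so `status:503` has no effect (it only applies with `deny`); either use `deny,status:403` to match the "Forbidden IP range" message, or keep `drop` and remove the status line. Minor points: "customs rules" should read "custom rules", and the code fence is tagged `coraza`, which is not a recognised highlighter name; `apache` or a plain fence renders more predictably. A documentation example would also be better served by a reserved example range such as 192.0.2.0/24 than by 82.0.0.0/8, which is a live public allocation.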