At the moment, when you deploy an application to Pivotal Web Services (PWS), the application is accessible to anyone on the Internet. The PWS platform does not provide any access restriction mechanism, so to restrict access to the application you have to do it in the application itself.
Some languages, runtimes, and frameworks offer support for whitelisting or blacklisting IP addresses; Spring Security is one example. For languages or runtimes with no built-in support, implement similar behavior with a "middleware", "interceptor", or "filter". These mechanisms inspect incoming requests and run logic before the request reaches the application. The injected logic needs to look at the client's IP address and decide whether it is acceptable. The client's IP address can be found in the X-FORWARDED-BY header, but some buildpacks, like the Java buildpack and the PHP buildpack, modify the headers and expose this information through a language-specific feature such as Java's Servlet API or PHP's $_SERVER.
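The middleware approach described above, as an added example that is not code from the article or from PWS: a Python WSGI filter that reads the client address from the forwarded header, ignores any proxy entries the client itself could have supplied, and checks the result against a CIDR allowlist, failing closed when the header is missing or unparsable. It assumes the platform router appends the client address to X-Forwarded-For (exposed to WSGI as HTTP_X_FORWARDED_FOR); the allowlist networks are constructed values.

```python
import ipaddress

# Constructed allowlist: the .htaccess address from the article plus a hypothetical range.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("23.28.250.16/32", "10.0.0.0/8")]
# Assumption: the platform router appends the client address to X-Forwarded-For.
FORWARDED_HEADER = "HTTP_X_FORWARDED_FOR"   # WSGI environ key for that header

def client_ip(environ, trusted_hops=1):
    """Client address from X-Forwarded-For. Each proxy appends the address it
    saw, so with one trusted proxy the client is the last entry; anything
    further left came from the client itself and must not drive the decision."""
    if trusted_hops == 0:                      # no proxy: socket peer is the client
        return environ.get("REMOTE_ADDR", "")
    hops = [h.strip() for h in environ.get(FORWARDED_HEADER, "").split(",") if h.strip()]
    if len(hops) < trusted_hops:               # header missing or too short: fail closed,
        return ""                              # REMOTE_ADDR here is only the router
    return hops[-trusted_hops]

def is_allowed(addr, networks=ALLOWED_NETWORKS):
    """True if addr parses as an IP address inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                         # empty or unparsable: fail closed
        return False
    return any(ip in net for net in networks)

class IpAllowlistMiddleware:
    """WSGI middleware that answers 403 unless the client IP is allowlisted."""
    def __init__(self, app, networks=ALLOWED_NETWORKS, trusted_hops=1):
        self.app, self.networks, self.trusted_hops = app, networks, trusted_hops

    def __call__(self, environ, start_response):
        if not is_allowed(client_ip(environ, self.trusted_hops), self.networks):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Hello\n"]

def status_for(xff, trusted_hops=1, remote_addr="10.1.2.3"):
    """Push one constructed request through the middleware; return its status line."""
    environ = {"REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ[FORWARDED_HEADER] = xff
    seen = {}
    app = IpAllowlistMiddleware(hello_app, trusted_hops=trusted_hops)
    list(app(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"]
```

Set trusted_hops to the number of proxies in front of the application (one for the platform router alone, more when a CDN sits in front of it); the allowlist must never include the router's own address, or the fail-closed path loses its point.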
While rejecting certain requests based on the client's IP address can be effective, it should generally be used in conjunction with other forms of security, like a user authentication and authorization system.
For applications that run in a servlet container or behind a web server, it is also possible to instruct the server itself to reject connections from certain IP addresses.
For applications deployed on Apache Tomcat, edit the WEB-INF/web.xml file in the application and add the following:
    <filter>
        <filter-name>Remote Address Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <param-name>allow</param-name>
            <param-value><!-- insert your ip list / regex here --></param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Remote Address Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
This instructs the filter to block every IP address except the ones matched by the allow parameter. The filter also supports a deny parameter that blocks only the IP addresses matched. More information on the filter can be found in the Apache Tomcat documentation.
For Spring Boot applications that run with the embedded Apache Tomcat container, which is the default, use the same filter described in the Apache Tomcat section above, but configure it in code instead of XML. The Spring Boot documentation explains how to register a Servlet Filter; follow those instructions to enable the RemoteAddrFilter.
If a PHP application is running behind Apache HTTPD, the default for the PHP buildpack, use Apache HTTPD to restrict access to the application. The easiest way to do this is to include a .htaccess file with the application; the buildpack configures Apache HTTPD to look for these files. Here is an example that restricts access to the folder in which it is placed:
Require ip 23.28.250.16
More details on the syntax can be found in the Apache HTTPD documentation.
If a PHP application is running behind Nginx, which the PHP buildpack also supports, use Nginx to restrict access to the application. Do this by creating the file .bp-config/nginx/http-defaults.conf at the root of the application. This file overrides the buildpack's default configuration, so keep the defaults and append the IP-based restrictions:
    # default configuration from the buildpack
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    port_in_redirect off;
    root #{HOME}/#{WEBDIR};
    index index.php index.html;
    server_tokens off;
    # additional configuration to restrict by ip address (rules are checked in order)
    allow <ip-to-allow>;
    deny all;
More details on how Nginx restricts access by IP address can be found in the Nginx documentation.
The static file buildpack also uses Nginx to serve files, so Nginx's IP restriction directives work with this buildpack as well. The directive syntax is the same, but the buildpack configures Nginx differently; see the buildpack documentation for details.