apache
diff --git a/‎docs/en/latest/plugins/ua-restriction.md‎
Lines changed: 344 additions & 6 deletions b/‎docs/en/latest/plugins/ua-restriction.md‎
Lines changed: 344 additions & 6 deletions
@@ -30,18 +30,21 @@ description: The ua-restriction Plugin restricts access to upstream resources us
   <link rel="canonical" href="https://docs.api7.ai/hub/ua-restriction" />
 </head>
 
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 ## Description
 
 The `ua-restriction` Plugin supports restricting access to upstream resources through either configuring an allowlist or denylist of user agents. A common use case is to prevent web crawlers from overloading the upstream resources and causing service degradation.
 
 ## Attributes
 
-| Name           | Type          | Required | Default      | Valid values            | Description                                                                     |
-|----------------|---------------|----------|--------------|-------------------------|---------------------------------------------------------------------------------|
-| bypass_missing | boolean       | False    | false        |                         | If true, bypass the user agent restriction check when the `User-Agent` header is missing. |
-| allowlist      | array[string] | False    |              |                         | List of user agents to allow. Support regular expressions. At least one of the `allowlist` and `denylist` should be configured, but they cannot be configured at the same time.   |
-| denylist       | array[string] | False    |              |                         | List of user agents to deny. Support regular expressions. At least one of the `allowlist` and `denylist` should be configured, but they cannot be configured at the same time.   |
-| message        | string        | False    | "Not allowed" |  | Message returned when the user agent is denied access.    |
+| Name           | Type          | Required | Default       | Valid values   | Description                                                                                                                          |
+|----------------|---------------|----------|---------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| bypass_missing | boolean       | False    | false         |                | If `true`, bypasses the UA restriction check when the `User-Agent` header is missing.                                                |
+| allowlist      | array[string] | False    |               |                | List of allowed user agents (supports regex). Exactly one of `allowlist` or `denylist` must be configured.                           |
+| denylist       | array[string] | False    |               |                | List of denied user agents (supports regex). Exactly one of `allowlist` or `denylist` must be configured.                            |
+| message        | string        | False    | "Not allowed" | [1, 1024] chars | Message returned to the client when the user agent is not allowed.                                                                   |
 
 ## Examples
 
@@ -61,6 +64,17 @@ admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"/
 
 The following example demonstrates how you can configure the Plugin to fend off unwanted web crawlers and customize the rejection message.
 
+<Tabs
+groupId="api"
+defaultValue="admin-api"
+values={[
+{label: 'Admin API', value: 'admin-api'},
+{label: 'ADC', value: 'adc'},
+{label: 'Ingress Controller', value: 'aic'}
+]}>
+
+<TabItem value="admin-api">
+
 Create a Route and configure the Plugin to block specific crawlers from accessing resources with a customized message:
 
 ```shell
@@ -88,6 +102,164 @@ curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
   }'
 ```
 
+</TabItem>
+
+<TabItem value="adc">
+
+```yaml title="adc.yaml"
+services:
+  - name: ua-restriction-service
+    routes:
+      - name: ua-restriction-route
+        uris:
+          - /anything
+        plugins:
+          ua-restriction:
+            bypass_missing: false
+            denylist:
+              - "(Baiduspider)/(\\d+)\\.(\\d+)"
+              - "bad-bot-1"
+            message: "Access denied"
+    upstream:
+      type: roundrobin
+      nodes:
+        - host: httpbin.org
+          port: 80
+          weight: 1
+```
+
+Synchronize the configuration to the gateway:
+
+```shell
+adc sync -f adc.yaml
+```
+
+</TabItem>
+
+<TabItem value="aic">
+
+<Tabs
+groupId="k8s-api"
+defaultValue="gateway-api"
+values={[
+{label: 'Gateway API', value: 'gateway-api'},
+{label: 'APISIX Ingress Controller', value: 'apisix-ingress-controller'}
+]}>
+
+<TabItem value="gateway-api">
+
+```yaml title="ua-restriction-ic.yaml"
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: aic
+  name: httpbin-external-domain
+spec:
+  type: ExternalName
+  ports:
+    - port: 80
+  externalName: httpbin.org
+---
+apiVersion: apisix.apache.org/v1alpha1
+kind: PluginConfig
+metadata:
+  namespace: aic
+  name: ua-restriction-plugin-config
+spec:
+  plugins:
+    - name: ua-restriction
+      config:
+        bypass_missing: false
+        denylist:
+          - "(Baiduspider)/(\\d+)\\.(\\d+)"
+          - "bad-bot-1"
+        message: "Access denied"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  namespace: aic
+  name: ua-restriction-route
+spec:
+  parentRefs:
+    - name: apisix
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /anything
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: apisix.apache.org
+            kind: PluginConfig
+            name: ua-restriction-plugin-config
+      backendRefs:
+        - name: httpbin-external-domain
+          port: 80
+```
+
+Apply the configuration to your cluster:
+
+```shell
+kubectl apply -f ua-restriction-ic.yaml
+```
+
+</TabItem>
+
+<TabItem value="apisix-ingress-controller">
+
+```yaml title="ua-restriction-ic.yaml"
+apiVersion: apisix.apache.org/v2
+kind: ApisixUpstream
+metadata:
+  namespace: aic
+  name: httpbin-external-domain
+spec:
+  ingressClassName: apisix
+  externalNodes:
+  - type: Domain
+    name: httpbin.org
+---
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  namespace: aic
+  name: ua-restriction-route
+spec:
+  ingressClassName: apisix
+  http:
+    - name: ua-restriction-route
+      match:
+        paths:
+          - /anything
+      upstreams:
+      - name: httpbin-external-domain
+      plugins:
+      - name: ua-restriction
+        enable: true
+        config:
+          bypass_missing: false
+          denylist:
+            - "(Baiduspider)/(\\d+)\\.(\\d+)"
+            - "bad-bot-1"
+          message: "Access denied"
+```
+
+Apply the configuration to your cluster:
+
+```shell
+kubectl apply -f ua-restriction-ic.yaml
+```
+
+</TabItem>
+
+</Tabs>
+
+</TabItem>
+
+</Tabs>
+
 Send a request to the Route:
 
 ```shell
@@ -112,6 +284,17 @@ You should receive an `HTTP/1.1 403 Forbidden` response with the following messa
 
 The following example demonstrates how to configure the Plugin to allow requests of a specific user agent to bypass the UA restriction.
 
+<Tabs
+groupId="api"
+defaultValue="admin-api"
+values={[
+{label: 'Admin API', value: 'admin-api'},
+{label: 'ADC', value: 'adc'},
+{label: 'Ingress Controller', value: 'aic'}
+]}>
+
+<TabItem value="admin-api">
+
 Create a Route as such:
 
 ```shell
@@ -138,6 +321,161 @@ curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
   }'
 ```
 
+</TabItem>
+
+<TabItem value="adc">
+
+```yaml title="adc.yaml"
+services:
+  - name: ua-restriction-service
+    routes:
+      - name: ua-restriction-route
+        uris:
+          - /anything
+        plugins:
+          ua-restriction:
+            bypass_missing: true
+            allowlist:
+              - "good-bot-1"
+            message: "Access denied"
+    upstream:
+      type: roundrobin
+      nodes:
+        - host: httpbin.org
+          port: 80
+          weight: 1
+```
+
+Synchronize the configuration to the gateway:
+
+```shell
+adc sync -f adc.yaml
+```
+
+</TabItem>
+
+<TabItem value="aic">
+
+<Tabs
+groupId="k8s-api"
+defaultValue="gateway-api"
+values={[
+{label: 'Gateway API', value: 'gateway-api'},
+{label: 'APISIX Ingress Controller', value: 'apisix-ingress-controller'}
+]}>
+
+<TabItem value="gateway-api">
+
+```yaml title="ua-restriction-ic.yaml"
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: aic
+  name: httpbin-external-domain
+spec:
+  type: ExternalName
+  ports:
+    - port: 80
+  externalName: httpbin.org
+---
+apiVersion: apisix.apache.org/v1alpha1
+kind: PluginConfig
+metadata:
+  namespace: aic
+  name: ua-restriction-allowlist-plugin-config
+spec:
+  plugins:
+    - name: ua-restriction
+      config:
+        bypass_missing: true
+        allowlist:
+          - "good-bot-1"
+        message: "Access denied"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  namespace: aic
+  name: ua-restriction-route
+spec:
+  parentRefs:
+    - name: apisix
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /anything
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: apisix.apache.org
+            kind: PluginConfig
+            name: ua-restriction-allowlist-plugin-config
+      backendRefs:
+        - name: httpbin-external-domain
+          port: 80
+```
+
+Apply the configuration to your cluster:
+
+```shell
+kubectl apply -f ua-restriction-ic.yaml
+```
+
+</TabItem>
+
+<TabItem value="apisix-ingress-controller">
+
+```yaml title="ua-restriction-ic.yaml"
+apiVersion: apisix.apache.org/v2
+kind: ApisixUpstream
+metadata:
+  namespace: aic
+  name: httpbin-external-domain
+spec:
+  ingressClassName: apisix
+  externalNodes:
+  - type: Domain
+    name: httpbin.org
+---
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  namespace: aic
+  name: ua-restriction-route
+spec:
+  ingressClassName: apisix
+  http:
+    - name: ua-restriction-route
+      match:
+        paths:
+          - /anything
+      upstreams:
+      - name: httpbin-external-domain
+      plugins:
+      - name: ua-restriction
+        enable: true
+        config:
+          bypass_missing: true
+          allowlist:
+            - "good-bot-1"
+          message: "Access denied"
+```
+
+Apply the configuration to your cluster:
+
+```shell
+kubectl apply -f ua-restriction-ic.yaml
+```
+
+</TabItem>
+
+</Tabs>
+
+</TabItem>
+
+</Tabs>
+
 Send a request to the Route without modifying the user agent:
 
 ```shell