This repository is automatically updated with EVERTRUST's CIDR ranges for whitelisting purposes. Each line represents a valid CIDR range according to RFC 4632.
The latest version is available at all times at: https://raw.githubusercontent.com/evertrust/ip-addresses/main/ips.txt.
We recommend pulling this database every day, as we may add or remove addresses with a 48h interval.
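One way to sanity-check a freshly pulled copy of `ips.txt` before it replaces the list in use, as an added example that is not part of this repository. The function names, the prefix limits and the sample data are assumptions; a failed check raises so that the previous list stays in place.

```python
import ipaddress

# Assumption (not from the repository): prefixes broader than these are
# rejected as suspicious for a vendor allowlist.
MIN_PREFIX = {4: 16, 6: 32}


def parse_allowlist(text):
    """Parse a one-CIDR-per-line list; return (networks, errors)."""
    networks, errors = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines
        try:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            errors.append(f"line {lineno}: {net} is broader than /{MIN_PREFIX[net.version]}")
            continue
        networks.add(net)
    return networks, errors


def plan_update(current_text, fetched_text):
    """Return (added, removed), or raise ValueError so the old list stays in place."""
    current, _ = parse_allowlist(current_text)
    fetched, errors = parse_allowlist(fetched_text)
    if errors or not fetched:
        raise ValueError("refusing update: " + "; ".join(errors or ["empty list"]))
    order = lambda n: (n.version, n)  # keeps IPv4 and IPv6 from being compared
    return sorted(fetched - current, key=order), sorted(current - fetched, key=order)


# Constructed sample data using documentation ranges, not real EVERTRUST addresses.
CURRENT = "192.0.2.0/24\n198.51.100.0/24\n"
FETCHED_OK = "192.0.2.0/24\n203.0.113.0/24\n2001:db8::/32\n"
FETCHED_BAD = "192.0.2.0/24\n0.0.0.0/0\n<html>404</html>\n"

if __name__ == "__main__":
    print(plan_update(CURRENT, FETCHED_OK))
    try:
        plan_update(CURRENT, FETCHED_BAD)
    except ValueError as exc:
        print(exc)
```

Logging the returned additions and removals on each daily pull gives a reviewable record of how the allowlist changed.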
For convenience, this repository also keeps an index of some third-party vendor IP lists that are regularly updated. These lists come without any guarantee and are usually tailored for EVERTRUST's software integrations.
Currently, the following lists are maintained:
- `azuread_ips.txt`: the list of IPs used for SCIM provisioning for Entra (formerly Azure AD)
- `betteruptime_ips.txt`: the list of IPs used for Better Uptime
- `jamf_ips.txt`: the list of IPs used for Jamf
Generate a Kubernetes ConfigMap with one ModSecurity rule file per IP list:

```bash
mise run generate-modsecurity-configmap
```

This writes `modsecurity-rules-configmap.yaml`. The ConfigMap keys keep the service names, for example `azuread.conf`, `betteruptime.conf`, and `jamf.conf`. The root `ips.txt` list is written as `evertrust.conf`.
Each generated file sets `tx.allowed_source_ip=1` when `REMOTE_ADDR` matches its IP list. Add the final deny rule in the ingress annotation after the selected includes:

```yaml
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  SecAction "id:9998,phase:1,pass,nolog,setvar:tx.allowed_source_ip=0"
  Include /etc/nginx/modsecurity/ips/jamf.conf
  Include /etc/nginx/modsecurity/ips/betteruptime.conf
  SecRule TX:allowed_source_ip "@eq 0" "id:9999,phase:1,log,drop,status:444,severity:INFO"
```

Set `CONFIGMAP_NAME` or pass an output path to the script to customize the generated manifest:

```bash
CONFIGMAP_NAME=my-modsecurity-rules ./scripts/generate_modsecurity_configmap.sh ./configmap.yaml
```