Final resolution - the issue with the body templates was just misconfiguration, easily solved.
The other problem was a bit trickier. For inbound IP allow processing, if no methods are permitted then the connection is immediately closed in order to prevent DoS attacks. To get the effect Trilok wanted, the IP allow check needs to be delayed. The best way I could see to do this is to allow a nonsensical method. This causes the processing to delay until after the request has been parsed in order to check the method, but will (effectively) block any method and provide a standard denied response which uses the body templates. Something like

    ip_allow:
      apply: in
      ip_addr: 192.168.0.0/16
      action: allow
      method: "Twas brillig and the slithy toves did gyre and gimble in the wabe"

This allows inbound from those addresses but only if the method is about slithy toves. All other methods will be denied. Because methods can't have spaces (due to the way the request is parsed) it is not really possible for this to allow the request, and even if it does, nothing upstream is going to understand it.

I think we may want to formalize this and add an option to prevent an early decision, so one could do

    apply: in
    ip_addr: 192.168.0.0/16
    action: deny
    early: disable # don't close in early processing.
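A simplified model of the two-stage check described in this post, as an added example that is not the project's code. The rule layout, function names and return strings are assumptions made for illustration; it shows why an empty method set closes the connection at accept time while the placeholder method defers the decision and then denies every parseable request.

```python
import ipaddress

JABBERWOCKY = "Twas brillig and the slithy toves did gyre and gimble in the wabe"

# Constructed rules (hypothetical in-memory form of the configs in the post).
NO_METHODS = [{"net": "192.168.0.0/16", "methods": set()}]
PLACEHOLDER = [{"net": "192.168.0.0/16", "methods": {JABBERWOCKY}}]


def match_rule(rules, client_ip):
    """Return the first rule whose network contains client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["net"]):
            return rule
    return None  # assumption of this model: no match means nothing is permitted


def on_accept(rules, client_ip):
    """Early stage, before any request bytes are read."""
    rule = match_rule(rules, client_ip)
    if rule is None or not rule["methods"]:
        return "close"  # no method could ever pass, so drop immediately
    return "defer"      # at least one method is listed, wait for the request


def on_request(rules, client_ip, request_line):
    """Late stage, after the request line has been parsed."""
    # The method is the first space-delimited token, so it never contains a space.
    method = request_line.split(" ")[0]
    rule = match_rule(rules, client_ip)
    if rule is not None and method in rule["methods"]:
        return "forward"
    return "denied response (body template)"


def handle(rules, client_ip, request_line):
    """Run both stages in order for one inbound connection."""
    if on_accept(rules, client_ip) == "close":
        return "connection closed, no response"
    return on_request(rules, client_ip, request_line)


if __name__ == "__main__":
    for name, rules in (("no methods", NO_METHODS), ("placeholder", PLACEHOLDER)):
        print(name, "->", handle(rules, "192.168.1.10", "GET / HTTP/1.1"))
```
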
