Usually access to /sgdadmin happens either via the SGD Workspace or the direct link from the SGD home page. In order to protect access to /sgdadmin we can use the gateway and the client IP injection, the same way we protect the /balancer-manager of the gateway. We need to change the gateway.xml configuration to inject the Client IP for /sgdadmin as well. We need to comment out the noinject for /sgdadmin and add a line to inject the CLIENT_IP_ADDR. We also need to make sure the path for the TTA_SESSION_OBJECT no-injection is more specific.
Here is the corresponding block in my gateway.xml file. Since SGD 5.5 the gateway base64-encodes the injected data, so the Apache configuration below has to decode it before it can use the client IP.
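<client id="http-injector-client" class="HTTPINJECTOR-CLIENT">
  <subClient id="tcpclient"/>
  <maxBufferSize>8192</maxBufferSize>
  <!-- deliberately disabled: the CLIENT_IP_ADDR injection below must also apply to /sgdadmin -->
  <!--noinject path="/sgdadmin" /-->
  <!-- the path MUST be /sgd/ (with trailing slash): the more specific path presumably keeps
       this no-injection rule from also matching /sgdadmin by prefix - confirm on your version -->
  <noinject name="TTA_SESSION_OBJECT" src="cookie" path="/sgd/"/>
  <inject name="SSL_PEER_ID" src="info" signeddata="uid" path="/sgd"/>
  <inject name="OSGD_CHALLENGE_COOKIE" src="cookie" signeddata="challenge" path="/sgd"/>
  <!-- the client IP is injected for /sgd, /sgdadmin and /balancer-manager; the Apache
       configuration reads it from the OSGD-Signed-Data header to enforce the IP allow list -->
  <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/sgd"/>
  <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/sgdadmin"/>
  <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/balancer-manager"/>
  <inject name="X-Forwarded-For" src="header" signeddata="xforwardclientip" path="/sgd"/>
  <featurelist enabled="true"/>
  <!-- since SGD 5.5 the signed data is base64-encoded; every consumer must decode it -->
  <signedDataEncoding>application/base64</signedDataEncoding>
</client>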
Next we configure the Apache server of the SGD gateway to protect the Location /sgdadmin:
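# Modules used by the directives below. The three auth* modules are only needed
# if a password check (AuthUserFile + "Require valid-user") is added to the
# <Location> later; the IP allow list alone needs env and setenvif.
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
#
# Set the CLIENT_IP env variable and the X-Client-IP header from the base64
# encoded OSGD-Signed-Data header injected by the gateway. Only data that
# decodes and contains a "clientip=...;" field is used.
#
# NOTE(review): this only protects /sgdadmin if OSGD-Signed-Data can reach this
# Apache instance solely through the gateway injector; confirm clients cannot
# connect to it directly and supply the header themselves.
#
<If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">
    SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1
    RequestHeader set X-Client-IP %{CLIENT_IP}e
    # optionally provide the unencoded data as header as well
    # NOTE(review): confirm this decodes the header value rather than the literal
    # string "OSGD-Signed-Data"; unbase64(req('OSGD-Signed-Data')) as used above
    # is the form known to read the header.
    RequestHeader set X-OSGD-Unsigned-Data "expr=%{unbase64:OSGD-Signed-Data}"
</If>
<Else>
    # No usable signed data: drop any X-Client-IP the client sent itself so a
    # backend that trusts this header never sees a client-chosen value.
    RequestHeader unset X-Client-IP
</Else>
#
# Modify the log formats to include CLIENT_IP for troubleshooting; CLIENT_IP is
# empty for requests that carried no usable signed data.
#
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] CLIENT_IP=%{CLIENT_IP}e %M"
LogFormat "%h - CLIENT_IP=%{CLIENT_IP}e %l %u %t \"%r\" %>s %b \"%{Referer}i\"" sgdgw
CustomLog logs/access_log sgdgw
#
<Location /sgdadmin>
    # AuthType/AuthName alone enforce no password: without an AuthUserFile and a
    # "Require valid-user" line the CLIENT_IP expression below is the only gate.
    AuthType Basic
    AuthName "SGDAdmin"
    <RequireAny>
        # allowed source addresses as seen by the gateway; add one "Require expr"
        # line per address or network. Requests without a CLIENT_IP value should
        # be denied - verify by requesting /sgdadmin without the signed header.
        Require expr "%{env:CLIENT_IP} -ipmatch '67.180.102.252'"
    </RequireAny>
</Location>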
Now only requests whose gateway-injected client IP is 67.180.102.252 are allowed to access /sgdadmin.