
Protect access to /sgdadmin by client IP address on the SGD gateway

Jan-Oracle, Jul 3 2019 (edited Sep 13 2019)

Access to /sgdadmin usually happens either via the SGD Workspace or via the direct link on the SGD home page. To restrict access to /sgdadmin we can use the gateway and its client IP injection, the same way we protect the gateway's /balancer-manager. This requires changing the gateway.xml configuration so that the client IP is injected for /sgdadmin as well: comment out the noinject entry for /sgdadmin and add an inject line for CLIENT_IP_ADDR. We also need to make sure the path of the TTA_SESSION_OBJECT no-injection entry is more specific (/sgd/ rather than /sgd), since the prefix /sgd would otherwise also match /sgdadmin.

Here is the corresponding block in my gateway.xml file. Since SGD 5.5 the gateway base64-encodes the injected data, so the Apache configuration that consumes it has to decode it first.

<client id="http-injector-client" class="HTTPINJECTOR-CLIENT">
    <subClient id="tcpclient"/>
    <maxBufferSize>8192</maxBufferSize>
    <!--noinject path="/sgdadmin" /-->
    <noinject name="TTA_SESSION_OBJECT" src="cookie" path="/sgd/"/> <!-- the path MUST be /sgd/ -->
    <inject name="SSL_PEER_ID" src="info" signeddata="uid" path="/sgd"/>
    <inject name="OSGD_CHALLENGE_COOKIE" src="cookie" signeddata="challenge" path="/sgd"/>
    <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/sgd"/>
    <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/sgdadmin"/>
    <inject name="CLIENT_IP_ADDR" src="info" signeddata="clientip" path="/balancer-manager"/>
    <inject name="X-Forwarded-For" src="header" signeddata="xforwardclientip" path="/sgd"/>
    <featurelist enabled="true"/>
    <signedDataEncoding>application/base64</signedDataEncoding>
</client>

Next we need to configure the Apache server of the SGD gateway to protect the Location /sgdadmin. The decoded OSGD-Signed-Data header is matched for the clientip value, which is stored in the CLIENT_IP environment variable and then checked against the allowed address.

LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
# mod_headers is required for the RequestHeader directives below
LoadModule headers_module modules/mod_headers.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
#
# set env variable and header based on the base64 encoded OSGD-Signed-Data header
#
<If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">
    SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1
    RequestHeader set X-Client-IP %{CLIENT_IP}e
    # optionally provide the decoded data as a header as well
    # (decode the header value, not the literal header name)
    RequestHeader set X-OSGD-Unsigned-Data "expr=unbase64(%{http:OSGD-Signed-Data})"
</If>
#
# modify log file format to include the CLIENT_IP for better troubleshooting
#
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] CLIENT_IP=%{CLIENT_IP}e %M"
LogFormat "%h - CLIENT_IP=%{CLIENT_IP}e %l %u %t \"%r\" %>s %b \"%{Referer}i\"" sgdgw
CustomLog logs/access_log sgdgw
#
<Location /sgdadmin>
    AuthType Basic
    AuthName "SGDAdmin"
    <RequireAny>
        # one Require line per allowed client IP address
        Require expr "%{env:CLIENT_IP} -ipmatch '67.180.102.252'"
    </RequireAny>
</Location>

Now only requests from 67.180.102.252 are allowed to access /sgdadmin; requests without a decodable OSGD-Signed-Data header, or with a different clientip value, are rejected because CLIENT_IP is unset or does not match.
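To check what the gateway actually injects, and to understand why the Apache rule above accepts or rejects a request, it helps to reproduce the decision outside Apache. The following Python is an added example, not part of the original post or of SGD itself: it decodes a constructed OSGD-Signed-Data value, applies the same clientip=([^;]*); pattern the Apache config uses, and evaluates the allow-list. The key/value layout of the signed data (uid=...;clientip=...;) and the sample values are assumptions taken from the regex in the post; the allow-list also accepts CIDR ranges, which goes beyond the single address the post uses.

```python
import base64
import binascii
import ipaddress
import re
from typing import Iterable, Optional

# Same pattern the gateway's Apache config applies to the decoded header.
# Note the trailing ';' is required, exactly as in the Apache regex.
CLIENTIP_RE = re.compile(r"clientip=([^;]*);")


def decode_signed_data(header_value: Optional[str]) -> Optional[str]:
    """Base64-decode the OSGD-Signed-Data header; None if absent or malformed."""
    if not header_value:
        return None
    try:
        return base64.b64decode(header_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_client_ip(header_value: Optional[str]) -> Optional[str]:
    """Mirror SetEnvIfExpr: return the clientip capture, or None (CLIENT_IP unset)."""
    decoded = decode_signed_data(header_value)
    if decoded is None:
        return None
    match = CLIENTIP_RE.search(decoded)
    return match.group(1) if match else None


def is_allowed(header_value: Optional[str], allowed: Iterable[str]) -> bool:
    """Mirror 'Require expr %{env:CLIENT_IP} -ipmatch ...' over an allow-list.

    Single addresses and CIDR networks are both accepted. Any failure
    (missing header, bad base64, no clientip, unparsable address) is a deny,
    just as an unset CLIENT_IP fails the Require in Apache.
    """
    ip_text = extract_client_ip(header_value)
    if ip_text is None:
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


def make_header(signed_data: str) -> str:
    """Encode signed data the way SGD 5.5+ does (application/base64)."""
    return base64.b64encode(signed_data.encode("utf-8")).decode("ascii")


# Constructed sample values (assumed layout, not captured from a real gateway).
ALLOWLIST = ["67.180.102.252"]
ALLOWED_HEADER = make_header("uid=sgd-user;clientip=67.180.102.252;")
OTHER_HEADER = make_header("uid=sgd-user;clientip=198.51.100.7;")


if __name__ == "__main__":
    for label, hdr in [("allowed", ALLOWED_HEADER), ("other", OTHER_HEADER),
                       ("missing", None), ("garbage", "not base64!")]:
        print(f"{label:8} clientip={extract_client_ip(hdr)!s:16} "
              f"allowed={is_allowed(hdr, ALLOWLIST)}")
```

Because the decision depends only on the injected header and the allow-list, the same script can be pointed at a value copied from the gateway's access log (CLIENT_IP= in the sgdgw LogFormat) or from the optional X-OSGD-Unsigned-Data header to confirm which branch of the Apache rule a given request took.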
