Protect access to the SGD Gateway balancer-manager

Jan-Oracle, Oct 3 2018 — edited Sep 13 2019

Since SGD 5.4, the gateway injects the client IP address, but usually only for the endpoint /sgd. This can be configured in /opt/SUNWsgdg/etc/gateway.xml. In the following configuration I added the endpoint /balancer-manager so that it also receives the injected client IP address.

SGD 5.5 now base64 encodes the injected data.

<client class="HTTPINJECTOR-CLIENT" id="http-injector-client">
    <subClient id="tcpclient"/>

    <noinject path="/sgdadmin"/>
    <noinject name="TTA_SESSION_OBJECT" path="/sgd" src="cookie"/>
    <inject name="SSL_PEER_ID" path="/sgd" signeddata="uid" src="info"/>
    <inject name="OSGD_CHALLENGE_COOKIE" path="/sgd" signeddata="challenge" src="cookie"/>
    <inject name="CLIENT_IP_ADDR" path="/sgd" signeddata="clientip" src="info"/>
    <inject name="CLIENT_IP_ADDR" path="/balancer-manager" signeddata="clientip" src="info"/>
    <inject path="/sgd" signeddata="gateway-features" src="value" value="gateway-http-upgrade"/>
    <featurelist enabled="true"/>
</client>


Now requests will contain


SGD Gateway apache server configuration

In order to allow access to the balancer-manager only for specific IP addresses, protect the location as follows. In my example it will either allow users coming from class C subnet or the IP address or will ask for a username/password. It is best to consult the Apache documentation about expressions to learn more about how to use this directive. The file containing user names and passwords (/opt/SUNWsgdg.balancer_manager_passwords) has been created with the Apache htpasswd command, which can be found in the bin directory of any Apache install, for example on the SGD gateway in /opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)/bin

Note: to set up your shell environment so that you can run the standard Apache commands, use the following commands:

# APACHE_PATH=/opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)
# source $APACHE_PATH/bin/envvars

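We can create a password file with the following commands. Note that the -b option takes the password from the command line, where it can end up in shell history and is visible in process listings; without -b, htpasswd prompts for the password instead.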

# $APACHE_PATH/bin/htpasswd -cb /opt/SUNWsgdg.balancer_manager_passwords username password

# chown sgdgsys:sgdgserv /opt/SUNWsgdg.balancer_manager_passwords

We can now use this file in our balancer-manager config block for AuthType Basic. We combine the client IP restriction with password authentication by using RequireAll.

httpd-gateway.conf balancer-manager config

LoadModule env_module modules/
# load SetEnvIf module
LoadModule setenvif_module modules/

# set Env variable and Header based on the base64 encoded OSGD-Signed-Data header
<If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">
    SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1
    RequestHeader set X-Client-IP %{CLIENT_IP}e
    # optionally provide the unencoded data as header as well
    RequestHeader set X-OSGD-Unsigned-Data "expr=%{unbase64:OSGD-Signed-Data}"
</If>

<Location /balancer-manager>
    SetHandler balancer-manager
    AuthType Basic
    AuthName "Balancer Manager"
    AuthBasicProvider file
    AuthUserFile /opt/SUNWsgdg.balancer_manager_passwords
    # both conditions must hold: an allowed client IP and a valid login
    <RequireAll>
        # the client IP matches the allowed subnet or the single allowed address
        <RequireAny>
            Require expr "%{env:CLIENT_IP} -ipmatch ''"
            Require expr "%{env:CLIENT_IP} == ''"
        </RequireAny>
        Require valid-user
    </RequireAll>
</Location>

After making these configuration file changes, either restart the gateway with the /opt/SUNWsgdg/bin/gateway command or run $APACHE_PATH/bin/apachectl graceful. You can then access /balancer-manager after entering the proper credentials and coming from the configured IP address.
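
To check what this rule decides for a given header value before touching the gateway, the following added example (not part of the original post) mirrors the same regular expression and the "allowed IP and valid user" logic in Python. The key=value; layout of the decoded data, the helper names and the sample addresses are assumptions constructed for illustration.

```python
import base64
import ipaddress
import re

# Same pattern as the <If> / SetEnvIfExpr expressions in httpd-gateway.conf.
CLIENTIP_RE = re.compile(r"clientip=([^;]*);")


def extract_client_ip(header_value):
    """Return the injected client IP, or None if it cannot be recovered."""
    if not header_value:
        return None
    try:
        # This sketch rejects malformed base64 outright.
        decoded = base64.b64decode(header_value, validate=True).decode("utf-8")
        match = CLIENTIP_RE.search(decoded)
        return ipaddress.ip_address(match.group(1).strip()) if match else None
    except ValueError:  # bad base64, bad UTF-8 or a value that is not an IP
        return None


def access_allowed(header_value, valid_user, allowed_net, allowed_host):
    """(IP in subnet OR IP == host) AND authenticated user; else deny."""
    ip = extract_client_ip(header_value)
    if ip is None:
        return False  # no usable client IP: fail closed
    ip_ok = (ip in ipaddress.ip_network(allowed_net)
             or ip == ipaddress.ip_address(allowed_host))
    return ip_ok and bool(valid_user)


def encode(fields):
    """Build a constructed sample header value (assumed key=value; layout)."""
    return base64.b64encode(fields.encode()).decode()


if __name__ == "__main__":
    NET, HOST = "192.0.2.0/24", "198.51.100.7"  # constructed documentation ranges
    cases = [
        ("in subnet, logged in", encode("uid=x;clientip=192.0.2.15;"), True),
        ("in subnet, no login", encode("uid=x;clientip=192.0.2.15;"), False),
        ("other address", encode("clientip=203.0.113.9;"), True),
        ("header missing", None, True),
        ("not base64", "%%%", True),
        ("field unterminated", encode("clientip=192.0.2.15"), True),
    ]
    for label, header, user in cases:
        print(f"{label:20} -> {access_allowed(header, user, NET, HOST)}")
```

Only the first case is allowed; a missing header, an undecodable value or a clientip field without its terminating semicolon all end in a denial, which is the behaviour to confirm on the gateway itself after the reload.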
