
Protect access to the SGD Gateway balancer-manager

Jan-OracleOct 3 2018 — edited Sep 13 2019

Since SGD 5.4 the gateway injects the client IP address, but usually only for the endpoint /sgd. This can be configured in /opt/SUNWsgdg/etc/gateway.xml. In the following configuration I added the endpoint /balancer-manager to also receive the injected client IP address.

SGD 5.5 now base64-encodes the injected data.

/opt/SUNWsgdg/etc/gateway.xml
<client class="HTTPINJECTOR-CLIENT" id="http-injector-client">
    <subClient id="tcpclient"/>
    <maxBufferSize>8192</maxBufferSize>
    <noinject path="/sgdadmin"/>
    <noinject name="TTA_SESSION_OBJECT" path="/sgd" src="cookie"/>
    <inject name="SSL_PEER_ID" path="/sgd" signeddata="uid" src="info"/>
    <inject name="OSGD_CHALLENGE_COOKIE" path="/sgd" signeddata="challenge" src="cookie"/>
    <inject name="CLIENT_IP_ADDR" path="/sgd" signeddata="clientip" src="info"/>
    <!-- added line: inject the client IP for /balancer-manager as well -->
    <inject name="CLIENT_IP_ADDR" path="/balancer-manager" signeddata="clientip" src="info"/>
    <inject path="/sgd" signeddata="gateway-features" src="value" value="gateway-http-upgrade"/>
    <featurelist enabled="true"/>
    <signedDataEncoding>application/base64</signedDataEncoding>
</client>

Now requests to these endpoints carry the signed data. Decoded (with SGD 5.5 the header value on the wire is base64 encoded), it looks like this:

HTTP_OSGD_SIGNED_DATA="clientip=156.151.8.2;gateway-features=routing-token-nocert,gateway-http-upgrade;timestamp=1532641478482"

SGD Gateway Apache server configuration

To allow access to the balancer-manager only from specific IP addresses, protect the location as follows. In my example a request is accepted if it comes from the class C subnet 156.151.8.0 (156.151.8.0/24) or from the IP address 67.180.102.252, and it must additionally present a valid username/password, as the RequireAll block below enforces. It is best to consult the Apache documentation on expressions to learn more about how to use these directives. The file containing user names and passwords (/opt/SUNWsgdg.balancer_manager_passwords) was created with the Apache htpasswd command, which is found in the bin directory of any Apache install, for example on the SGD gateway in /opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)/bin

Note: to set up your shell environment so that the standard Apache commands can be run, use the following commands

# APACHE_PATH=/opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)
# source $APACHE_PATH/bin/envvars

We can create the password file with htpasswd (-c creates the file; -b takes the password on the command line, which leaves it in the shell history, so omit -b to be prompted for it instead):

# $APACHE_PATH/bin/htpasswd -cb /opt/SUNWsgdg.balancer_manager_passwords username password
# chown sgdgsys:sgdgserv /opt/SUNWsgdg.balancer_manager_passwords

Now we can reference this file in the balancer-manager config block with AuthType Basic. We combine the client IP restriction with password authentication by using RequireAll. Besides mod_env and mod_setenvif, the directives below also need mod_headers, mod_auth_basic, mod_authn_file and mod_authz_core to be loaded. Note that this configuration only base64-decodes the OSGD-Signed-Data header and does not verify its signature, so the IP condition is meaningful only for requests that reach httpd through the gateway's HTTP injector; the password check is what protects the page from anyone able to talk to httpd directly.

httpd-gateway.conf balancer-manager config
LoadModule env_module modules/mod_env.so
# load SetEnvIf module
LoadModule setenvif_module modules/mod_setenvif.so

#
# set Env variable and Header based on the base64 encoded OSGD-Signed-Data header
#
<If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">
    SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1
    RequestHeader set X-Client-IP %{CLIENT_IP}e
    # optionally provide the unencoded data as header as well
    RequestHeader set X-OSGD-Unsigned-Data "expr=%{unbase64:OSGD-Signed-Data}"
</If>

<Location /balancer-manager>
    SetHandler balancer-manager
    AuthType Basic
    AuthName "Balancer Manager"
    AuthBasicProvider file
    AuthUserFile /opt/SUNWsgdg.balancer_manager_passwords
    <RequireAll>
        <RequireAny>
            Require expr "%{env:CLIENT_IP} -ipmatch '156.151.8.0/24'"
            Require expr "%{env:CLIENT_IP} == '67.180.102.252'"
        </RequireAny>
        Require valid-user
    </RequireAll>
</Location>

After making these configuration file changes, either restart the gateway with the /opt/SUNWsgdg/bin/gateway command or run $APACHE_PATH/bin/apachectl graceful. You can then access /balancer-manager from one of the configured IP addresses after entering the proper credentials.
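To check what the <If> and <RequireAny> blocks above will decide for a given header value before touching httpd-gateway.conf, here is an added shell helper (my example, not part of the original post or of SGD). It decodes a constructed OSGD-Signed-Data value the way the Apache expression does, extracts clientip with the same regex and applies the same allow-list; the CIDR check is generalized so any prefix length can be tried, not only the /24 used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run of the allow-list that
# the Apache <If> / <RequireAny> configuration enforces for /balancer-manager.

# Mirror of SetEnvIfExpr's /clientip=([^;]*);/ applied to the base64-decoded
# header value; prints nothing when the field is absent or decoding fails.
client_ip_from_signed_data() {
    printf '%s' "$1" | base64 -d 2>/dev/null | sed -n 's/.*clientip=\([^;]*\);.*/\1/p'
}

# Dotted quad to a 32-bit integer; fails (prints nothing) on a malformed address.
ip_to_int() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    case $d in ''|*.*) return 1 ;; esac
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Same test as Apache's -ipmatch, for any prefix length: $1 address, $2 net/prefix.
ip_in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The <RequireAny> policy from the Location block: the /24 or the single host.
client_ip_allowed() {
    ip_in_cidr "$1" 156.151.8.0/24 || [ "$1" = 67.180.102.252 ]
}

# Constructed sample: the decoded value shown earlier, encoded as SGD 5.5 sends it.
SAMPLE=$(printf '%s' 'clientip=156.151.8.2;gateway-features=routing-token-nocert,gateway-http-upgrade;timestamp=1532641478482' | base64 | tr -d '\n')

ip=$(client_ip_from_signed_data "$SAMPLE")
if client_ip_allowed "$ip"; then echo "allow $ip"; else echo "deny $ip"; fi
```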
