Forum Discussion

Jose_Santiago_O
Jul 10, 2007

OneConnect and IP access.

Hi,

I'm considering enabling OneConnect on my site. My site is private (you have to provide a user and password to access more information), but we have configured on my web servers several IP/mask entries that can navigate freely through the whole site without being asked for a user/password.

I'm reading that with a 0.0.0.0 mask the web server will log only the original IP address. My question is: if one person from one of my allowed hosts enters and then this connection is re-used by another person on another (unrestricted) IP, will this person have free access to my whole site?

On my web servers I am using an ISAPI to catch the IP address on every request. On my virtual server I also have source-address persistence.

Regards,

Jose Oyervides.
    Deb_Allen_18
    Historic F5 Account
    Hi Jose -

    If your servers are conditioning access on the actual L3 address header and not the X-Forwarded-For header value, then yes, your security scheme would be subverted if you apply the default OneConnect profile.

    You can still take advantage of OneConnect and still prevent sharing the serverside connection (and apparent source address) with users from other addresses. Just apply a custom OneConnect profile with a host mask (255.255.255.255) or a subnet mask as small as your smallest subnet. That will limit sharing of connections to only those who match the original request IP/subnet.

    (LTM persistence is based on the original clientside source IP, so that won't cause any problems.)

    HTH

    /deb
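To make the effect of the source mask concrete, here is an added, constructed model of OneConnect's reuse decision (not F5 code and not from either poster): an idle serverside connection is reused only when the masked client addresses match, and a reused connection keeps presenting the first client's IP to the web server. The allow-listed address 10.1.1.5 and the client addresses are assumptions for the simulation.

```python
import ipaddress

# Constructed allow list: the web server lets this host in without a login.
ALLOWED_WITHOUT_LOGIN = {ipaddress.ip_address("10.1.1.5")}


def masked(ip, source_mask):
    """Apply a dotted-quad source mask to an IPv4 address, as the profile does."""
    return int(ipaddress.ip_address(ip)) & int(ipaddress.ip_address(source_mask))


class OneConnectModel:
    """Simplified model of a OneConnect profile with a given source mask."""

    def __init__(self, source_mask):
        self.source_mask = source_mask
        self.idle = []  # idle serverside connections: (masked key, source IP the server sees)

    def request(self, client_ip):
        """Handle one request and return the source IP the web server sees."""
        key = masked(client_ip, self.source_mask)
        for i, (k, origin) in enumerate(self.idle):
            if k == key:
                self.idle.pop(i)   # reuse: the server still sees the original client
                seen = origin
                break
        else:
            seen = client_ip       # no match: a new serverside connection from this client
        self.idle.append((key, seen))  # connection returns to the idle pool afterwards
        return seen


def server_requires_login(seen_ip):
    """The web server's L3-based check, as described in the question."""
    return ipaddress.ip_address(seen_ip) not in ALLOWED_WITHOUT_LOGIN


def simulate(source_mask, second_client="203.0.113.9"):
    """Allowed host browses first, then another client arrives.
    Returns (IP the server sees for the second client, whether it is asked to log in)."""
    lb = OneConnectModel(source_mask)
    lb.request("10.1.1.5")
    seen = lb.request(second_client)
    return seen, server_requires_login(seen)
```

With the default 0.0.0.0 mask the second client inherits the allowed host's connection and is never challenged; with a 255.255.255.255 host mask it gets its own connection and must log in, and a subnet mask shares only within that subnet.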