Forum Discussion
Ali_F_101979
Nimbostratus
NimbostratusRestrict admin GUI to certain IPs
Using 3400 & 6400 with v9.4.3 HF1, I used the following commands to restrict GUI (webadmin) access to one ip: (example)
b httpd allow 192.168.1.254/255.255.255.255
b save all
bigstart restart httpd
The above doesn't work. If I look at /etc/hosts.allow file, I don't see the above restriction being added! I didn't try to modify /config/httpd.conf and /etc/hosts.allow files manually because at the top of the files, they say:
THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!
Use the bigpipe shell utility to make changes to the system configuration.
Does anyone know how to restrict management https access to one or more IP addresses?
Thanks!
hoolioCirrostratus
When you change use b httpd allow IP, it should modify the internal database and the httpd.conf. You can view the configuration using 'b db list'. The key is called service.httpd.allow:
db service.httpd.allow {
"10.11.12.13/32"
}
You should also see the httpd.conf modified:
Controls who can get stuff from this server.
Order Deny,Allow
Allow from 127 10.11.12.13/32/32
However, it doesn't look like there is a deny from clause which would actually block access from any other ip/range.
I would have expected it to look like this:
Controls who can get stuff from this server.
Order Deny,Allow
Allow from 127 192.168.99.210/32
deny from all
Anyone else know the story on this?
Aaron
Ali_F_101979Thanks Aaron. I just tested again and noticed that if I add "deny from all" to httpd.conf, it will work. A workaround is to copy modified httpd.conf and restart daemon in "/config/startup" file everytime F5 starts up. But, i will check with tech support for a permanent fix.
Thanks again!
AF