Ali_F_101979
Jan 29, 2008

Restrict admin GUI to certain IPs

Using 3400 & 6400 with v9.4.3 HF1, I used the following commands to restrict GUI (webadmin) access to one IP (example):

    b httpd allow 192.168.1.254/255.255.255.255
    b save all
    bigstart restart httpd

The above doesn't work. If I look at the /etc/hosts.allow file, I don't see the above restriction being added! I didn't try to modify the /config/httpd.conf and /etc/hosts.allow files manually because at the top of the files, they say:

    THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!
    Use the bigpipe shell utility to make changes to the system configuration.

Does anyone know how to restrict management HTTPS access to one or more IP addresses?

Thanks!

2 Replies

  • When you use 'b httpd allow IP', it should modify the internal database and the httpd.conf. You can view the configuration using 'b db list'. The key is called service.httpd.allow:

        db service.httpd.allow {
            "10.11.12.13/32"
        }

    You should also see the httpd.conf modified:

        # Controls who can get stuff from this server.
        Order Deny,Allow
        Allow from 127 10.11.12.13/32/32

    However, it doesn't look like there is a deny from clause which would actually block access from any other IP/range.

    I would have expected it to look like this:

        # Controls who can get stuff from this server.
        Order Deny,Allow
        Allow from 127 192.168.99.210/32
        deny from all

    Anyone else know the story on this?

    Aaron
  • Thanks Aaron. I just tested again and noticed that if I add "deny from all" to httpd.conf, it will work. A workaround is to copy the modified httpd.conf and restart the daemon in the "/config/startup" file every time the F5 starts up. But I will check with tech support for a permanent fix.

    Thanks again!

    AF
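
Why the block discussed in the replies above leaves the GUI reachable without a deny line, as an added example that is not part of the original thread: a small Python evaluator of Apache 2.0/2.2 Order/Allow/Deny semantics, run over the "expected" snippet from the first reply with and without `deny from all`. The function names and the client address 192.168.99.50 are constructed for illustration; only IPv4 is handled.

```python
import ipaddress

def _matches(spec, client):
    """True if one Allow/Deny 'from' token covers the client IPv4 address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR or address/netmask form
        return client in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:  # partial address such as "127" is a prefix match
        return str(client).split(".")[:len(octets)] == octets
    return client == ipaddress.ip_address(spec)

def access_allowed(config_text, client_ip):
    """Evaluate Order/Allow/Deny lines as Apache 2.0/2.2 host access control does."""
    client = ipaddress.ip_address(client_ip)
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is Apache's default order
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(_matches(s, client) for s in allow)
    denied = any(_matches(s, client) for s in deny)
    if order == "deny,allow":
        # Default is ALLOW: a client is blocked only when a Deny matches
        # and no Allow overrides it. With no Deny line, nobody is blocked.
        return allowed or not denied
    # Order Allow,Deny: default is DENY, and any matching Deny wins.
    return allowed and not denied

# The snippet from the first reply, without and with its final line.
WITHOUT_DENY = """# Controls who can get stuff from this server.
Order Deny,Allow
Allow from 127 192.168.99.210/32
"""
WITH_DENY = WITHOUT_DENY + "deny from all\n"

if __name__ == "__main__":
    for name, conf in (("without deny", WITHOUT_DENY), ("with deny", WITH_DENY)):
        for ip in ("192.168.99.210", "192.168.99.50"):  # second address is constructed
            print(name, ip, "allowed" if access_allowed(conf, ip) else "denied")
```

Running the same function over the live /config/httpd.conf block after each `bigstart restart httpd` shows whether the regenerated file still lacks the deny line.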