Last updated
April 29, 2021
Issue
Generally, the authoring instance is located behind a company's firewall, which provides full protection. For external access, or to improve authoring performance, the instance may be exposed to the outside world through a web server using the Dispatcher module [0]. How can system-level access be restricted to a single IP address or a range of IP addresses for increased security?
Solution
Using a ModSecurity [1] rule is one option for limiting use of the "admin" login to certain IP addresses. The steps are:
- Install the mod_security module.
- Load/enable mod_security and unique_id_module in httpd.conf.
- Configure the security rules; for more details refer to [2].
A sample httpd.conf for Apache (steps 2 and 3 above) that allows the system admin login only from IP address 172.16.208.11 is shown below:
. . .
# mod_unique_id is required by mod_security2
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
. . .
<IfModule mod_security2.c>
    SecRuleEngine On
    # Request body access is needed so the POSTed j_username can be inspected
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
</IfModule>
. . .
<LocationMatch /libs/cq/core/content/login.html/j_security_check>
    # Chained rule: deny only when the client is NOT 172.16.208.11
    # AND the submitted username (lower-cased) is "admin"
    SecRule REMOTE_ADDR "!@ipMatch 172.16.208.11" "id:'23000',chain,deny,log"
    SecRule ARGS:j_username "admin" "t:lowercase"
</LocationMatch>
Note:
The same can be applied to the web server configured for a publish instance.
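The article's rule allows a single address; the question also asks about a range. The following is an added example, not part of the original article or the product's own configuration, showing the same chained rule with an allow list in CIDR notation. The 172.16.208.0/24 network and the 10.20.30.40 jump host are assumed values; the rule id 23000 is reused from the article.

```apache
# Added example (not from the original article).
# @ipMatch accepts a comma-separated list of single addresses and CIDR ranges,
# so one rule can cover an admin subnet plus an individual host.
<LocationMatch /libs/cq/core/content/login.html/j_security_check>
    # Rule 1 (chain starter): matches any client NOT in the allow list.
    # Because of "chain", the "deny" is only applied if rule 2 also matches.
    # phase:2 is needed because j_username arrives in the POST body.
    SecRule REMOTE_ADDR "!@ipMatch 172.16.208.0/24,10.20.30.40" \
        "id:'23000',phase:2,chain,deny,status:403,log,msg:'admin login attempt from non-allow-listed IP'"

        # Rule 2 (chained): exact, case-insensitive comparison of the username.
        # @streq is used instead of the default regex so that names merely
        # containing "admin" (e.g. "badminton") are not blocked.
        SecRule ARGS:j_username "@streq admin" "t:lowercase"
</LocationMatch>
```

Two practical checks before relying on this: first, confirm that REMOTE_ADDR is really the client's address. If the web server sits behind a load balancer or reverse proxy, REMOTE_ADDR holds the proxy's address and every client will be treated the same; in that case configure mod_remoteip (or inspect the proxy-supplied header) so the rule sees the original client. Second, the "log" action writes a denial with `[id "23000"]` to the error/audit log, which is the line to alert on for admin login attempts from outside the allowed range.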