Issue

An authoring instance is usually located behind a company's firewall, which provides full protection. For external access, or to improve authoring performance, the instance may be exposed to the external world through a web server using the dispatcher module [0]. How can system-level access be restricted to a single IP address or a range of IP addresses for increased security?

Solution

A ModSecurity [1] rule is one option for limiting use of the "admin" login to certain IP addresses. The steps are:

  1. Install the mod_security plugin.
  2. Load/enable mod_security and unique_id_module in httpd.conf.
  3. Configure the security rules; for more details, refer to [2].

A sample httpd.conf for Apache (steps 2 and 3 above) that allows system admin login only from IP 172.16.208.11 is shown below:

.
.
.

LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

.
.
.

<IfModule mod_security2.c>
	SecRuleEngine On
	SecRequestBodyAccess On
	SecResponseBodyAccess Off
</IfModule>

.
.
.

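<LocationMatch /libs/cq/core/content/login.html/j_security_check>
	# Deny (and log) the login request when both chained conditions match:
	# 1. the client address is not 172.16.208.11
	SecRule REMOTE_ADDR "!@ipMatch 172.16.208.11" "id:'23000',chain,deny,log"
	# 2. the lowercased j_username matches "admin" (the default operator is
	#    @rx, so any username containing "admin" matches)
	SecRule ARGS:j_username "admin" "t:lowercase"
</LocationMatch>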
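
The sample above allows a single address. The variant below is an added example, not part of the original article: it covers the address-range case from the question by giving @ipMatch a comma-separated list that includes a CIDR block, and it sets an explicit phase, response status and log message. The range 172.16.208.0/24, the address 172.16.210.5, the rule id 23001 and the message text are assumed values chosen for illustration.

```apache
<LocationMatch /libs/cq/core/content/login.html/j_security_check>
	# Added example. Addresses, rule id and message are assumed values.
	# @ipMatch accepts a comma-separated list of addresses and CIDR blocks.
	# phase:2 runs after the request body has been read, so the POSTed
	# j_username is available (this needs SecRequestBodyAccess On).
	SecRule REMOTE_ADDR "!@ipMatch 172.16.208.0/24,172.16.210.5" \
		"id:23001,phase:2,chain,deny,status:403,log,msg:'admin login from non-allowed address'"
	# Same username test as the original rule.
	SecRule ARGS:j_username "admin" "t:lowercase"
</LocationMatch>
```

REMOTE_ADDR is the address of the peer that connected to Apache, so if a load balancer or proxy sits in front of the web server, the rule sees that device's address rather than the client's.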

Note:

The same can be applied to a web server configured for a publish instance.

Reference

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.