Thursday, September 15, 2011

How to allow only certain IP addresses to connect to the author instance

Problem: You want only certain IP addresses to be able to access your author instance.

Use case: You have a dispatcher in front of the author instance and you want everyone to access author through the dispatcher.

Solution:
Approach 1: Put your author instance in a DMZ or behind a firewall and open the firewall port only for the dispatcher.

Approach 2:
Modify server.xml under /crx-quickstart/server/etc/ and add the following entry:


<listener>
  <access-constraint>
    <deny>
      <ip-address>IP address you want to deny</ip-address>
    </deny>
    <allow>
      <ip-address>IP address you want to allow</ip-address>
    </allow>
  </access-constraint>
  ......
</listener>

See server_3_0.dtd for details of tags.

Approach 3:

You can also use the dispatcher.any file to allow specific IP addresses:


/allowedClients
  {
  /0000
    {
    /glob "*"
    /type "deny"
    }
  /0001
    {
    /glob "localhost"
    /type "allow"
    }
  /0002
    {
    /glob "127.0.0.1"
    /type "allow"
    }
  }
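
An added example (not part of the original post): a small Python check that parses an /allowedClients block like the one above, reports which clients it would admit, and flags ordering or wildcard mistakes. It assumes rules are evaluated top to bottom with the last matching rule winning, approximates dispatcher globs with Python's fnmatch, and adds a constructed address (192.0.2.10); parse_rules, decide and audit are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the post's deny-all-then-allow block plus one extra
# address (192.0.2.10 is a documentation-range placeholder, not from the post).
SAMPLE = '''
/allowedClients
  {
  /0000 { /glob "*"          /type "deny"  }
  /0001 { /glob "localhost"  /type "allow" }
  /0002 { /glob "127.0.0.1"  /type "allow" }
  /0003 { /glob "192.0.2.10" /type "allow" }
  }
'''

RULE_RE = re.compile(
    r'/(\w+)\s*\{\s*/glob\s+"([^"]*)"\s*/type\s+"(allow|deny)"\s*\}')

def parse_rules(text):
    """Return [(name, glob, type), ...] in file order."""
    return RULE_RE.findall(text)

def decide(rules, client):
    """Assumption: rules run top to bottom and the last match wins;
    a client that matches no rule is denied."""
    verdict = "deny"
    for _name, glob, rtype in rules:
        if fnmatchcase(client, glob):  # fnmatch approximates dispatcher globs
            verdict = rtype
    return verdict

def audit(rules):
    """Flag rule sets that admit more (or fewer) clients than intended."""
    findings = []
    if not rules or rules[0][1:] != ("*", "deny"):
        findings.append("first rule is not a catch-all deny")
    for i, (name, glob, rtype) in enumerate(rules):
        if rtype == "allow" and any(c in glob for c in "*?["):
            findings.append(f"{name}: allow rule uses wildcard {glob!r}")
        if i > 0 and (glob, rtype) == ("*", "deny"):
            findings.append(f"{name}: catch-all deny overrides rules above it")
    return findings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for ip in ("127.0.0.1", "192.0.2.10", "203.0.113.5"):
        print(ip, decide(rules, ip))
    print(audit(rules) or "no findings")
```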

3 comments:

  1. How to put many IP addresses? Example: deny from all except certain IP addresses?

    1. I have updated the blog with approach 3, where you can leverage dispatcher.any to do this task.

      Yogesh

  2. There is no server.xml file under the /crx-quickstart/server/etc/ directory in an AEM 5.6.1 installation.
    We have the requirement to allow only certain IP addresses to access the Author instance and want everyone else to go through the Author Dispatcher.

    Approaches 1 and 3 are not viable options. Approach 2 looks promising, but the server.xml file is not available with AEM 5.6.1. Are there any other alternatives available for AEM 5.6.1?
