Thursday, September 15, 2011

How to allow only certain IP addresses to connect to the author instance

Problem: You want only certain IP addresses to be able to access your author instance.

Use case: You have a dispatcher in front of the author instance and you want everyone to reach author through the dispatcher, never directly.

Solution:
Approach 1: Put the author instance in a DMZ or behind a firewall and open the author port (4502 by default) on the firewall only for the dispatcher host. The restriction is then enforced at the network layer, before any request reaches CQ.

Approach 2: (only available in CQ 5.4 or lower)
Modify server.xml under /crx-quickstart/server/etc/ and add the following entry:


<listener>
  <access-constraint>
    <deny>
      <ip-address><IP address you want to deny></ip-address>
    </deny>
    <allow>
      <ip-address><IP address you want to allow></ip-address>
    </allow>
  </access-constraint>
  ......
</listener>

See server_3_0.dtd for details of the tags. Keep in mind that when the author sits behind a dispatcher, the author sees the dispatcher's IP address as the client, so the allow entry here should list the dispatcher host (plus any administrator hosts that connect directly); restrictions on end users have to be applied on the dispatcher's web server.

Approach 3:

You can also use the /allowedClients section of the dispatcher.any file to allow specific IPs. Be aware of what this section actually controls: /allowedClients restricts which clients the dispatcher accepts cache-flush (invalidation) requests from; it does not restrict which clients can browse to the author through the dispatcher. For the latter, restrict client addresses in the web server itself (Approach 4, or Apache's own host-based access control).


/allowedClients
  {
  # deny every client first ...
  /0000
    {
    /glob "*"
    /type "deny"
    }
  # ... then allow the specific hosts
  /0001
    {
    /glob "localhost"
    /type "allow"
    }
  /0002
    {
    /glob "127.0.0.1"
    /type "allow"
    }
  }

Approach 4:

Use the ModSecurity Apache module to restrict client IP addresses on the web server that fronts the dispatcher. More detail about the module can be found at the links below:

About the ModSecurity module: https://www.modsecurity.org/

Set up the ModSecurity module in Apache: https://linode.com/docs/web-servers/apache-tips-and-tricks/configure-modsecurity-on-apache/

Restrict IP addresses using ModSecurity: https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity
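As an added worked example (not from the original post or from Adobe's documentation), here is how the "deny from all except certain IP addresses" requirement raised in the comments can be expressed in the Apache virtual host that fronts the author instance, once using Apache's built-in host-based access control and once as a ModSecurity rule (Approach 4). The host name author.example.com, the addresses 10.0.1.10, 10.0.1.11 and 192.168.50.0/24 and the rule id 100001 are assumptions for illustration; substitute the dispatcher and administrator addresses for your environment.

```apache
# Author-facing virtual host on the dispatcher web server (assumed name, for illustration)
<VirtualHost *:443>
    ServerName author.example.com

    <IfModule disp_apache2.c>
        DispatcherConfig conf/dispatcher.any
    </IfModule>

    # Built-in allowlist (mod_authz_host, Apache 2.4): any client not listed gets 403.
    # Apache 2.2 equivalent: Order deny,allow / Deny from all / Allow from <list>
    # Only REMOTE_ADDR (the TCP peer) is checked; X-Forwarded-For is client-controlled
    # and must not be used for this decision unless a trusted proxy sets it.
    <Location "/">
        SetHandler dispatcher-handler
        Require ip 10.0.1.10 10.0.1.11 192.168.50.0/24
    </Location>

    # The same policy as a ModSecurity rule, useful where ModSecurity is already
    # deployed and the denial should show up in its audit log.
    # phase:1 runs on request headers, before the request is proxied to author.
    <IfModule security2_module>
        SecRuleEngine On
        SecRule REMOTE_ADDR "!@ipMatch 10.0.1.10,10.0.1.11,192.168.50.0/24" \
            "id:100001,phase:1,deny,status:403,log,msg:'Author access from non-allowlisted client'"
    </IfModule>
</VirtualHost>
```

Either block alone is sufficient; the two are shown together to make the equivalence clear. Both only protect the path through the web server: direct connections to the author's own port still have to be blocked with Approach 1 or Approach 2, otherwise the allowlist is bypassed by simply connecting to port 4502.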

5 comments:

  1. How to put many IP addresses? Example: deny from all except certain IP addresses?

    1. I have updated the blog with Approach 3, where you can leverage dispatcher.any to do this task.

      Yogesh

  2. There is no server.xml file under the /crx-quickstart/server/etc/ directory in an AEM 5.6.1 installation.
    We have the requirement to allow only certain IP addresses to access the Author instance and want everyone else to go through the Author Dispatcher.

    Approach 1 and 3 are not viable options. Approach 2 looks promising, but the server.xml file is not available with AEM 5.6.1. Are there any other alternatives available for AEM 5.6.1?

    1. Another way is to use a dispatcher in front of Author and use the Apache module (ModSecurity) https://linode.com/docs/web-servers/apache-tips-and-tricks/configure-modsecurity-on-apache/ to restrict access.

  3. ModSecurity can help us achieve this:

    https://helpx.adobe.com/experience-manager/kb/restrict-system-administrator-login-specific.html
