Hey all, I have a WAN-facing install due to many of my team operating with mobile phone hotspots whilst visiting customers. An issue I'm having is I want to restrict the GUI to only our admin team's IP address, but editing the Apache config with:

    # webUI is now completely static, and served out of that directory
    Alias /ipa/ui "/usr/share/ipa/ui"
    <Directory "/usr/share/ipa/ui">
      SetHandler None
      AllowOverride None
      Satisfy Any
      Require all granted
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
      <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
        ExpiresDefault "access plus 0 seconds"
      </FilesMatch>
      Order allow,deny
      Allow from <ADMIN IP RANGE>
    </Directory>

is still allowing anyone with a browser to reach the IPA GUI. We have Keycloak in place for staff and users to update their passwords. Any pointers? I would personally prefer to firewall it off, but that affects other IPA features.
Entrepreneur AJ via FreeIPA-users wrote:
> [...]
Use Require instead of Allow/Order. See https://httpd.apache.org/docs/2.4/howto/access.html
rob
Hi Rob, I used the link you sent and tried many iterations, including enabling .htaccess override and trying it in a .htaccess file; none of them worked. Running httpd -M | grep auth shows that the relevant module is enabled.
I tried changing Require all granted to Require all denied just to get it blocking everything as a first step, and that still allows access. Any other pointers?
Entrepreneur AJ via FreeIPA-users wrote:
> [...]
I'm guessing that validation first occurs in /ipa and with a valid user they are allowed in. Try something like this in the /ipa Location.
    <RequireAll>
      Require valid-user
      Require ip 10.1.100
    </RequireAll>
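As an added illustration of Rob's suggestion (example configuration, not Rob's or FreeIPA's own file), the fragment below puts the pattern from the original post next to the `<RequireAll>` form, with comments on why the first one never restricts anything. It assumes the stock `/etc/httpd/conf.d/ipa.conf` already carries a `<Location "/ipa">` block that sets up GSSAPI authentication and ends in `Require valid-user`; the ranges `10.1.100` and `203.0.113.0/24` are placeholders for the admin team's addresses.

```apache
# Added example, not FreeIPA's shipped ipa.conf. Admin ranges are placeholders.

# ---- What the original post tried: the static UI directory ----
# /usr/share/ipa/ui holds only HTML and JavaScript. "Require all granted" opens
# it to everyone, and the 2.2-era "Order"/"Allow from" lines are the syntax that
# "Require" replaces, so they add nothing on Apache 2.4. Even a "Require all denied"
# here only hides the JavaScript; every real operation is a request to
# /ipa/session/*, which this <Directory> never covers.
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Require all granted
  Order allow,deny
  Allow from 203.0.113.0/24
</Directory>

# ---- Rob's approach: restrict where authentication actually happens ----
# Inside the existing <Location "/ipa"> block (keep its AuthType/GSSAPI
# directives as shipped), replace the single "Require valid-user" with a
# RequireAll, so a request must carry a valid user AND originate from an
# admin range. "Require ip 10.1.100" is a partial address and matches the
# whole 10.1.100.0/24; several ranges can be grouped in a nested RequireAny.
<Location "/ipa">
  # ... AuthType GSSAPI and the rest of FreeIPA's directives stay here ...
  <RequireAll>
    Require valid-user
    <RequireAny>
      Require ip 10.1.100
      Require ip 203.0.113.0/24
    </RequireAny>
  </RequireAll>
</Location>
```

Three things to check after applying it: run `apachectl configtest` before restarting; an anonymous `curl -sk -o /dev/null -w '%{http_code}\n' https://<server>/ipa/` should now return 401 from anywhere, while an authenticated request from outside the admin range gets 403 (the "forbidden" the follow-up describes) and one from inside the range succeeds; and if the server sits behind a load balancer or reverse proxy, `Require ip` sees the proxy's address, so configure mod_remoteip (`RemoteIPHeader`/`RemoteIPInternalProxy`) first or the rule will either block everyone or nobody. FreeIPA manages ipa.conf and can regenerate it on upgrade, so diff the file after `ipa-server-upgrade` to make sure the `<RequireAll>` survived.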
Guess my reply failed on this. That seemed to work. Not the prettiest, but a pop-up message saying forbidden is returned now instead of allowing anyone to access.
freeipa-users@lists.fedorahosted.org