community.
Is it possible to limit access to certain URIs (say /myapp/admin/*) based on requester IP on a Weblogic server?
I'd like to allow access only from trusted machines in local network and deny all others BUT only regarding this specific URIs. Other application locations should be accessible for everyone.
The question is, whether it is achievable without development of a separate Filter class?
I found just this in Apache "Location" directive, but sadly no similar stuff in Weblogic.
Thanks.
Related
I'm new in Microsoft Azure and we are encountering problem in limiting access in specific page of our website to specific ip address. What we would like to do is only specific ip address can visit certain pages like /user, /admin. We don't know if there's a way in allowing specific ip using Web.Config.
I hope you can help me. Thank you
I think you need to look at Application Gateway to restricte IP to a specific route.
https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-restrict-web-traffic-powershell
It is possible to do it in the web config:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/
Example: Is it possible to configure a location in Web.config to only allow local connections
If you want to allow specific IP address on a specific route, then you can create a custom IP filter attribute like this, and you can put it on your controllers:
Restrict access to a specific controller by IP address in ASP.NET MVC Beta
We have a newly-configured Sharepoint 2013 server installation, which serves our company Intranet.
The new Intranet is now in service and operational.
Next, we need to create another top-level site which will serve as an Extranet portal for clients.
Sharepoint Central Administration does not provide a method by which a separate IP address can be
selected for a new site; instead, it provides port selection or entry only.
We need to route external traffic to the extranet site, which requires either a mapped internal IP
address or a different port. The main limitation we face is that most of our public-sector clients
cannot use a non-standard port due to their firewall restrictions. So, this means a unique IP.
In the exhaustive research conducted concerning this issue, it appears that the "best practice"
receommended by Microsoft themselves is nothing but a workaround, where part of the process is
performed in SP Central Admin and the other half in IIS.
We have found many articles and blogs mentioning alternative ports, but none which address this situation directly.
Now we're trying to contend with Alternate Access Mappings, which are confusing our admins.
We really need the voice of experience from someone who has actually done this before.
Question: what is the correct way of achieving our goal?
Your users will access the site based on a host name I guess, not on an IP address?
So, you will have an intranet under http://intranet and you now want to create an extranet under http://extranet.
The fact that extranet is on another IP address and routed to your SharePoint farm is not really an issue.
What you need to do, is to create another web application with as host name http://extranet
Your firewall / network hardware must then forward http://extranet to your SharePoint servers. IIS will see "extranet" and serve the extranet.
If your users will access it via the IP-address, it's similar. Instead of http://extranet, you enter http://ext.ip.addr as the host name.
Background:
I'm hosting 2 separate Website instances - 1 for a WebAPI2 "API", and 1 as an MVC5 "Client" that consumes said API. I would like to restrict access for the "API" to the "Client" (there are multiple clients)
(I've only seen answers for Cloud Services or VMs, so wanted to ask if there was anything I could use for Websites. I don't want to use a cloud service or a VM, as the website is faster, lighter, cheaper - which is what I need.... could not find a firewall feature for Websites in Azure.)
Problem:
I believe I can limit access to the "API" by setting parameters in the project's Web.Config file.
But nslookup in the command prompt yields the same IP Address for all azure websites under my account.
Question:
How do I find the right IP Address -- one that the "Client" website will use to access the "API" Website instance?
If there is a better way to restrict access...please do suggest it.
You cannot secure your site by IP ACLing as web sites in Azure are running in a multi-tenant environment and they share set of IP addresses (IP addresses are per DC).
You need to rely on different security mechanisms (using some secret which only client/server know etc.).
Hope that helps.
You can also take a look at How to determine Azure website outgoing IP Address?
Petr
We currently have an Amazon VPC containing several instances, all using the same security group.
Unfortunately, we have off-site staff who connect to our network via VPN. These users have an elastic IP address, meaning we're finding it tough to give them reliable access via the security group.
Does anyone know of a way of giving access via MAC address? Its the only solution i can think of other than arranging for them to have static IP's. Any ideas? Haven't been able to find a thing elsewhere online!
Cheers,
Per the security group documentation, only IP addresses/networks in CIDR notation and security group IDs are permitted as rules. You cannot use DNS, nor is there a straightforward way to allow access from a dynamic IP address such as in the case of your off-site staff.
You could set up a jump/bastion host in your VPC, harden it properly, allow access from everywhere to that jump host, and then allow that jump host to access your other instances in the VPC.
Alternatively, Dome9 offers a nifty service that adds an extension to users browsers to permit temporary access. Basically you authorize Dome9 to make changes to your security group. The user clicks the browser extension, Dome9 changes the security group to allow access from that user's IP address for some amount of time, and removes the rule when the time is up.
I am creating software that allows users to either have their own custom subdomain (e.g: theirsubdomain.mydomain.com) or point a CNAME from their own domain to my website address (e.g: theirsubdomain.theirdomain.com).
I've contacted my host about this and the first subdomain option is cool. They will set-up a wilcard subdomain script for me...
The CNAME they said I can't do automatically. I will have to manually go into my account and add the domain to point to my website address otherwise apache wont now where to look for the files.
Is this common practice or is there a way around this that is automated?
The issue is the HTTP header. When you request a Web page the browser sends a request that starts out with:
GET /mypage.html HTTP/1.1
Host: www.mysite.com
The Host item allows a single Web server to serve pages for multiple domains. By looking at the Host, the server knows that mypage.html should come from its stored files for mysite.com, and not from the files of myothersite.com which is on the same server.
I am guessing your site is on a shared Web server at your host company, and they use this functionality to differentiate between requests for your site and requests for other sites that sit on that same virtual box. Some of these virtual hosts, like HostGator, will allow you to specify other domains that should be accepted on this Host line and where the returned documents should come from. This often is a more premium service offered by companies. For example on HostGator they say "The Baby and Business hosting plans allow for unlimited domains to be hosted on just one single account", however the basic Hatchling plan does not allow this.
If you have your own rented machine, with your own installation of Apache, you can manage the processing of this HTTP header information yourself. Apache supports virtual hosts, see the following documentation: http://httpd.apache.org/docs/2.2/vhosts/
So basically, you have to have some way to tell Apache (or whatever server you are using) that the files for a particular Host value corresponds to the same files for your domain, since a single Apache server may be providing files hundreds of different domains. If you are not administering your own Apache server, to where you can set up virtual hosts as shown in the documentation, the hosting service would have to provide some custom way to get this information to Apache.