IP Whitelist/Blacklist configuration

IP Whitelist/Blacklist configuration

Applications Manager does not have support for filtering access through the request ip's. However making use of the underlying Tomcat app server, this can be achieved. 
Users should ideally use a network firewall to restrict IP based access (this is the best method unless you need the web server to be accessable but the Applications Manager server to be not).

 Steps

  1. Take a bakup and open <apm-home>/working/apache/tomcat/conf/backup/server.xml
  2. Search <Valve className="com.adventnet.appmanager.tomcatagent.ver5.valve.AdventNetHostValve"/>
  3. You can either whitelist or blacklist IP addresses. Add the line below as per your requirement under the line found in 2nd step.
    Provide your ip pattern in highlighted placeholders:
    1. To whitelist IP addresses : 
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" denyStatus="500" allow="<your-ip-pattern-to-allow>" />
    2. To blacklist IP addresses : 
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" denyStatus="500" deny="<your-ip-pattern-to-deny>" />
  4. Restart APM and verify the configurations by accessing it.
On Accessing Applications Manager from a restricted IP: HTTP ERROR 500 will be returned as response.

Sample Configuration

Configuration to whitelist a set of IP addresses : 
  1. <Valve className="org.apache.catalina.valves.RemoteAddrValve" denyStatus="500" allow="^(127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.14\.17\.1|10\.14\.18\.1)$" />

 

Breakdown of configuration

  1. Whitelist  - allow access to only specific set of IP's that match the regex pattern.
  2. Blacklist   - deny access to specific set of IP's that match the regex pattern. 

Sample regex Pattern : ^(127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.14\.17\.1|10\.14\.18\.1)$"

Note: Multiple set of IP's are separated by pipe character.
  1. To access Applications Manager via 127.xx.xx.xx and ::1 and 0:0:0:0:0:0:0:1 which are local ipv4 and ipv6 addresses. i.e in the same machine:
    1. 127\.\d+\.\d+\.\d+
    2. ::1
    3. 0:0:0:0:0:0:0:1
  2. To access Applications Manager via 10.14.17.1 and 10.14.18.1 which are user specific IP's:
    1. 10\.14\.17\.1
    2. 10\.14\.18\.1

IP's can be mentioned in wild-card pattern too. eg., To allow all IP's starting with 10.14.xx.xx

  1. <Valve className="org.apache.catalina.valves.RemoteAddrValve" denyStatus="500" allow="^(127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.14\.\d+\.\d+)$" />

References

  1. If you are manually editing a file, always take a backup of that file and use it to replace it back in case you encounter any issues.
  2. Tomcat 9 - RemoteAddress Valve
Feel free to contact appmanager-support@manageengine.com in case of further questions.

      New to ADSelfService Plus?

        Resources