Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

Allow access to AEM instances only for certain IPs from vHost configurations

Avatar

Level 2

Hi,

Currently, our AEM instances are public when accessed over the author domains. I am trying to use the below file on to allow access to AEM for certain IPs only

## Update /etc/httpd/conf.d/variables/ams_default.vars with setting the AUTHOR_WHITELIST_ENABLED from 0 or 1 to enable or disable ip restriction rules

<If "${AUTHOR_WHITELIST_ENABLED} == 1">

Include /etc/httpd/conf.d/whitelists/*_whitelist.rules

</If>

I am creating a new whitelist.rules file and expecting it to be picked by the vhost file. Is this the correct approach? The current file 000_base_whitelist.rules has the below default data.

## Include this in a directory context of the virtual host you want to restrict and apply a whitelist of IP's

## Here are some examples:

### Regular expressions are used for X-FORWARDED-FOR if your dispatcher is behind a load balancer

# SetEnvIf X-FORWARDED-FOR ^199\.83\.(12[8-9]|13[0-5])\.[0-9]{1,3}$ AllowIP

# SetEnvIf X-FORWARDED-FOR ^198\.143\.(3[2-9]|[4-5][0-9]|6[0-3])\.[0-9]{1,3}$ AllowIP

### Here are some rules for CIDR ip blocks and single addresses

# Allow from XXX.XXX.XX.X/XX

# Allow from XXX.XXX.XXX.XX

Order deny,allow

Deny from all

Allow from env=AllowIP

Can I get the syntax in which the filter needs to be written to allow only certain IPs to be accessible?

2 Replies

Avatar

Level 10

Did you get a chance to try exactly as mentioned in your example file -

SetEnvIf X-FORWARDED-FOR  <IP REGEX> AllowIP   # it assumes that your LB is setting X-FORWARDED-FOR header with incoming IP

or if its a single IP/CIDR block-

Allow from XXX.XXX.XX.X/XX

 

Order deny,allow
Deny from all
Allow from env=AllowIP

Avatar

Level 10

This is more of Network/Apache issue then AEM. Confirmed with customer support as well.