Allow access to AEM instances only for certain IPs from vHost configurations

ReachPriyadarsh
Level 2

Hi,

Currently, our AEM instances are public when accessed over the author domains. I am trying to use the file below to allow access to AEM for certain IPs only:

## Update /etc/httpd/conf.d/variables/ams_default.vars with setting the AUTHOR_WHITELIST_ENABLED from 0 or 1 to enable or disable ip restriction rules
<If "${AUTHOR_WHITELIST_ENABLED} == 1">
    Include /etc/httpd/conf.d/whitelists/*_whitelist.rules
</If>

I am creating a new whitelist.rules file and expecting it to be picked up by the vhost file. Is this the correct approach? The current file 000_base_whitelist.rules has the default data below.

## Include this in a directory context of the virtual host you want to restrict and apply a whitelist of IPs
## Here are some examples:
### Regular expressions are used for X-FORWARDED-FOR if your dispatcher is behind a load balancer
# SetEnvIf X-FORWARDED-FOR ^199\.83\.(12[8-9]|13[0-5])\.[0-9]{1,3}$ AllowIP
# SetEnvIf X-FORWARDED-FOR ^198\.143\.(3[2-9]|[4-5][0-9]|6[0-3])\.[0-9]{1,3}$ AllowIP
### Here are some rules for CIDR ip blocks and single addresses
# Allow from XXX.XXX.XX.X/XX
# Allow from XXX.XXX.XXX.XX
Order deny,allow
Deny from all
Allow from env=AllowIP

Can I get the syntax in which the filter needs to be written to allow only certain IPs to be accessible?

2 Replies
Gaurav-Behl
Community Advisor

Did you get a chance to try exactly as mentioned in your example file?

# it assumes that your LB is setting the X-FORWARDED-FOR header with the incoming IP
SetEnvIf X-FORWARDED-FOR <IP REGEX> AllowIP

or if it's a single IP/CIDR block:

Allow from XXX.XXX.XX.X/XX

Order deny,allow
Deny from all
Allow from env=AllowIP
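A complete whitelist rules file in the format the thread discusses, added here as an example (it is not from the thread or the AMS defaults); the file name and the addresses, taken from the RFC 5737 documentation ranges, are assumed.

```apache
# /etc/httpd/conf.d/whitelists/100_author_whitelist.rules  (assumed file name)
# Added example, not from the thread or the AMS defaults. Picked up by the
# vhost Include only when AUTHOR_WHITELIST_ENABLED is 1 in ams_default.vars.
# All addresses below are constructed samples (RFC 5737 documentation ranges).

# Dispatcher behind a load balancer that sets X-Forwarded-For to the client
# address: anchor every regex with ^ and $ so only a whole, single value matches.
# 203.0.113.0/24  -> 203.0.113.0 - 203.0.113.255
SetEnvIf X-Forwarded-For "^203\.0\.113\.[0-9]{1,3}$" AllowIP
# 198.51.100.32/27 -> 198.51.100.32 - 198.51.100.63
SetEnvIf X-Forwarded-For "^198\.51\.100\.(3[2-9]|[45][0-9]|6[0-3])$" AllowIP
# A single office address
SetEnvIf X-Forwarded-For "^198\.51\.100\.250$" AllowIP

# Dispatcher reached directly (no proxy in front): match the TCP peer address.
Allow from 203.0.113.0/24
Allow from 198.51.100.250

# Default deny; only requests matched above (env=AllowIP or a direct Allow) pass.
Order deny,allow
Deny from all
Allow from env=AllowIP
```

The X-Forwarded-For rules are only trustworthy when the load balancer is the sole path to the dispatcher and sets the header itself; with the anchored regexes, a header carrying more than one address (for example a client-supplied value the balancer appended to) fails to match and the request is denied.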

smacdonald2008
Level 10

This is more of a Network/Apache issue than AEM. Confirmed with customer support as well.