Protect access to the SGD Gateway balancer-manager

Jan-Oracle

Since SGD 5.4 the gateway injects the client IP address, but usually only for the endpoint /sgd. This can be configured in /opt/SUNWsgdg/etc/gateway.xml. In the following configuration I added the end-point /balancer-manager to also receive the injected client IP address.

SGD 5.5 now base64 encodes the injected data.

/opt/SUNWsgdg/etc/gateway.xml

<client class="HTTPINJECTOR-CLIENT" id="http-injector-client">     <subClient id="tcpclient"/>     <maxBufferSize>8192</maxBufferSize>     <noinject path="/sgdadmin"/>     <noinject name="TTA_SESSION_OBJECT" path="/sgd" src="cookie"/>     <inject name="SSL_PEER_ID" path="/sgd" signeddata="uid" src="info"/>     <inject name="OSGD_CHALLENGE_COOKIE" path="/sgd" signeddata="challenge" src="cookie"/>     <inject name="CLIENT_IP_ADDR" path="/sgd" signeddata="clientip" src="info"/>     <inject name="CLIENT_IP_ADDR" path="/balancer-manager" signeddata="clientip" src="info"/>     <inject path="/sgd" signeddata="gateway-features" src="value" value="gateway-http-upgrade"/>     <featurelist enabled="true"/>     <signedDataEncoding>application/base64</signedDataEncoding> </client>

Now requests will contain

HTTP_OSGD_SIGNED_DATA="clientip=156.151.8.2;gateway-features=routing-token-nocert,gateway-http-upgrade;timestamp=1532641478482"

SGD Gateway apache server configuration

In order to allow access to the balancer-manager only for specific IP addresses, protect the location as follows: In my example it will either allow users coming from class C subnet 156.151.8.0 or the IP address 67.180.102.252 or will ask for a username/password. It is best to consult the apache documentation about expressions to learn more how to use this directive. The file containing user names and passwords (/opt/SUNWsgdg.balancer_manager_passwords) has been created with the apache htpasswd command to be found in the bin directory of any apache install, like for example on the SGD gateway in /opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)/bin

Note: to setup you shell environment to be able to run the standard apache commands use the following command

# APACHE_PATH=/opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)
# source $APACHE_PATH/bin/envvars

We can create a password file with

# $APACHE_PATH/bin/htpasswd -cb /opt/SUNWsgdg.balancer_manager_passwords username password# chown sgdgsys:sgdgserv /opt/SUNWsgdg.balancer_manager_passwords

So we can use it in our balancer-manager config block for our AuthType Basic. We are combining client IP restriction with password authentication by using RequireAll

httpd-gateway.conf balancer-manager config

LoadModule env_module modules/mod_env.so # load SetEnvIf module LoadModule setenvif_module modules/mod_setenvif.so # # set Env variable and Header based on the base64 encoded OSGD-Signed-Data header # <If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">     SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1     RequestHeader set X-Client-IP %{CLIENT_IP}e     # optionally provide the unencoded data as header as well     RequestHeader set X-OSGD-Unsigned-Data "expr=%{unbase64:OSGD-Signed-Data}" </If> <Location /balancer-manager>     SetHandler balancer-manager     AuthType Basic     AuthName<span class="Apple-converted-space"> </span>"Balancer Manager"     AuthBasicProvider file     AuthUserFile /opt/SUNWsgdg.balancer_manager_passwords     <RequireAll>         <RequireAny>             Require expr "%{env:CLIENT_IP} -ipmatch '156.151.8.0/24'"             Require expr "%{env:CLIENT_IP} == '67.180.102.252'"         </RequireAny>         Require valid-user     </RequireAll> </Location>

After performing these configuration file changes, you can either restart the gateway with the /opt/SUNWsgdg/bin/gateway command or use $APACHE_PATH/bin/apachectl graceful command and access /balancer-manager after entering the proper credentials and coming from the configured IP address.