Univention Bugzilla – Bug 50188
limit access to webservices based on IP/network blacklist
Last modified: 2019-09-22 15:51:13 CEST
Add a configurable apache directive to limit access to /univention/udm to certain hosts. By default that should only be "localhost". This is consistent with the Debian policy of starting processes in a safe configuration. Users that wish to use the API can change the configuration to include their local network or 'all'. It should be possible to add multiple hosts/networks.
The first implementation is limited to a configurable list of groups that can authenticate. A preconfigured list of networks isn't easy, as we want the API to be available for all UCS instances and have no reliable way to know all networks those instances might "come from". I think we should consider having a configurable network blacklist, but that can only be empty by default.
Ah yes - the API should be reachable by all domain members. So the default should be "open for all". But adding the _possibility_ to restrict access is important for those systems where the master's webserver is exposed to the internet. Usually in such a scenario other domain members connect through an internal network (or VPN), which can be whitelisted. Actually this problem also exists for the UMC. To circumvent brute force attacks a general rate limiting on certain paths below /univention/ would be useful. (login, umc, self-service, udm, ..?)
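Added example (not configuration from this bug or from Univention): the three access models discussed above, expressed as Apache 2.4 mod_authz_host rules for /univention/udm. It covers the "open for all" default, the whitelist of localhost plus explicitly listed hosts/networks from the original request, and the empty-by-default network blacklist from comment #1. The network ranges and host addresses are constructed placeholders; pick one block per deployment, since several <Location> blocks for the same path would be merged in configuration order.

```apache
# Added example, not part of the bug or of Univention's own templates.
# Assumes Apache 2.4 (mod_authz_host / mod_authz_core) on the UCS master.
# 10.20.0.0/16, 192.168.100.0/24, 10.20.0.10 and 203.0.113.0/24 are
# constructed values standing in for "internal network", "VPN",
# "a single host" and "a blocked network".

# 1) Default: reachable by every domain member, but also by anyone who can
#    reach the web server (the exposed-master case from the comment above).
<Location "/univention/udm">
    Require all granted
</Location>

# 2) Whitelist: localhost plus listed hosts/networks. Inside <RequireAny>
#    the Require lines are OR'ed; "Require ip" takes single addresses and
#    CIDR networks, several per line or one per line as shown here.
<Location "/univention/udm">
    <RequireAny>
        Require local
        Require ip 10.20.0.0/16
        Require ip 192.168.100.0/24
        Require ip 10.20.0.10
    </RequireAny>
</Location>

# 3) Blacklist (comment #1): open by default, minus listed networks.
#    "Require not ip" can only deny, so it must be combined with a
#    granting rule inside <RequireAll>. An empty blacklist is just block 1.
<Location "/univention/udm">
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.0/24
    </RequireAll>
</Location>
```

Two caveats for the deployments this bug is about. These rules evaluate the TCP peer address, so if the master sits behind a reverse proxy or load balancer every client appears as the proxy's IP; in that case mod_remoteip has to be configured (with a trusted-proxy list) before the whitelist means anything. And access control by source address does nothing against credential brute force from inside the allowed networks, which is why the rate-limiting request above is a separate concern; Apache ships no request-rate limiter in core (mod_ratelimit only throttles bandwidth), so that would need an additional module or a front-end filter.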
(In reply to Daniel Tröder from comment #2) [..] > Actually this problem also exists for the UMC. > To circumvent brute force attacks a general rate limiting on certain paths > below /univention/ would be useful. > (login, umc, self-service, udm, ..?) I move this to a generic feature request for our apache integration.