Bug 50188 – limit access to webservices based on IP/network blacklist

Bug 50188 - limit access to webservices based on IP/network blacklist


Summary:	limit access to webservices based on IP/network blacklist

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	Apache
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:	UMC maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-09-13 06:35 CEST by Daniel Tröder
Modified:	2019-09-22 15:51 CEST (History)
CC List:	2 users (show)

See Also:	27816
What kind of report is it?:	Feature Request
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Tröder

2019-09-13 06:35:39 CEST

Add a configurable apache directive to limit access to /univention/udm to certain hosts. By default that should only be "localhost".

This is consistent with the Debian policy of starting processes in a safe configuration.

Users that wish to use the API can change the configuration to include their local network or 'all'.

It should be possible to add multiple hosts/networks.

Comment 1 Ingo Steuwer

2019-09-13 08:59:26 CEST

The first implementation is limited to a configurable list of groups that can authenticate.

A preconfigured list of networks isn't easy, as we want the API to be available for all UCS instances and have no reliable way to know all networks those instances might "come from".

I thin we should consider to have a configurable network blacklist, but that can only be empty by default.

Comment 2 Daniel Tröder

2019-09-13 09:52:32 CEST

Ah yes - the API should be reachable by all domain members. So the default should be "open for all".

But adding the _possibility_ to restrict access is important for those systems where the masters webserver is exposed to the internet.
Usually in such a scenario other domain members connect through an internal network (or VPN), which can be whitelisted.

Actually this problem also exists for the UMC.
To circumvent brute force attacks a general rate limiting on certain paths below /univention/ would be useful.
(login, umc, self-service, udm, ..?)

Comment 3 Ingo Steuwer

2019-09-13 10:15:17 CEST

(In reply to Daniel Tröder from comment #2)
[..]
> Actually this problem also exists for the UMC.
> To circumvent brute force attacks a general rate limiting on certain paths
> below /univention/ would be useful.
> (login, umc, self-service, udm, ..?)

I move this to a generic feature request for our apache integration.