Hi Aaron,

> Anyone know how to limit ip addresses *in subnet notation* that are able to communicate with the rest api ?

This does not seem to be possible with "allowed-sources". IPv4 addresses specified under "allowed-sources" are used in the /mfs/var/etc/lighttpd.conf configuration file in a regular expression not match (!~), which does not support a subnet mask. In theory, one could specify the network as a regex, but this is not supported by the Junos XML Schema, which requires the value of "allowed-sources" to be ipv4addr (https://www.juniper.net/documentation/en_US/junos-sdk/10.2/DDLRefGuide/op_type_ip_addresses.html), i.e. the only value "allowed-sources" accepts is an IPv4 address. Can't you use RE firewall filters?

In addition, at least in Junos 18.2R1.9 the filtering implementation based on the client IPv4 address is faulty. For example, if one allows the following two addresses:

user> show configuration system services rest control
allowed-sources [ 10.5.5.123 10.5.5.25 ];

user>

.. then this translates to the lighttpd conditional configuration below:

root@:/var/home/user # head -4 /mfs/var/etc/lighttpd.conf
server.document-root = "/www/null"
$HTTP["remoteip"] !~ "10.5.5.25|10.5.5.123" {
url.access-deny = ( "" )
}
root@:/var/home/user #

However, this doesn't permit just 10.5.5.123 and 10.5.5.25, but also for example 10.5.5.250 or 10.5.5.254.

WBR,
Martin
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
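
Added example, not part of the original post and not Juniper's code: a small audit that lists which addresses in 10.5.5.0/24 pass the generated pattern without being configured. Python's re.search is assumed as a stand-in for lighttpd's unanchored regex match, and anchored_pattern() is a hypothetical illustration of a stricter pattern, not something "allowed-sources" can be made to emit.

```python
import ipaddress
import re

# Pattern and allow-list exactly as quoted from lighttpd.conf / the Junos config above.
GENERATED = "10.5.5.25|10.5.5.123"
ALLOWED = ["10.5.5.123", "10.5.5.25"]


def passes_filter(pattern, remote_ip):
    """Access is denied when remoteip !~ pattern, so a client passes when the
    pattern matches anywhere in its address string (unanchored search)."""
    return re.search(pattern, remote_ip) is not None


def anchored_pattern(addresses):
    """Hypothetical stricter pattern: dots escaped, alternation anchored."""
    return "^(" + "|".join(re.escape(a) for a in addresses) + ")$"


def unintended(pattern, allowed, network):
    """Hosts in `network` that pass the filter but are not on the allow-list."""
    allowed_set = set(allowed)
    return [
        str(host)
        for host in ipaddress.ip_network(network).hosts()
        if str(host) not in allowed_set and passes_filter(pattern, str(host))
    ]


if __name__ == "__main__":
    net = "10.5.5.0/24"
    print("generated pattern lets through:", unintended(GENERATED, ALLOWED, net))
    print("anchored pattern lets through: ",
          unintended(anchored_pattern(ALLOWED), ALLOWED, net))
```

The same check can be run against any allow-list to confirm that only the configured addresses pass before relying on the filter; where they do not, the RE firewall filter suggested above is the control to depend on.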

