I'm having an issue locking down the Resin admin pages to users on our VPN /
private network, who will be using the private IPs. Due to our requirement
for PCI compliance, having an unencrypted login publicly available is a
no-no, and after our upgrade to Resin 3.1.x, our security scans are flagging
the admin pages for this requirement. We have the IP constraint in place to
limit access to our VPN users on the private network; loading the following
page from the public network:
http://outsidedomain.com/admin
gives the correct Unauthorized IP Address message
while pulling up:
http://outsidedomain.com/admin/
actually pulls up a version of the admin login page (without the CSS file
being loaded, as that's being correctly flagged as being IP protected I
assume).
Now you can't actually log in from the public network (you get the same
Unauthorized IP Address error message if you attempt that), but it's
generally easier to get this fixed and not be accessible at all than fight
with a QSA over a compensating control exception. Our configuration,
essentially taken right out of the docs, is below:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <ip-constraint>
    <allow>10.198.5.0/24</allow>
  </ip-constraint>
</security-constraint>
I've tried removing slashes, adding wildcards, etc. and still can't get this
to work. Any ideas?
I could also just run the admin pages as its own virtual host on a
different port that isn't forwarded from the public network, but I want it
to all be the same JVM obviously as I'm looking to monitor the main webapp,
not just itself. Is that possible?
--
View this message in context:
http://www.nabble.com/Problem-with-IP-Constraint-of-Resin-Admin-tp25261802p25261802.html
Sent from the Resin mailing list archive at Nabble.com.
___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
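The observation in the post (/admin is blocked while /admin/ renders a login page) is the classic failure mode of an access check that compares the raw request path instead of a normalized one. The following is an added example, not Resin's or Caucho's code and not a description of how Resin's ip-constraint is implemented: a small Python check that normalizes the path (percent-decoding one layer, collapsing repeated slashes, resolving dot segments, dropping the trailing slash) before deciding whether the client address falls in an allowed network. The allowlist reuses the 10.198.5.0/24 range from the post; the function names, the /admin prefix and the sample client addresses are constructed for illustration.

```python
"""Added example (not from the Resin post or the Caucho docs): a path-normalizing
IP allowlist check for an admin area, showing why '/admin' and '/admin/' must
receive the same decision."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist mirroring the range used in the post.
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.198.5.0/24")]
ADMIN_PREFIX = "/admin"  # hypothetical protected area


def normalize_path(raw_path):
    """Canonicalize a request path before any authorization decision.

    Drops the query string, percent-decodes one layer, collapses runs of '/',
    resolves '.' and '..' segments and removes a trailing slash, so that
    '/admin', '/admin/', '//admin//' and '/admin%2F../admin/' all become '/admin'.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/{2,}", "/", path)  # posixpath keeps a leading '//', so collapse first
    return posixpath.normpath(path)


def naive_is_admin_path(raw_path):
    """The buggy comparison: exact match on the raw path. '/admin/' slips through."""
    return raw_path == ADMIN_PREFIX


def is_admin_path(raw_path):
    """Prefix match on the normalized path; '/administrator' is not under '/admin'."""
    path = normalize_path(raw_path)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def admin_access_allowed(client_ip, raw_path):
    """Return (allowed, reason). Paths outside the admin area are not subject to
    this check; admin paths require the client to be inside an allowed network."""
    if not is_admin_path(raw_path):
        return True, "not an admin path"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ADMIN_ALLOWED_NETWORKS):
        return True, "client in allowed network"
    return False, "Unauthorized IP Address"


if __name__ == "__main__":
    # Constructed requests: a VPN client and a public client hitting both spellings.
    for ip, path in [("10.198.5.17", "/admin/"), ("203.0.113.9", "/admin"),
                     ("203.0.113.9", "/admin/"), ("203.0.113.9", "/public/")]:
        print(ip, path, "->", admin_access_allowed(ip, path))
```

The point of the contrast between naive_is_admin_path and is_admin_path is that the allow/deny decision has to be made on one canonical form of the path; whichever layer enforces the network restriction, a scan that tries the trailing-slash, double-slash and encoded variants should return the same Unauthorized IP Address response for all of them.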