Pivotal Knowledge Base


How do I restrict access to my application by IP address?

Purpose

You would like to restrict access to your application to a set of IP addresses, or alternatively block a certain set of IP addresses from accessing your application.

Instructions

At the moment, when you deploy an application to PWS the application is accessible to anyone on the Internet. Furthermore, the PWS platform does not provide any access restriction mechanism. This means that if you would like to restrict access to your application, you need to do it in the application itself.

Some languages, runtimes and frameworks offer support for whitelisting or blacklisting IP addresses, like Spring Security. For languages or runtimes with no built-in support, you can often implement similar behavior with a "middleware", "interceptor" or "filter". These inspect incoming requests and apply logic that runs before the request reaches your application. The injected logic simply needs to look at the client's IP address and determine whether it is acceptable. The client's IP address can generally be found in the X-FORWARDED-BY header, but some build packs, like the Java and PHP build packs, modify the headers so that you would instead look in the more traditional REMOTE_ADDR header.
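As an added example (not from this knowledge-base article or from the PWS build packs), here is the filter logic described above written as a Python WSGI middleware: it picks the client address out of the forwarded header, trusting only the hop appended by the platform's router, falls back to REMOTE_ADDR when that header is absent or when the build pack rewrites headers, and matches the result against an allow list of CIDR ranges. The header name X-Forwarded-For, the single trusted proxy hop and the 10.1.0.0/16 range are assumptions; 23.28.250.16 is the address used elsewhere on this page.

```python
import ipaddress

# Forwarded-address header as WSGI exposes it. This name is an assumption; match it
# to what your router sets. Where the build pack rewrites headers so REMOTE_ADDR already
# holds the client address (the Java/PHP case above), pass trusted_proxies=0.
FORWARDED_HEADER = "HTTP_X_FORWARDED_FOR"

def client_ip(environ, trusted_proxies=1):
    """Client address from the WSGI environ. A client can put anything in the
    forwarded header; only entries appended by proxies you control are trustworthy,
    so count `trusted_proxies` hops from the right, else fall back to REMOTE_ADDR."""
    hops = [h.strip() for h in environ.get(FORWARDED_HEADER, "").split(",") if h.strip()]
    if 0 < trusted_proxies <= len(hops):
        return hops[-trusted_proxies]
    return environ.get("REMOTE_ADDR", "")

def is_allowed(ip, networks):
    """True when `ip` parses and lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed address: fail closed
        return False
    return any(addr in net for net in networks)

class IPRestrictMiddleware:
    """WSGI middleware: answer 403 unless the client address is on the allow list."""
    def __init__(self, app, allow, trusted_proxies=1):
        self.app = app
        self.networks = [ipaddress.ip_network(a, strict=False) for a in allow]
        self.trusted_proxies = trusted_proxies

    def __call__(self, environ, start_response):
        if not is_allowed(client_ip(environ, self.trusted_proxies), self.networks):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)

def status_for(environ, allow=("23.28.250.16/32", "10.1.0.0/16"), trusted_proxies=1):
    """Push one constructed request through the middleware; return its status line.
    10.1.0.0/16 is a made-up internal range used only for this demonstration."""
    seen = {}
    def ok_app(env, start):
        start("200 OK", [("Content-Type", "text/plain")])
        return [b"hello\n"]
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    list(IPRestrictMiddleware(ok_app, allow, trusted_proxies)(environ, start_response))
    return seen["status"]
```

The second `status_for` case in the checks below shows why the rightmost hop is used: a requester who prepends an allowed address to the header is still judged by the address the router appended.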

Impact / Risks

While rejecting certain requests based on the client's IP address can be effective, it should generally be used in conjunction with other forms of security, like a user authentication and authorization system.

Additional Information

For applications that run in a container or web server, it's generally possible to instruct the server to reject connections from certain IP addresses.  Here are some examples of this.

Apache Tomcat

Edit the WEB-INF/web.xml file in your application.  Add the following.

    <filter>
      <filter-name>Remote Address Filter</filter-name>
      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
      <init-param>
        <param-name>allow</param-name>
        <param-value><!-- insert your ip list / regex here --></param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>Remote Address Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

This instructs the filter to block all IP addresses except the ones you include. The filter also supports the reverse, blocking only the IP addresses listed. More on that filter can be found in the Apache Tomcat filter documentation.

Spring Boot

For Spring Boot applications that run with the embedded Apache Tomcat container, which is the default behavior, you can use the same filter described in the Apache Tomcat section above.  It's just configured in code instead of XML.  The Spring Boot docs explain how to enable a Servlet Filter.  You can use these instructions to enable the RemoteAddrFilter.

Apache HTTPD & PHP

If you have a PHP application that is running behind Apache HTTPD, the default for the PHP build pack, you can use Apache HTTPD to restrict access to your application.  The easiest way to do this is to include a .htaccess file with your application.  The build pack configures Apache HTTPD to look for these files.  Here's an example that would restrict access to the folder where it's placed.

    Require ip 23.28.250.16

More on the syntax of this can be found in the Apache HTTPD Docs.

Nginx & PHP

If you have a PHP application that is running behind Nginx, also supported by the PHP build pack, you can use Nginx to restrict access to your application. This is done by creating the file .bp-config/nginx/http-defaults.conf at the root of your application. It overrides the build pack's default configuration and applies the additional IP-based restrictions.

    # default configuration from the build pack
    include            mime.types;
    default_type       application/octet-stream;
    sendfile           on;
    keepalive_timeout  65;
    gzip               on;
    port_in_redirect   off;
    root               @{HOME}/#{WEBDIR};
    index              index.php index.html;
    server_tokens      off;

    # additional configuration to restrict by ip address (checked in order)
    allow <ip-to-allow>;
    deny all;

More on how Nginx restricts IP addresses can be found in the Nginx documentation.

Nginx & Static Files

The static file build pack also uses Nginx to serve up files, so you can also use Nginx's ability to restrict IP addresses with this build pack.  The syntax is the same, although the build pack has a different way of configuring Nginx.  See the build pack docs for more on that.
