User Tools

Site Tools


Sidebar

Announcement

Ahsay Backup Software

Backup Set Types

Supported Storage

Features in OBM / ACB

Features in CBS

Brand and Customize

License

Documentation

Performance Testing

FAQs and Known Issues

Can't Find What You Need?

public:5354_how_to_setup_ip_filter_to_restrict_access_to_cbs_web_console

FAQ: How to setup IP filter to restrict access to AhsayCBS system and user web console?

Article ID: 5354
Reviewed: 27/09/2018

Product Version:
AhsayCBS: 7.3.0.0 or above
OS: All platforms

Description

This article contain instruction on how to setup IP filter to restrict access to your AhsayCBS system and user web console.

Contents

To setup an IP filter to restrict access to your AhsayCBS system and user web console, you can do so by logging into the AhsayCBS system web console:

  1. Select System Settings > Advanced > Runtime Options > IP Allowed


  2. Click on the existing IP Allowed range to edit the existing filter, or click Create to create a new IP Allowed range.

  3. Enter the From and To IP addresses, then click OK

  4. Click Save.
Once the IP filter is configured and saved, the following error will be displayed, when a system or backup user attempts to login to the AhsayCBS system or user web console from an IP address outside of the allowed range:



Note:
This will restrict access to both the AhsayCBS system and user web console.


To restrict access to the AhsayCBS system web console (to pages with URL containing */system) only:

  1. Browse to the following path on the AhsayCBS server:

    %CBS_Installation_Home%/webapps/cbs/WEB-INF

  2. Edit the web.xml file with a text editor.

    Important: Make a copy of the web.xml file as backup, before making any change to the web.xml file. Incorrectly editing the file may lead to server failure.

  3. Add your filter after the encodingFilter filter as shown below:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                *** Add your filter here ***
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  4. The following is a sample filter to allow only the host IP (e.g. localhost) to access all system page with url pattern */system, for example:

    System Settings > Basic
    https://backup_server/cbs/system/ShowConfiguration.do

    Monitoring > Dashboard
    https://backup_server/cbs/system/ShowSystem.do

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>SystemAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>SystemAccess</filter-name>
                            <url-pattern>/system/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  5. You can setup multiple IP range, for example:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>SystemAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>Range2</param-name>
                                        <param-value>0.0.0.0-192.168.25.125</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>SystemAccess</filter-name>
                            <url-pattern>/system/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  6. Save the changes then restart the AhsayCBS service.
When a user attempts to access the AhsayCBS system web console, to any page with url pattern */system from an IP outside of the allowed range, the following error will be displayed:



Note:
This will only restrict access to the AhsayCBS system web console, to pages with URL containing */system. Access to other pages after login, such as Backup / Restore > Users, Groups & Policies will still be accessible.

This will not restrict access to the AhsayCBS user web console.


To restrict access to both the AhsayCBS system and user web console, including the login page (e.g. restrict all access, hiding the web console instead of displaying an error after a login attempt):

  1. Browse to the following path on the AhsayCBS server:

    %CBS_Installation_Home%/webapps/cbs/WEB-INF

  2. Edit the web.xml file with a text editor.

    Important: Make a copy of the web.xml file as backup, before making any change to the web.xml file. Incorrectly editing the file may lead to server failure.

  3. Add your filter after the encodingFilter filter as shown below:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                *** Add your filter here ***
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  4. The following is a sample filter to allow only the host IP (e.g. localhost) to access the system and user web console:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>AllAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>AllAccess</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  5. Save the changes then restart the AhsayCBS service.
When a user attempts to access the AhsayCBS system or user web console from an IP outside of the allowed range, the following error will be displayed:



Note:
This will only restrict access to the AhsayCBS system web console, to pages with URL containing */system. Access to other pages after login, such as Backup / Restore > Users, Groups & Policies will still be accessible.

This will restrict access to both the AhsayCBS system and user web console.

Keywords

ip, addy, address, ipaddress, filter, filtering, restrict, restriction, limit, limiting, console, access, accessing, obm, ahsayobm, acb, ahsayacb, ahsaycbs, cbs

public/5354_how_to_setup_ip_filter_to_restrict_access_to_cbs_web_console.txt · Last modified: 2018/09/27 17:08 by edward.chan