
Bug in Access control in site-path-routing?

Today I was configuring a virtual webserver to be only accessible from certain IP-addresses.

This can be done using Access Control under Site-path-routing. At first I was amazed that, when entering the allowed IP in Allowed networks, I got an access denied and could not open the website. Upon checking in the WAF log, I found a difference that also really makes the difference:

2016:11:21-13:29:27 utm-2 reverseproxy: id="0299" srcip="82.143.xxx.yyy" localip="83.167.aaa.bbb" size="44131" user="-" host="82.143.xxx.yyy" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="34268" url="/bundles/scripts" server="my-server.com" referer="https://my-server.com" cookie="-" set-cookie="-"


The above is with Access control switched off. host= translates to the IP-address of the client accessing the page.

When configuring Access control on the IP that should have access, I get the following log entry:

2016:11:21-13:26:38 utm-2 reverseproxy: id="0299" srcip="82.143.xxx.yyy" localip="83.167.aaa.bbb" size="209" user="-" host="reverse-lookup-hostname-of-ipaddress" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="1121" url="/" server="my-server.com" referer="-" cookie="_ga=GA1.2.91355294.1436263771" set-cookie="-"


host= translates to the reverse name lookup of the IP-address of the client accessing the page. The problem seems to be that when enabling Access control, there is a reverse IP-lookup of the client connecting to the virtual server. While this is still the same IP-address, it doesn't allow access. When I then configure a new DNS host with the corresponding name and use this in the Allowed networks, the client does get access (both network definitions have the same IP-address).

I then tried to create a new network definition using the IP-address of the client with a /32 subnet mask. Then the address will again translate to just the IP-address and Access control works as expected.

While UTM help does call it Allowed Networks, it does also accept a host definition using just an IP-address instead of a /32 network definition, but in that case it does a reverse lookup of the IP-address to its hostname and will deny access to the site. To me this seems to be a bug, or am I wrong?
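The two log lines above are the whole evidence for the behaviour described, so a quick way to confirm it on a larger WAF log is to parse the reverseproxy lines and flag every request whose host= field is not the literal srcip= (i.e. the client address was reverse-resolved before the access check). The script below is an added example written for this thread, not code from the original post or from Sophos; it assumes only the key="value" line format shown above and uses the two quoted lines (with their masked addresses) as constructed sample input.

```python
import re
from collections import Counter

# The two reverseproxy log lines quoted in the post. The client and server
# addresses are masked there (xxx.yyy / aaa.bbb) and are kept verbatim, so this
# is constructed sample input, not a real capture.
SAMPLE_LOG = """\
2016:11:21-13:29:27 utm-2 reverseproxy: id="0299" srcip="82.143.xxx.yyy" localip="83.167.aaa.bbb" size="44131" user="-" host="82.143.xxx.yyy" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="34268" url="/bundles/scripts" server="my-server.com" referer="https://my-server.com" cookie="-" set-cookie="-"
2016:11:21-13:26:38 utm-2 reverseproxy: id="0299" srcip="82.143.xxx.yyy" localip="83.167.aaa.bbb" size="209" user="-" host="reverse-lookup-hostname-of-ipaddress" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="1121" url="/" server="my-server.com" referer="-" cookie="_ga=GA1.2.91355294.1436263771" set-cookie="-"
"""

# "<timestamp> <node> reverseproxy: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<node>\S+) (?P<daemon>[^:]+): ')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_line(line):
    """Parse one UTM reverseproxy log line into a dict, or None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Values may themselves contain '=' (e.g. cookie="_ga=..."), which the
    # quoted-value regex handles because it stops only at the closing quote.
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def reverse_lookup_indicators(log_text):
    """Return the records where host= differs from srcip=.

    With Access control off, the post shows host= equal to the client IP; with
    Access control on, host= becomes the reverse-resolved name. A mismatch is
    therefore the indicator that the client address was resolved before the
    Allowed networks check was applied.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "host" not in rec or "srcip" not in rec:
            continue
        if rec["host"] != rec["srcip"]:
            findings.append({
                "ts": rec["ts"],
                "srcip": rec["srcip"],
                "resolved_host": rec["host"],
                "statuscode": rec.get("statuscode", "-"),
                "url": rec.get("url", "-"),
                "server": rec.get("server", "-"),
            })
    return findings


def status_summary(findings):
    """Count reverse-resolved requests per HTTP status, to see how many were denied (403)."""
    return Counter(f["statuscode"] for f in findings)


if __name__ == "__main__":
    hits = reverse_lookup_indicators(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["srcip"]} resolved to {h["resolved_host"]} '
              f'-> {h["statuscode"]} {h["url"]} on {h["server"]}')
    print("by status:", dict(status_summary(hits)))
```

Run it against a real export of the WAF log (one line per request) and every client whose access-control decision was taken on a resolved name rather than its address shows up, which is exactly the case the /32 network definition avoids.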
