Question

Restrict JSS console access by IP range

  • October 22, 2015
  • 23 replies
  • 150 views


At one of the JNUC sessions, I could swear that a presenter commented that you could restrict access to the web console to specific IP ranges. This would be a good workaround for us to limit access to our 2FA jump host IPs rather than building a limited access JSS for this purpose.

Am I taking crazy pills and made this up, or does anyone know how to configure such access, maybe via Tomcat settings?

23 replies

  • Author
  • Contributor
  • October 26, 2015

Shameless bump... I am pretty certain this can be done with Tomcat configurations, but everything I've tried just breaks the JSS entirely.


davidacland
  • Valued Contributor
  • October 26, 2015

It seems normal client management interactions and the management console are too closely related.

It's a shame it doesn't just have two ports, one for clients, and one for management.

The only way I've achieved it is to have two tomcat servers configured with load balancing, the client one set as limited access and the management one restricted to specific IPs by firewall rules. It works but is really over complicated.


  • Author
  • Contributor
  • October 26, 2015

Yeah, that is what I am planning to do if needed, but I was hoping to avoid new infrastructure due to the timeline involved. It's probably how this will end up.


  • New Contributor
  • October 9, 2016

Any update? It seems some people did it. Do we really need to figure this out by ourselves from the logs? ...


  • Employee
  • October 10, 2016

Here is the config JAMF has used for doing IP whitelisting of the GUI/API. We just add this to web.xml of the web app itself (/path/to/Tomcat/webapps/ROOT/WEB-INF/web.xml). The filter defines the “approved” IPs, and the filter-mapping defines the JSPs the filter is applied to. The sample below would restrict GUI/API access to the specified IPs, while still allowing client/MDM communication from anywhere. The main thing to get below is a Regex representation of the IP addresses you wanted to allow. @david.suehring can speak more to this as he is the person who gave this to me and is much smarter than I.

<filter>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>(Regex of Matching IPs)</param-value>
    </init-param>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>404</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>

  • New Contributor
  • January 12, 2017

@mike.paul

I use this URL to create IP ranges: ipregex.
Then you can use this site to check that your IP is a match, just in case: regextester.


  • Contributor
  • January 4, 2018

Has anyone tested this for Jamf Pro 10.x? It doesn't appear to take based on my experience...


  • Contributor
  • March 8, 2018

@grahamfw Did you manage to get this working on Jamf Pro 10.*?


  • Contributor
  • March 8, 2018

@andysemak Nope. I had to abandon that for the time being.


  • Contributor
  • March 8, 2018

@grahamfw

We figured it out in the end.

Need to make the filter mapping look like this:

<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>PresentationLayerServlet</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>

Note the addition of the PresentationLayerServlet.


  • Contributor
  • March 8, 2018

@andysemak Awesome! I'll give this a try!

Just curious how you came across that? Got some resident Tomcat experts over there?


Steven_Xu
  • Contributor
  • April 25, 2019

@mike.paul and @andysemak Thanks!
I tried it on JSS 10.11.1: I added the following to web.xml and it works!
Here is the web.xml filter reference:
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Remote_Address_Filter

<!-- Beginning of Remote IP Address Filters -->
<filter>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <!-- backslashes restored: an unescaped "." matches any character and a bare "d+" never matches a digit -->
        <param-value>127\.0\.0\.1|192\.168\.101\.\d+</param-value>
    </init-param>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>404</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>PresentationLayerServlet</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>
<!-- End of Remote IP Address Filters -->

  • New Contributor
  • October 3, 2019

10.13.1 update now restricts the classic api as well if you use the filter, UAPI is unaffected.


  • New Contributor
  • October 29, 2020

Just updated from 10.23.0 to 10.25.1 and this config is no longer working. I noticed there's a fair amount of change in the web.xml with this upgrade, anyone seeing similar?


  • Valued Contributor
  • December 13, 2020

@dave.fisher Not here, we are using 10.26 and are still able to restrict access to the Jamf Pro server console with the code above.


  • New Contributor
  • December 14, 2020

Using this way as well:
/Tomcat/webapps/ROOT/WEB-INF/web.xml


  • Valued Contributor
  • May 10, 2021

Is this still working in Jamf Pro 10.28? It doesn't seem to do the trick for me anymore


JevermannNG
  • Valued Contributor
  • July 13, 2022

Just wondering if anyone found a solution...?


  • Valued Contributor
  • July 17, 2022

@JevermannNG this is what we are currently using to restrict access to our Jamf Pro server consoles based on IP.

Edit the web.xml file:

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml

Go to the bottom of the file and insert the following code just above the </web-app> handle.

<!-- Beginning of Remote IP Address Filters -->
<filter>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>< INSERT IP REGEX HERE ></param-value>
    </init-param>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>404</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>PresentationLayerServlet</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <!-- servlet-name>RestletServlet</servlet-name -->
</filter-mapping>
<!-- End of Remote IP Address Filters -->

Look for the section <INSERT IP REGEX HERE> and enter all IP addresses that you want to allow access to the console. It must be in the form of a regex separated by a pipe (|), e.g. ^127\.0\.0\.1$|^192\.168\.1\.10$
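The allow value in mike.paul's and Phantom5's posts is a single regex that Tomcat's RemoteAddrFilter compares with the whole client address, so a lost backslash or an unescaped dot silently changes who gets in. The helper below is an added example (not from the thread or from Jamf) that builds that value from plain addresses and octet-aligned prefixes, then audits it against addresses that must and must not pass, using Python's re.fullmatch as a stand-in for Java's matches().

```python
import ipaddress
import re

# Assumption: for these simple patterns, java.util.regex and Python's re
# agree, and RemoteAddrFilter requires the *entire* remote address to match
# (so the ^...$ anchors seen in the thread are redundant but harmless).


def build_allow_regex(entries):
    """Build the <param-value> for 'allow' from single IPv4 addresses and
    octet-aligned prefixes (/8, /16, /24); dots are escaped so '.' cannot
    match an arbitrary character."""
    parts = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4 or net.prefixlen % 8:
            raise ValueError(f"unsupported entry: {entry}")
        fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
        octets = [re.escape(o) for o in fixed]
        octets += [r"\d{1,3}"] * (4 - len(octets))  # wildcard octets
        parts.append(r"\.".join(octets))
    return "|".join(parts)


def is_allowed(allow_regex, remote_addr):
    """Mirror the filter's decision: allow only on a full-pattern match."""
    return re.fullmatch(allow_regex, remote_addr) is not None


def audit(allow_regex, must_allow, must_deny):
    """Return (wrongly denied, wrongly allowed) so a bad regex is caught
    before Tomcat starts handing out the configured denyStatus."""
    denied = [a for a in must_allow if not is_allowed(allow_regex, a)]
    allowed = [d for d in must_deny if is_allowed(allow_regex, d)]
    return denied, allowed


if __name__ == "__main__":
    # Constructed sample: two jump hosts plus a management /24.
    regex = build_allow_regex(["127.0.0.1", "10.9.8.7", "192.168.1.0/24"])
    print(regex)
    print(audit(regex, ["192.168.1.44", "10.9.8.7"], ["192.168.10.44", "10.9.8.70"]))
    # The thread's regex with the backslash lost never matches a real address.
    print(is_allowed("127.0.0.1|192.168.101.d+", "192.168.101.42"))
```

If Tomcat sits behind a load balancer or reverse proxy, the address the filter sees is the proxy's unless Tomcat's RemoteIpFilter or RemoteIpValve is configured ahead of it to trust that proxy's X-Forwarded-For header.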


JevermannNG
  • Valued Contributor
  • August 1, 2022


@Phantom5 Thanks a lot! I will forward the info to our Jamf Pro Hosting Service Provider... :-)


  • New Contributor
  • January 17, 2023

Hey @Phantom5, do you know if your amendment will work with URL patterns in it as well, like

<url-pattern>/api/*</url-pattern> for example?

  • New Contributor
  • January 17, 2023

Yes, API calls also use the HTTPS protocol to communicate with the JSS, so no problem there. Almost all communication with the JSS is based on the HTTPS protocol, so redirecting a message on port 443 to port 8443 would make no difference.


  • Contributor
  • November 21, 2024

Hi all, I'm trying to configure this. Can anyone tell me if Phantom5's code is still valid for JAMF 11.5? I've tried several different regular expressions and I get a 404 block every time.