- Jamf Nation Community
- Products
- Jamf Pro
- JAMF Pro in DMZ - Remove API documentation.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-16-2024 07:23 PM
Hi Guys,
I've been following the documentation and training videos for setting up a limited access DMZ deployment of Jamf Pro, which for the most part has been easy to follow. I've updated web.xml to block access to the api servlet, but wanted to remove the documentation as well. The relevant step in that training instructs you to remove the API directory from the web root to stop the API documentation being accessible... only there is no API directory on my deployment. If I access: https://jamfproserver:8443/api I'm presented with a page that allows me to choose between "classic API" and "JAMF Pro API" pages. I've removed the classicapi directory, so it 404s, but the JAMF Pro API link takes me to active documentation.
I assume this folder has simply been moved and the training / documentation is lagging behind, in which case I'd love to know where it's now located. Any help appreciated!
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-17-2024 07:10 AM
Here are my notes on how I disabled it. But you had to perform these steps EVERY update. It became much easier to put a load balancer or proxy in front of it.
On JSS versions later than 10.22:
On the JSS server:
(Linux) Go to /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/
(Windows) Go to c:\program files\JSS\Tomcat\webapps\ROOT\WEB-INF\
Open the web.xml in a text editor (vi for Linux, notepad++ for Windows). The second line in the file will look similar to this:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
Add a new line after the above line and insert the text below:
<filter>
<filter-name>API Restrictions Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>deny</param-name>
<param-value>.*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>API Restrictions Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>UAPI Restrictions Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>deny</param-name>
<param-value>.*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UAPI Restrictions Filter</filter-name>
<url-pattern>/uapi/doc/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>UAPI-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UAPI-RemoteAddrFilter</filter-name>
<url-pattern>/uapi/doc/*</url-pattern>
</filter-mapping>
Find filter-name AccessFilter-Other and add - usually the second "AccessFilter-Other" - the area looks similar to this.
<servlet-name>EnrollmentController</servlet-name>
<servlet-name>RestletServlet</servlet-name>
<servlet-name>SpringUAPIDispatcher</servlet-name>
<servlet-name>default</servlet-name>
<servlet-name>PerformanceAutomationTriggers</servlet-name>
Once the web.xml file is updated with the filter settings, save it, close the editor.
Then sudo mv /usr/local/jss/tomcat/webapps/ROOT/classicapi /usr/local/jss/tomcat/webapps/ROOT/.apigone
restart tomcat.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-17-2024 07:10 AM
Here are my notes on how I disabled it. But you had to perform these steps EVERY update. It became much easier to put a load balancer or proxy in front of it.
On JSS versions later than 10.22:
On the JSS server:
(Linux) Go to /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/
(Windows) Go to c:\program files\JSS\Tomcat\webapps\ROOT\WEB-INF\
Open the web.xml in a text editor (vi for Linux, notepad++ for Windows). The second line in the file will look similar to this:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
Add a new line after the above line and insert the text below:
<filter>
<filter-name>API Restrictions Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>deny</param-name>
<param-value>.*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>API Restrictions Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>UAPI Restrictions Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>deny</param-name>
<param-value>.*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UAPI Restrictions Filter</filter-name>
<url-pattern>/uapi/doc/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>UAPI-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UAPI-RemoteAddrFilter</filter-name>
<url-pattern>/uapi/doc/*</url-pattern>
</filter-mapping>
Find filter-name AccessFilter-Other and add - usually the second "AccessFilter-Other" - the area looks similar to this.
<servlet-name>EnrollmentController</servlet-name>
<servlet-name>RestletServlet</servlet-name>
<servlet-name>SpringUAPIDispatcher</servlet-name>
<servlet-name>default</servlet-name>
<servlet-name>PerformanceAutomationTriggers</servlet-name>
Once the web.xml file is updated with the filter settings, save it, close the editor.
Then sudo mv /usr/local/jss/tomcat/webapps/ROOT/classicapi /usr/local/jss/tomcat/webapps/ROOT/.apigone
restart tomcat.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-17-2024 07:11 AM
This causes enrollment customization to NOT work when coming from outside because it requires access to a non public API jamf uses.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-17-2024 04:14 PM
Thanks Boberito, I'll give this a go. Appreciate your help!
