Posted on 10-22-2015 09:53 AM
At one of the JNUC sessions, I could swear that a presenter commented that you could restrict access to the web console to specific IP ranges. This would be a good workaround for us to limit access to our 2FA jump host IPs rather than building a limited access JSS for this purpose.
Am I taking crazy pills and made this up, or does anyone know how to configure such access, maybe via Tomcat settings?
Posted on 10-26-2015 10:23 AM
Shameless bump... I am pretty certain this can be done with Tomcat configurations, but everything I've tried just breaks the JSS entirely.
Posted on 10-26-2015 11:15 AM
It seems normal client management interactions and the management console are too closely related.
It's a shame it doesn't just have two ports, one for clients, and one for management.
The only way I've achieved it is to have two tomcat servers configured with load balancing, the client one set as limited access and the management one restricted to specific IPs by firewall rules. It works but is really over complicated.
Posted on 10-26-2015 11:33 AM
Yeah, that is what I am planning to do if needed, but I was hoping to avoid new infrastructure due to the timeline involved. It's probably how this will end up.
Posted on 10-08-2016 08:57 PM
Any update? It seems some people did it. Do we really need to figure this out by ourselves from the logs? ...
Posted on 10-10-2016 01:27 PM
Here is the config JAMF has used for doing IP whitelisting of the GUI/API. We just add this to web.xml of the web app itself (/path/to/Tomcat/webapps/ROOT/WEB-INF/web.xml). The filter defines the “approved” IPs, and the filter-mapping defines the JSPs the filter is applied to. The sample below would restrict GUI/API access to the specified IPs, while still allowing client/MDM communication from anywhere. The main thing to get below is a Regex representation of the IP addresses you wanted to allow. @david.suehring can speak more to this as he is the person who gave this to me and is much smarter than I.
<filter>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>(Regex of Matching IPs)</param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<servlet-name>FrontEndController</servlet-name>
<servlet-name>FrontEndUploadController</servlet-name>
<servlet-name>RestletServlet</servlet-name>
</filter-mapping>
Posted on 01-12-2017 04:36 AM
I use this URL to create IP-rages ipregex.
Then you can use this site to check that your IP is a match just in case regextester.
Posted on 01-04-2018 11:52 AM
Has anyone tested this for Jamf Pro 10.x? It doesn't appear to take based on my experience...
Posted on 03-08-2018 01:16 AM
@grahamfw Did you manage to get this working on Jamf Pro 10.*?
Posted on 03-08-2018 01:18 PM
@andysemak Nope. I had to abandon that for the time being.
Posted on 03-08-2018 01:23 PM
We figured it out in the end.
Need to make the filter mapping look like this
<filter-mapping> <filter-name>Custom-RemoteAddrFilter</filter-name> <servlet-name>FrontEndController</servlet-name> <servlet-name>PresentationLayerServlet</servlet-name> <servlet-name>FrontEndUploadController</servlet-name> <servlet-name>RestletServlet</servlet-name> </filter-mapping>
Note the addition of the PresentationLayerServelt
Posted on 03-08-2018 01:25 PM
@andysemak Awesome! I'll give this a try!
Just curious how you came across that? Got some resident Tomcat experts over there?
Posted on 04-25-2019 07:06 AM
@mike.paul and @andysemak Thanks!
I tried on JSS 10.11.1, I added the following to web.xml and it works!
Here is the web.xml filter reference
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Remote_Address_Filter
<!-- Beginning of Remote IP Address Filters -->
<filter>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>127.0.0.1|192.168.101.d+</param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<servlet-name>FrontEndController</servlet-name>
<servlet-name>PresentationLayerServlet</servlet-name>
<servlet-name>FrontEndUploadController</servlet-name>
<servlet-name>RestletServlet</servlet-name>
</filter-mapping>
<!-- End of Remote IP Address Filters -->
Posted on 10-03-2019 06:14 AM
10.13.1 update now restricts the classic api as well if you use the filter, UAPI is unaffected.
Posted on 10-29-2020 04:55 AM
Just updated from 10.23.0 to 10.25.1 and this config is no longer working. I noticed there's a fair amount of change in the web.xml with this upgrade, anyone seeing similar?
Posted on 12-13-2020 02:50 PM
@dave.fisher Not here, we are using 10.26 and still being able to restrict access to the Jamf pro server console with the code above.
Posted on 12-14-2020 05:41 AM
using this way as well
/Tomcat/webapps/ROOT/WEB-INF/web.xml)
Posted on 05-10-2021 12:55 PM
Is this still working in Jamf Pro 10.28? It doesn't seem to do the trick for me anymore
Posted on 07-13-2022 05:31 AM
Just wondering if anyone found a solution...?
Posted on 07-17-2022 06:27 AM
@JevermannNG this what we are currently using to restrict access to our Jamf Pro server consoles based on IP.
Edit the file web.xml file
/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml
Go to the bottom of the file and insert the following code just above the </web-app> handle.
<!-- Beginning of Remote IP Address Filters -->
<filter>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>< INSERT IP REGEX HERE ></param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<servlet-name>FrontEndController</servlet-name>
<servlet-name>PresentationLayerServlet</servlet-name>
<servlet-name>FrontEndUploadController</servlet-name>
<!-- servlet-name>RestletServlet</servlet-name -->
</filter-mapping>
<!-- End of Remote IP Address Filters -->
Look for the section <INSERT IP REGEX HERE> and enter all IP addresses that you want to allow access to the console. It must be in the form of a regex separated by a pipe (|). e.g. ^127\.0\.0\.1$|^192\.168\.1\.10$
Posted on 08-01-2022 01:06 AM
@Phantom5 Thanks al lot! I will forward the info to our Jamf Pro Hosting Service Provider... :-)
Posted on 01-17-2023 12:05 PM
Hey @Phantom5, do you know if your amendment will work with url patterns in it as well. like
Posted on 01-17-2023 03:00 PM
Yes, API calls are also using the HTTPS protocol to communicate with the JSS so no problem there. Almost all communication with the JSS is based on the HTTPS protocol, so redirecting a message on port 443 to port 8443 would make not difference.
a month ago
Hi all, I'm trying to configure this. Can anyone tell me if Phantom5's code is still valid for JAMF 11.5? I've tried several different regular expressions and I get a 404 block every time.