Restrict JSS console access by IP range

alexjdale
Valued Contributor III

At one of the JNUC sessions, I could swear that a presenter commented that you could restrict access to the web console to specific IP ranges. This would be a good workaround for us to limit access to our 2FA jump host IPs rather than building a limited access JSS for this purpose.

Am I taking crazy pills and made this up, or does anyone know how to configure such access, maybe via Tomcat settings?

22 REPLIES 22

alexjdale
Valued Contributor III

Shameless bump... I am pretty certain this can be done with Tomcat configurations, but everything I've tried just breaks the JSS entirely.

davidacland
Honored Contributor II

It seems normal client management interactions and the management console are too closely related.

It's a shame it doesn't just have two ports, one for clients, and one for management.

The only way I've achieved it is to have two tomcat servers configured with load balancing, the client one set as limited access and the management one restricted to specific IPs by firewall rules. It works but is really over complicated.

alexjdale
Valued Contributor III

Yeah, that is what I am planning to do if needed, but I was hoping to avoid new infrastructure due to the timeline involved. It's probably how this will end up.

__Milton__
New Contributor

Any update? It seems some people did it. Do we really need to figure this out by ourselves from the logs? ...

mike_paul
Contributor III
Contributor III

Here is the config JAMF has used for doing IP whitelisting of the GUI/API. We just add this to web.xml of the web app itself (/path/to/Tomcat/webapps/ROOT/WEB-INF/web.xml). The filter defines the “approved” IPs, and the filter-mapping defines the JSPs the filter is applied to. The sample below would restrict GUI/API access to the specified IPs, while still allowing client/MDM communication from anywhere. The main thing to get below is a Regex representation of the IP addresses you wanted to allow. @david.suehring can speak more to this as he is the person who gave this to me and is much smarter than I.

<filter>
 <filter-name>Custom-RemoteAddrFilter</filter-name>
 <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
 <init-param>
     <param-name>allow</param-name>
     <param-value>(Regex of Matching IPs)</param-value>
 </init-param>
 <init-param>
     <param-name>denyStatus</param-name>
     <param-value>404</param-value>
 </init-param>
</filter>
<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>

aulin
New Contributor

@mike.paul

I use this URL to create IP-rages ipregex.
Then you can use this site to check that your IP is a match just in case regextester.

grahamfw
New Contributor III

Has anyone tested this for Jamf Pro 10.x? It doesn't appear to take based on my experience...

andysemak
Contributor

@grahamfw Did you manage to get this working on Jamf Pro 10.*?

grahamfw
New Contributor III

@andysemak Nope. I had to abandon that for the time being.

andysemak
Contributor

@grahamfw

We figured it out in the end.

Need to make the filter mapping look like this

<filter-mapping> <filter-name>Custom-RemoteAddrFilter</filter-name> <servlet-name>FrontEndController</servlet-name> <servlet-name>PresentationLayerServlet</servlet-name> <servlet-name>FrontEndUploadController</servlet-name> <servlet-name>RestletServlet</servlet-name> </filter-mapping>

Note the addition of the PresentationLayerServelt

grahamfw
New Contributor III

@andysemak Awesome! I'll give this a try!

Just curious how you came across that? Got some resident Tomcat experts over there?

Steven_Xu
Contributor

@mike.paul and @andysemak Thanks!
I tried on JSS 10.11.1, I added the following to web.xml and it works!
Here is the web.xml filter reference
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Remote_Address_Filter

<!-- Beginning of Remote IP Address Filters -->
  <filter>
  <filter-name>Custom-RemoteAddrFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
     <param-name>allow</param-name>
     <param-value>127.0.0.1|192.168.101.d+</param-value>
  </init-param>
  <init-param>
     <param-name>denyStatus</param-name>
     <param-value>404</param-value>
  </init-param>
 </filter>
 <filter-mapping>
     <filter-name>Custom-RemoteAddrFilter</filter-name>
     <servlet-name>FrontEndController</servlet-name>
     <servlet-name>PresentationLayerServlet</servlet-name>
     <servlet-name>FrontEndUploadController</servlet-name>
     <servlet-name>RestletServlet</servlet-name>
 </filter-mapping>
 <!-- End of Remote IP Address Filters -->

vaksai
New Contributor II

10.13.1 update now restricts the classic api as well if you use the filter, UAPI is unaffected.

dave_fisher
New Contributor

Just updated from 10.23.0 to 10.25.1 and this config is no longer working. I noticed there's a fair amount of change in the web.xml with this upgrade, anyone seeing similar?

Phantom5
Contributor II

@dave.fisher Not here, we are using 10.26 and still being able to restrict access to the Jamf pro server console with the code above.

kai_wang1
New Contributor III

using this way as well
/Tomcat/webapps/ROOT/WEB-INF/web.xml)

Phantom5
Contributor II

Is this still working in Jamf Pro 10.28? It doesn't seem to do the trick for me anymore

JevermannNG
Contributor II

Just wondering if anyone found a solution...?

 

Phantom5
Contributor II

@JevermannNG this what we are currently using to restrict access to our Jamf Pro server consoles based on IP.

Edit the file web.xml file 

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml

Go to the bottom of the file and insert the following code just above the </web-app> handle.

 

<!-- Beginning of Remote IP Address Filters -->
<filter>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>< INSERT IP REGEX HERE ></param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Custom-RemoteAddrFilter</filter-name>
<servlet-name>FrontEndController</servlet-name>
<servlet-name>PresentationLayerServlet</servlet-name>
<servlet-name>FrontEndUploadController</servlet-name>
<!-- servlet-name>RestletServlet</servlet-name -->
</filter-mapping>
<!-- End of Remote IP Address Filters -->

 

 

Look for the section <INSERT IP REGEX HERE> and enter all IP addresses that you want to allow access to the console. It must be in the form of a regex separated by a pipe (|). e.g. ^127\.0\.0\.1$|^192\.168\.1\.10$

@Phantom5  Thanks al lot! I will forward the info to our Jamf Pro Hosting Service Provider... :-)

Axellink
New Contributor II

Hey @Phantom5, do you know if your amendment will work with url patterns in it as well.  like 

<url-pattern>/api/*</url-pattern> for example?  

falabella_cst
New Contributor II

Yes, API calls are also using the HTTPS protocol to communicate with the JSS so no problem there. Almost all communication with the JSS is based on the HTTPS protocol, so redirecting a message on port 443 to port 8443 would make not difference.