Restricting AM REST Administration to Certain IP Addresses Using Apache mod_rewrite Module

Introduction

There are numerous ways to restrict and protect REST calls by implementing the correct logic in the proxy layer. ForgeRock® Identity Gateway (IG) or an API Gateway can be used to accomplish this type of use case. The approach I will be discussing utilizes basic Apache mod_rewrite rules to only allow ForgeRock® Access Management (AM) REST administration from a specific set of IP addresses.

Prerequisites

Enable the module

For reference, my lab environment is running the following:

  • Two load-balanced (mod_proxy) AM servers (6.5.x)
  • Apache 2.4.6/CentOS 7

To enable mod_rewrite, navigate to the base configuration file and uncomment the mod_rewrite line if needed.

vi /etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module modules/mod_rewrite.so 

Configure rewrite rules

A .htaccess file can be created to modify rewrite rules without using the httpd configuration file. Make sure Apache allows the use of this file:

<Directory "/var/www">
 AllowOverride All
 # Allow open access:
 Require all granted
</Directory>

The rewrite rules for this exercise are defined as:

<Location /openam652/>
RewriteEngine On
RewriteCond %{HTTP:X-OpenAM-Username} amadmin [NC]
# Anchor with $ so only this exact address is exempt (an unanchored prefix would also match 192.168.1.70-79)
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.7$
RewriteRule . - [R=403,L]
</Location>

The rule above inspects the X-OpenAM-Username header: any request whose header value contains ‘amadmin’ (case-insensitively, because of the [NC] flag) is answered with a 403, unless the request originates from IP 192.168.1.7. Because Apache itself is the load balancer here, REMOTE_ADDR is the real client address rather than that of an upstream proxy.

Note: You can use the LocationMatch directive to match the path with a regex, and prefix the pattern with (?i) to make that match case-insensitive.
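As an added check (not from the original post), the following Python model evaluates the two RewriteCond lines with Python's re module rather than Apache, against constructed requests. It assumes mod_rewrite's documented semantics (conditions are ANDed by default, a CondPattern is an unanchored regex search, [NC] means case-insensitive) and shows why the REMOTE_ADDR pattern needs a trailing $: without it, any address beginning with 192.168.1.7, such as 192.168.1.70, satisfies the exemption.

```python
import re

# Constructed model of the page's <Location> block, not Apache itself.
# Each condition: (server variable, CondPattern, negated with '!', [NC] flag).
RULES_UNANCHORED = [
    ("HTTP:X-OpenAM-Username", r"amadmin", False, True),   # [NC]
    ("REMOTE_ADDR", r"^192\.168\.1\.7", True, False),      # prefix only
]
RULES_ANCHORED = [
    ("HTTP:X-OpenAM-Username", r"amadmin", False, True),
    ("REMOTE_ADDR", r"^192\.168\.1\.7$", True, False),     # exact address
]


def cond_matches(value, pattern, negate, nocase):
    """Evaluate one RewriteCond: unanchored search, optional [NC], optional '!'."""
    flags = re.IGNORECASE if nocase else 0
    hit = re.search(pattern, value, flags) is not None
    return (not hit) if negate else hit


def decide(rules, remote_addr, headers):
    """Return 403 if every condition holds (RewriteRule fires), else 200."""
    variables = {"remote_addr": remote_addr}
    for name, value in headers.items():
        # Apache exposes request headers as %{HTTP:Header-Name}, name case-insensitive
        variables["http:" + name.lower()] = value
    for var, pattern, negate, nocase in rules:
        if not cond_matches(variables.get(var.lower(), ""), pattern, negate, nocase):
            return 200  # a failed condition means the rule does not fire
    return 403


if __name__ == "__main__":
    for addr in ("192.168.1.7", "192.168.1.10", "192.168.1.70"):
        print(addr, "unanchored:", decide(RULES_UNANCHORED, addr, {"X-OpenAM-Username": "amadmin"}),
              "anchored:", decide(RULES_ANCHORED, addr, {"X-OpenAM-Username": "amadmin"}))
```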

Result

From IP 192.168.1.10:

curl -X POST -H "X-OpenAM-Username: tuser1" -H "X-OpenAM-Password: Password1" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k http://lb.example.com/openam652/json/realms/root/authenticate
{"tokenId":"Yktxsc3LaDgVhFEuQ1BHxSQV-7s.*AAJTSQACMDIAAlNLABw5aXlMUkxTNDZOOFVPaHNyS1JWTE9nV091Y0U9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","successUrl":"/openam652/console","realm":"/"}
curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k http://lb.example.com/openam652/json/realms/root/authenticate
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /openam652/json/realms/root/authenticate
on this server.</p>
</body></html>

From IP 192.168.1.7:

curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" -k http://lb.example.com/openam652/json/realms/root/authenticate
{"tokenId":"XNPn56PB-wOQ_yoqgPmHTvejl9c.*AAJTSQACMDIAAlNLABxTMVFRSjl4dkR3YzdmWXpLWUg2VlozcTVia2s9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","successUrl":"/openam652/console","realm":"/"}

Conclusion

The Apache mod_rewrite module is a powerful tool. This example can serve as a stepping stone for developing more specific rules to suit your own requirements and use cases. The key is to allowlist and denylist appropriately, matching exact addresses rather than prefixes.

For more information on how to control access using this module, visit https://httpd.apache.org/docs/trunk/rewrite/access.html.
