rest api - limit ip sources

Anyone know how to limit IP addresses *in subnet notation* that are able to communicate with the REST API?
rest api allowed-source - how to use subnet notation

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources "123.123.0.64/26"
^
invalid input at '/26' in ip address '123.123.0.64/26' at '123.123.0.64/26'

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources [123.123.0.64 /26]
error: invalid ip address or hostname: /26: /26

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources [123.123.0.64/26]
error: invalid input at '/26' in ip address '123.123.0.64/26': 123.123.0.64/26

*** this works, but it's only one IP address, and I need to allow many more.

{master:0}[edit]
agould@eng-lab-5048-2# set system services rest control allowed-sources 123.123.0.80

{master:0}[edit]

-Aaron

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: rest api - limit ip sources

Hi Aaron,

> Anyone know how to limit IP addresses *in subnet notation* that are able
> to communicate with the REST API?

This does not seem to be possible with "allowed-sources". IPv4 addresses
specified under "allowed-sources" are used in the /mfs/var/etc/lighttpd.conf
configuration file in a regular-expression not-match (!~), which does not
support a subnet mask. In theory, one could specify the network as a regex, but
this is not supported by the Junos XML schema, which requires the value of
"allowed-sources" to be ipv4addr (
https://www.juniper.net/documentation/en_US/junos-sdk/10.2/DDLRefGuide/op_type_ip_addresses.html),
i.e. the only value "allowed-sources" accepts is an IPv4 address.

Can't you use RE firewall filters?

In addition, at least in Junos 18.2R1.9 the filtering implementation based
on the client IPv4 address is faulty. For example, if one allows the following
two addresses:

user> show configuration system services rest control
allowed-sources [ 10.5.5.123 10.5.5.25 ];

user>

.. then this translates to the lighttpd conditional configuration below:

root@:/var/home/user # head -4 /mfs/var/etc/lighttpd.conf
server.document-root = "/www/null"
$HTTP["remoteip"] !~ "10.5.5.25|10.5.5.123" {
url.access-deny = ( "" )
}
root@:/var/home/user #

However, this doesn't permit just 10.5.5.123 and 10.5.5.25, but also, for
example, 10.5.5.250 or 10.5.5.254.


WBR,
Martin
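The regex behaviour Martin describes, as an added example that is not part of the thread and not Junos or lighttpd code: a Python model of the `$HTTP["remoteip"] !~ "10.5.5.25|10.5.5.123"` condition quoted above, run over a constructed set of client addresses, placed beside an anchored and dot-escaped pattern and a CIDR check built on `ipaddress`. The loose pattern reproduces exactly what the quoted lighttpd.conf shows (alternatives joined with `|`, no anchors, bare dots); the anchored pattern and the CIDR check are assumptions about what a fix would look like, not something the page shows Junos generating.

```python
import ipaddress
import re

# The two addresses from Martin's allowed-sources example.
ALLOWED = ["10.5.5.25", "10.5.5.123"]

# Constructed sample client addresses: the two allowed ones, the
# 10.5.5.250/254 case from the post, and a few more probes.
CLIENTS = [
    "10.5.5.25",    # allowed
    "10.5.5.123",   # allowed
    "10.5.5.250",   # should be denied; matches "10.5.5.25" as a prefix
    "10.5.5.254",   # same
    "110.5.5.25",   # should be denied; "10.5.5.25" is a substring
    "10.515.123",   # should be denied; unescaped dots match '1' and '5'
    "10.5.5.2",     # should be denied, and is
]


def junos_style_pattern(allowed):
    """Build the pattern the way the quoted lighttpd.conf shows it:
    alternatives joined with '|', no anchors, dots left unescaped."""
    return "|".join(allowed)


def denied_by_junos_pattern(pattern, client):
    """lighttpd's `!~` denies when the regex does NOT match anywhere in
    the remote address; re.search models that unanchored match."""
    return re.search(pattern, client) is None


def anchored_pattern(allowed):
    """Hardened form (an assumption, not what Junos generates): escape
    every alternative and anchor the whole group so only an exact
    address matches."""
    return "^(?:" + "|".join(re.escape(a) for a in allowed) + ")$"


def denied_by_anchored_pattern(pattern, client):
    return re.search(pattern, client) is None


def denied_by_cidr(allowed_networks, client):
    """What Aaron asked for: subnet-notation matching. Done with the
    ipaddress module rather than a regex, since a mask is not a string
    property of the address."""
    addr = ipaddress.ip_address(client)
    return not any(
        addr in ipaddress.ip_network(net, strict=False)
        for net in allowed_networks
    )


def evaluate(clients=CLIENTS, allowed=ALLOWED):
    """Return {client: (denied_by_loose_regex, denied_by_anchored_regex)}."""
    loose = junos_style_pattern(allowed)
    strict = anchored_pattern(allowed)
    return {
        c: (denied_by_junos_pattern(loose, c),
            denied_by_anchored_pattern(strict, c))
        for c in clients
    }


if __name__ == "__main__":
    for client, (loose_denied, strict_denied) in evaluate().items():
        print(f"{client:12}  loose: {'deny' if loose_denied else 'ALLOW'}"
              f"  anchored: {'deny' if strict_denied else 'ALLOW'}")
    # Aaron's working single address against the /26 he wanted.
    print("123.123.0.80 in 123.123.0.64/26:",
          not denied_by_cidr(["123.123.0.64/26"], "123.123.0.80"))
```

Running it shows 10.5.5.250, 10.5.5.254, 110.5.5.25 and 10.515.123 all getting through the loose pattern, which is the failure Martin reports; the unescaped dots let even the third octet be rewritten. That is also why a firewall filter on the Routing Engine, as Martin suggests, is the better control: it matches on prefixes natively instead of on the textual form of the address.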