Page Edited: qpid: IP Whitelisting
IP Whitelisting has been edited by Aidan Skinner (Feb 02, 2009).

Content:

While using a properly configured firewall is the obvious way to restrict access to a broker, it's occasionally desirable to do this on the broker itself.

Configuration

Everybody loves XML.

Elements inside <whitelist> would be <rule> or <include file="path" />. <external-whitelist> would contain further <rule> entries, but not <include>. If the host attribute was specified, the broker would check its hostname against the attribute and cause a fatal error on startup if it did not match.

<rule> would have action, virtualhost, hostname and network attributes. Action and one of host or network would be mandatory. Virtualhost would be optional; if specified, the rule would apply only to that virtualhost. The action attribute would be either allow or deny. Host contains a comma separated list of regexps against which it would match the reverse DNS lookup of the connecting IP. Network contains a comma separated list of CIDR networks against which the IP would be matched.

The first <rule> which matched the connection would apply. If no rules applied, the default-action would apply.

For example, the following could appear in config.xml:

<whitelist default-action="deny">
  <rule action="allow" hostname="*.qpid.apache.org" virtualhost="dev"/>
  <include file="/path/to/file" />
  <rule action="allow" network="192.168.1.0/24" />
  <rule action="allow" network="10.0.0.0/8" />
</whitelist>

and /path/to/file could contain:

<external-whitelist host="broker1.qpid.apache.org">
  <rule action="deny" network="192.168.1.0/24" virtualhost="prod"/>
</external-whitelist>

Any machine in the qpid.apache.org domain could access dev.
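The following is an added, illustrative evaluator for the proposed rule semantics (first matching rule wins, include expanded in place, host attribute checked against the broker name, default-action as fallback); it is not Qpid code. It assumes the included file is supplied in memory rather than read from disk, that hostname patterns are glob-style like the "*.qpid.apache.org" sample (the prose says regexps), and that the reverse DNS name is passed in rather than looked up, since PTR records are controlled by whoever owns the connecting address space and should be trusted less than a network rule.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs, copied from the page's config.xml and /path/to/file examples.
MAIN_XML = """<whitelist default-action="deny">
  <rule action="allow" hostname="*.qpid.apache.org" virtualhost="dev"/>
  <include file="/path/to/file" />
  <rule action="allow" network="192.168.1.0/24" />
  <rule action="allow" network="10.0.0.0/8" />
</whitelist>"""
INCLUDES = {"/path/to/file": """<external-whitelist host="broker1.qpid.apache.org">
  <rule action="deny" network="192.168.1.0/24" virtualhost="prod"/>
</external-whitelist>"""}


def load_rules(main_xml, includes, broker_hostname):
    """Flatten <whitelist> into an ordered rule list; <include> is expanded where it appears."""
    root = ET.fromstring(main_xml)
    rules = []
    for el in root:
        if el.tag == "rule":
            rules.append(dict(el.attrib))
        elif el.tag == "include":
            ext = ET.fromstring(includes[el.get("file")])
            # An external file bound to a different broker is a fatal startup error.
            if ext.get("host") is not None and ext.get("host") != broker_hostname:
                raise ValueError("external whitelist is for host %s" % ext.get("host"))
            rules.extend(dict(r.attrib) for r in ext.findall("rule"))
    return rules, root.get("default-action")


def rule_matches(rule, ip, rdns_name, virtualhost):
    """A rule applies only to its virtualhost (if given) and to one network or hostname list."""
    if "virtualhost" in rule and rule["virtualhost"] != virtualhost:
        return False
    if "network" in rule:
        return any(ip in ipaddress.ip_network(n.strip()) for n in rule["network"].split(","))
    patterns = rule.get("hostname") or rule.get("host")
    if patterns and rdns_name:  # no reverse name means a hostname rule cannot match
        return any(fnmatch.fnmatchcase(rdns_name, p.strip()) for p in patterns.split(","))
    return False


def decide(rules, default_action, ip, virtualhost, rdns_name=None):
    """Return 'allow' or 'deny': first matching rule wins, else the default-action."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule_matches(rule, addr, rdns_name, virtualhost):
            return rule["action"]
    return default_action
```

Note that the included deny rule precedes the 192.168.1.0/24 allow rule, so a prod connection from that subnet is refused while a dev connection from the same address is admitted; reordering the include would silently invert that.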