How to Block API Web Interface Page Access


(warning) Note that the configuration changes below are not officially supported by Atlassian. Back up your instance before you proceed with the solution.

Purpose

In some circumstances, an administrator needs to block any form of API key generation through the web interface from specific IP addresses for security purposes. The

(warning) This will not stop users from creating API tokens via the API method itself (Generate token); only the web pages are blocked.

Solution

  • Obtain root access on the instance:

    sudo dont-blame-hipchat
  • Edit the /etc/nginx/sites-enabled/000-web file using your preferred text editor. In this example, nano:

    nano /etc/nginx/sites-enabled/000-web
  • Define the whitelisted IP ranges at the top of the file, outside the server blocks (the file is included in nginx's http context, where geo must live). The range below is only an example; substitute your own trusted range:

    # 0 is allowed, 1 is denied
    geo $blacklisted_ips
    {
      11.111.11.11/24  0;
      default         1;
    }
  • In the server section that is listening on port 443, add conditions so that the API pages are not served to blacklisted IPs. nginx's if cannot combine two conditions directly, so a flag variable is built from both checks and the request is rejected only when both matched:

      # first condition: the source address is outside the whitelisted range
      if ($blacklisted_ips)
      {
        set $notallowed IP;
      }
    
    
      # second condition: the request is for one of the API pages
      if ($request_uri ~ (/account/api|/admin/api))
      {
        set $notallowed "${notallowed}LOC";
      }
      
      # both conditions matched: refuse the page
      if ($notallowed = IPLOC)
      {
        return 403;
      }
  • Reload the nginx service for the changes to take effect:

    service nginx reload
  • Once you have validated the behavior, make the same changes to /hipchat-scm/chef-repo/cookbooks/hipchat_web/templates/default/web-site-btf.erb so that they persist across reboots and Chef runs (see How to change files maintained by Chef in HipChat Server).
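The following is an added example, not configuration taken from the article or shipped with HipChat Server: the pieces from the steps above merged into one fragment of /etc/nginx/sites-enabled/000-web, with two practitioner caveats the steps do not mention. The 203.0.113.0/24 range and the 10.0.0.5 proxy address are placeholders (assumptions), and the anchored regular expression is a tightening of the article's pattern, not the article's own.

```nginx
# Added example (not from the original article). Replace 203.0.113.0/24 with
# the range you actually want to allow.

# 0 = allowed, 1 = denied. geo evaluates $remote_addr by default.
geo $blacklisted_ips {
    # Caveat 1: if a trusted load balancer or reverse proxy sits in front of
    # nginx, every client appears to come from the proxy's address and the
    # whitelist is meaningless. Declaring the proxy makes geo evaluate the
    # client address from X-Forwarded-For instead. 10.0.0.5 is an assumed
    # address; leave these commented out if nginx is reached directly.
    # proxy 10.0.0.5;
    # proxy_recursive;

    203.0.113.0/24  0;
    default         1;
}

server {
    listen 443 ssl;
    # ... the existing HipChat server settings stay as they are ...

    # nginx's if cannot AND two conditions, so build a flag from both checks.
    if ($blacklisted_ips) {
        set $notallowed IP;
    }

    # Caveat 2: $request_uri includes the query string and the article's
    # pattern is unanchored, so it also matches any path that merely
    # contains /account/api. Anchoring it to the start of the path keeps the
    # rule limited to the two pages this article is about.
    if ($request_uri ~ ^/(account|admin)/api) {
        set $notallowed "${notallowed}LOC";
    }

    # Only a non-whitelisted source asking for an API page sets both parts.
    if ($notallowed = IPLOC) {
        return 403;
    }

    # ... existing location blocks ...
}
```

Before reloading, run `nginx -t` so a typo in the geo block does not take the whole site down. Then verify from an address outside the range that `curl -k -o /dev/null -w '%{http_code}\n' https://<your-host>/account/api` returns 403 while a whitelisted address still receives the page, and that an unrelated path such as the login page is still served to everyone. Because the rule inspects only the page path, the REST endpoints that issue tokens remain reachable, which is the limitation the warning in the Purpose section describes.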



Last updated: 2 November 2018
