Koozali.org: home of the SME Server

restrict access to mediawiky by IP

Offline larieu

restrict access to mediawiky by IP
« on: June 26, 2010, 08:47:45 PM »
I remember that I saw somewhere in the forum that this is possible
I searched for around 20 minutes here and I didn't find it
:(

What I want:
SME server with mediawiki

mediawiki is intended for "internal use only"
but now I have to give access to several branches
the server will be accessed by the WAN (public) interface from those branches
I intend to make a "list" of IPs and grant access to /myserver.org/wiki only from those IPs

please give me one hint to find that post again
thanks


if everybody's life around you is better, probably yours will be better
just try to improve their life

Offline magwm

Re: restrict access to mediawiky by IP
« Reply #1 on: July 06, 2010, 10:58:40 AM »
I do this by restricting access on the router, not on sme.
MagWm

Offline janet

Re: restrict access to mediawiky by IP
« Reply #2 on: July 06, 2010, 11:09:59 AM »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline larieu

Re: restrict access to mediawiky by IP
« Reply #3 on: July 06, 2010, 11:34:09 AM »
mary

it seems exactly what I need
I'll check it

magwm

it's what I've used but I'll check also mary's one

or maybe both (I think double security will not harm)

many thanks

Offline larieu

Re: restrict access to mediawiky by IP
« Reply #4 on: July 10, 2010, 08:14:34 PM »
I have tried this
unfortunately from the WAN side I have the same ERROR 403 = Forbidden

Main page is OK (it's set to public)
but https://myservername/wiki gives me forbidden

I have tried the following modes, each time issuing
signal-event remoteaccess-update
and even
signal-event post-upgrade / reboot

1.

Code:
config show mediawiki
mediawiki=service
    AllowHosts=IP1,IP2,...,IPn
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    Name=MediaWiki
    PublicAccess=local

in this way I receive error 403
and only the local network can access it

2.
Code:
config show mediawiki
mediawiki=service
    AllowHosts=IP1,IP2,...,IPn
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    Name=MediaWiki
    PublicAccess=private

in this way all IPs can access it (tested from one IP not in the AllowHosts list)

:(

3.

Code:
config show mediawiki
mediawiki=service
    DenyHosts=IP_test1,IP_test2
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    Name=MediaWiki
    PublicAccess=public

in this way I was able to access it from both test IPs

:(

4.
Code:
config show mediawiki
mediawiki=service
    AllowHosts=IP1,IP2,...,IPn
    DenyHosts=0.0.0.0/0
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    Name=MediaWiki
    PublicAccess=public

with IP_test1 and IP_test2 not in the AllowHosts list
in this mode the test hosts were able to access it

:(

5.
Code:
config show mediawiki
mediawiki=service
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    HostsAllow=IP1,IP2,...,IPn
    Name=MediaWiki
    PublicAccess=local

the same old error 403 = forbidden :(

I also tried several of these combinations with IP/32

Any idea where I'm wrong?
« Last Edit: July 10, 2010, 08:27:42 PM by larieu »

Offline janet

Re: restrict access to mediawiky by IP
« Reply #5 on: July 11, 2010, 12:13:51 AM »
larieu

Remove this from 4
DenyHosts=0.0.0.0/0

to read

Code:
config show mediawiki
mediawiki=service
    AllowHosts=externalIP1,externalIP2
    DbName=mediawiki
    DbUser=mediawikiuser
    HTTPS=on
    Name=MediaWiki
    PublicAccess=public


Is your SME server in server gateway mode ?
« Last Edit: July 11, 2010, 12:16:44 AM by mary »

Offline larieu

Re: restrict access to mediawiky by IP
« Reply #6 on: July 11, 2010, 06:02:29 AM »
Yes, it is in gateway mode, SME8b5 with the WAN side to the ISP and the LAN side to local computers

in this config everybody from the internet will have access to the wiki page!!!  - which is not my intention
if I put public on "PublicAccess" the AllowHosts is nonsense - maybe the DenyHosts, if it works, and I'll set something like 0.0.0.0-firstIP-1,firstIP+1-secondIP-1,....

if I set it to public without AllowHosts I can access it from ANY IP

if I put Public and I set DenyHosts it seems that it doesn't take the DenyHosts into consideration


Offline janet

Re: restrict access to mediawiky by IP
« Reply #7 on: July 11, 2010, 09:40:08 AM »
larieu

I do not use mediawiki, but does it have a setting where you enable access by user login only?
That way it can be web enabled but content is only accessible by valid users.
Maybe this
http://www.mediawiki.org/wiki/Manual:User_rights_management

or this
http://forums.contribs.org/index.php/topic,42021.msg197043.html#msg197043

or
the remote users could establish a VPN connection to the SME server and then they access the site as local users.


Otherwise:
I tried and it seems you cannot block access to web apps using those commands.

Is your web server on that SME server providing publicly accessible web pages ?
If not, then you can block httpd-e-smith access and only allow access from those remote hosts' IPs

config setprop httpd-e-smith AllowHosts IP1,IP2,IP3
signal-event remoteaccess-update
« Last Edit: July 11, 2010, 10:04:12 AM by mary »

Offline larieu

Re: restrict access to mediawiky by IP
« Reply #8 on: July 11, 2010, 10:18:58 AM »
Yes, I have /webmail and another ibay

this is not the option

I found one "bug" way (some backdoor) by manually adding those IPs to local networks directly with the db command

something like

db network set IP network Mask 255.255.255.255 Router FunnyGW
signal-event remoteaccess-update

where FunnyGW is one IP from a 192.168.x.0 class which I found does not produce any problem from the ISP side and is not in my range of interest (I don't use it, and an mtr to that class on the ISP side produces "one dead end")

I found this way because during the initial phases this server was used as "Server Only" and I set some "local" classes with the gateway from the admin web interface
after that testing phase I changed the server settings from the "console"
and those IPs remained in local addresses

to be more explicit

initially I had made all the tests for this router in the local IP class 192.168.33.0/24 - server-only config with default GW 192.168.33.254 and the only IP of the server as 192.168.33.253
my router at that time had IP 192.168.32.254 (/24) and one alias on the same interface 192.168.33.254/24

and to get full access from 192.168.32.x IPs I was forced to add it into "local"

after using that "console" feature to set it as "server and GW" that "local" remained
now the server has something like 192.168.66.254/24 on LAN
and in local I can see 192.168.32.x gw 192.168.33.254

this "workaround" is not "straight" but it gives me the result which I need
and I don't think it will cause any trouble as long as my ISP does not use that IP class in his network

« Last Edit: July 11, 2010, 10:25:31 AM by larieu »

Offline mmccarn

Re: restrict access to mediawiky by IP
« Reply #9 on: July 11, 2010, 04:05:07 PM »
Larieu -

Like Mary, I don't use the mediawiki contrib extensively.

However, there are a couple basic SME issues you should consider:

Local Networks
Adding your remote systems as local networks allows wide access to your SME server from those systems, potentially including access that will expose usernames and passwords to intermediate networks (e.g. FTP, authenticated SMTP without SSL encryption).

Be sure to consider all such services carefully for potential security issues if you choose to leave the remote systems defined as local networks.

restricted access to https
Defining "mediawiki" as a service, then restricting remote IP addresses, doesn't give the SME server enough data to correctly customize the firewall.

iptables restricts traffic based on source ip, destination ip, source port, destination port and protocol. SME creates the iptables startup script (/etc/rc.d/init.d/masq) by creating rules for each service that includes a TCPPort or UDPPort setting.  The results are undefined if you create two services with the same TCPPort settings.

Since https access to /webmail, mediawiki, and any other ibays all use port 443 by default, you cannot have differing firewall rules for these different URLs.

If you want to restrict all remote access to all https services, you need to set AllowHosts for the existing service with TCPPort=443 - the "modSSL" service:
Code:
config setprop modSSL AllowHosts a.b.c.d,w.x.y.z
signal-event remoteaccess-update

If you only want to restrict access to mediawiki but not to all other https services, one of the following solutions might work:
* Move mediawiki to a new virtual host that uses a different port number (4443, for example) by customizing /etc/httpd/conf/httpd.conf (sadly, I don't know what would be required for this), add that port to the service definition for mediawiki using config setprop mediawiki TCPPort 4443, then restrict access to that new port using config setprop mediawiki AllowHosts a.b.c.d,w.x.y.z
* Locate and install a mediawiki module that can be used to restrict access by IP address

Offline larieu

Re: restrict access to mediawiky by IP
« Reply #10 on: July 11, 2010, 04:45:27 PM »
Thanks for your considerations

Local networks
Yes, I understand that and I know the implications - fortunately all remote sites are in my hands and all of them reach me only through my ISP, where I have a contract to be "protected" .... you know, that kind for business
for the moment it's "quite" good

Restrict access to https
is not an option (at least for this moment)

workarounds
first
- I will take it into consideration and look at the implications (and what work this will imply)
second
- that was the main purpose of this thread; but until now no good direction here :(
- I remember that several months ago (maybe one year) I read on the net about an extension to limit access by IP directly in the wiki; but unfortunately I'm not able to find that link again ;(




Offline mmccarn

Re: restrict access to mediawiky by IP
« Reply #11 on: July 11, 2010, 08:40:01 PM »
Well, I feel a bit stupid.  It is definitely possible to restrict access to a web address by remote IP - but it's done in the apache httpd.conf file, not in the firewall configuration.

You just need to customize the "Allow from..." directive in the httpd.conf declaration for mediawiki.  The masq/iptables/firewall link provided earlier was a bit confusing, since nothing you do with those commands will affect anything since the mediawiki service doesn't have a defined TCPPort.

Also, from looking at the mediawiki template fragment, the only option supported is to use "allow from $localAccess" if the db variable "PublicAccess" is set to "local" or if it does not exist.  None of the other db variables mentioned in the firewall section have any effect on the output - they don't affect httpd.conf because they are not referenced in 95mediawiki, and they don't affect the firewall because there's no port number set.

Once I realized this, it becomes much simpler to do what you are trying to do.

First, create a custom template fragment that overrides the fragment installed by the mediawiki contrib:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/95mediawiki /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95mediawiki

Then, customize the "Allow from" output from line 26 of your new custom template fragment.

Current contents:
    $OUT .= "  allow from $localAccess";

Recommended contents:
    $OUT .= " allow from 127.0.0.1 192.168.33.0/255.255.255.0 192.168.32.0/255.255.255.0";
or
    $OUT .= "  allow from $localAccess 192.168.32.0/255.255.255.0";

Notes:
  • allow from ... is set to all unless PublicAccess is set to local
  • $localAccess is set in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/01localAccessString to include all defined local networks.  My first recommendation above ignores your local networks definitions, while the second recommendation would be redundant unless you remove the remote systems from your local network definitions.
  • Use the correct local network and remote host values for your situation
  • Separate each entry with a space
  • Find the current settings for your system using
    • grep "allow from" /etc/httpd/conf/httpd.conf
    or
    • less -p mediawiki -S /etc/httpd/conf/httpd.conf
  • a typo in these modifications may prevent the "httpd-e-smith" service from starting successfully.  Symptoms would be that server-manager would still work, but all other web addresses would not.  Errors would show up in either /var/log/httpd/error_log or /var/log/messages
  • Un-do these mods if they don't work as expected using
Code:
rm -f /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95mediawiki
signal-event remoteaccess-update


Offline larieu

Re: restrict access to mediawiky by IP
« Reply #12 on: July 14, 2010, 10:54:56 AM »
mmccarn
Thanks for this "tutorial"
I'll try to see what happens in my next spare time

it seems that it is exactly what I need
I'll post the result here


Offline larieu

Re: restrict access to mediawiky by IP
« Reply #13 on: August 31, 2010, 04:11:32 PM »
Last weekend I had a little bit of time to test what mmccarn described
it works like a charm

Now I wonder if it is possible to make a "system variable" like $specialListWiki and edit it separately
and here to have only

 $OUT .= "  allow from $localAccess $specialListWiki";

this would, in my mind, be easy to extend to any other ibay....
any suggestion will help

thanks
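Added example, not code from the thread or from the mediawiki contrib: one way to get the separately editable address list asked about in Reply #13, as the "allow from" part of the custom 95mediawiki fragment from Reply #11. It assumes a hypothetical db property WikiAllowHosts on the mediawiki record, and relies on $localAccess being set by 01localAccessString as described above.

```perl
{
    # Added example; not the mediawiki contrib's own 95mediawiki fragment.
    # Replaces only the "allow from" line of the copied custom fragment in
    # /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95mediawiki.
    #
    # Sources of the address list:
    #   $localAccess               set by 01localAccessString (all local networks)
    #   $mediawiki{WikiAllowHosts} hypothetical db property on the mediawiki
    #                              record, comma separated, e.g.
    #                              203.0.113.10,198.51.100.0/255.255.255.0
    #
    # Every extra entry must look like an IPv4 address, optionally followed by
    # a prefix length or a dotted mask; anything else is dropped, so a typo
    # made with config setprop cannot produce an httpd.conf that stops
    # httpd-e-smith from starting.
    my $public = $mediawiki{PublicAccess} || 'local';

    if ($public eq 'local')
    {
        my $ipv4  = qr/\d{1,3}(?:\.\d{1,3}){3}/;
        my @extra = grep { m{^$ipv4(?:/(?:\d{1,2}|$ipv4))?$} }
                    split /[\s,]+/, ($mediawiki{WikiAllowHosts} || '');

        $OUT .= "  allow from $localAccess";
        $OUT .= " @extra" if @extra;
    }
    else
    {
        # Same behaviour the contrib's fragment has for any other PublicAccess value
        $OUT .= "  allow from all";
    }
}
```

Set the list with config setprop mediawiki WikiAllowHosts 203.0.113.10,198.51.100.0/255.255.255.0 (constructed sample values) and run signal-event remoteaccess-update, then confirm the result with grep "allow from" /etc/httpd/conf/httpd.conf.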