Monday, June 19, 2017

Restricting Access at in Varnish Server Wide to Admin Areas

There are lots of ways to implement access controls and additional security on your hosting. I recently implemented a very restrictive but easy to manage implementation for our FreeBSD server that runs everything through Varnish. I could have placed this restriction in Apache via .HTACCESS files or global rules but placing them in Varnish they execute earlier and have less server overhead and ensure there are no caching related flaws.



To set this up I added the following to the top of my /usr/local/etc/varnish.vcl file.
# Whitelist of IP Address's or Ranges that are allowd to access restricted administration pages.
acl admin {
    "127.0.0.1";
    "localhost";
    "10.1.0.0"/16; # Local Network Class B
    "192.168.1.0"/16; # Local Network Class C
    "1.1.1.1"; # Sample
    # INSERT IPS #
}

Next inside the vcl_recv sub, or add one if needed include this before other rules. The bold text is doing URL matching to determine what scripts or directories to require approval for.  This could also be applied to specific domains but in this case it is server wide.
# Optional feature to only allow access to matched pages if client is on a whitelist.
    if (req.url ~ "^/wp-(login|admin|cron|json)" && client.ip !~ admin) {
        # Whitelist for all admin pages
        return (synth(403, "IP address not authorized, please request access from AdminEmail" ));
    }

Now you can reload varnish and do some testing by adding and removing your local network or IP and ensure its working. You can stop here but this isn't very convenient to manage or update form offsite.
sudo service varnishd reload

Add a custom script to grant access to IP's.

We have a custom script hidden our our server that it not indexed or published anywhere that our administrator can use to add new addressed on the fly. It asks for a name, location, and IP Address and will update the varnish.vcl file and reload the configuration when submitted.

<html>
<head>
<title>Company Name - System Access</title>
<meta name="robots" content="noindex, nofollow">
<style>
body {
max-width: 600px;
margin: 2em auto;
}
label {
width: 70%;
display: inline-block;
padding-right: 1em;
box-sizing: border-box;
}
input[type="text"], input[type=checkbox], button {
width: 28%;
vertical-align: top;
}
small {
display: block;
}
form {
margin: 2em 1em;
}
</style>
</head>
<body>
<?php
if (isset($_POST['submit'])) {
if(!isset($_POST['name']) || !isset($_POST['ipaddress'])) die("An internal error occured.");
$name = trim($_POST['name']);
$ipaddress = trim($_POST['ipaddress']);
$permanent = $_POST['permanent'] == '1';
$end = date('Y-m-d', strtotime(date('Y-m-d') . '+ 3 days'));
if($name == '') die("A name is required.");
if($ipaddress == '') die("An IP Address is required.");
if(preg_match('/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/', $ipaddress) == 0) die("The IP Address was not valid.");
$code = " \"$ipaddress\"; # $name";
if(!$permanent)
$code .= " through $end";
exec("sed -r $'s/( # INSERT IPS #)/$code\\\\\\n\\\\1/' /usr/local/etc/varnish.vcl > varnish.vcl");
exec("cat varnish.vcl > /usr/local/etc/varnish.vcl");
exec("rm varnish.vcl");
echo "<h4>Record Added</h4><pre>$code</pre>";
exec("/usr/local/bin/sudo /usr/local/bin/varnish-reload");
}
?>
<h1>Request access to Company Name systems below.</h1>
<p>Plelase do not share this URL with untrusted parties. This form is only needed for web access to manage websites hosted by Company Name.</p>
<p>Please fill out this form to request acess from your device or network to the Company Name website adminitration areas. You will still need accounts for the applicable websites to manage them.</p>
<form method="POST">
<p>
<label>Your Name and/or the Location Name: <small>Please enter a clear name, office, location, or other identifier here such as <em>Jon Doe Home</em> or <em>Company Name - South Bend Office</em>.</small></label>
<input type="text" name="name" required />
</p>
<p>
<label>IP Address: <small>Enter your public IP Address here. To find this go <a href="https://www.google.com/search?q=whatmyip" target="_blank">here</a>, copy the <em>public IP address</em>, and paste it in the box.</small></label>
<input type="text" name="ipaddress" pattern="^([0-9]{1,3}\.){3}[0-9]{1,3}$" required />
</p>
<p>
<label>Permanent Access: <small>Select this option to permanently allow this location. If you are in a hotel or other public location leave this off and this address will only be allowed for a few days.</small></label>
<input type="checkbox" name="permanent" value="1" />
</p>
<p>
<label>&nbsp;</label>
<button type="submit" name="submit">Submit</button>
</p>
</form>
</body>
</html>
view raw secret-filename.php hosted with ❤ by GitHub
You can post this script to a secret location on the web server.  You may want to add a password to it for extra security and don't link to it anywhere. You will also need to run the following commands.

// Make writable by www user.
sudo chmod g+w /usr/local/etc/varnish.vcl
sudo chgrp www /usr/local/etc/varnish.vcl
// Add custom script to reload varnish.
echo "#!/usr/local/bin/bash
service varnishd reload" > ~/varnish-reload
// Move script and make it executable
sudo cp ~/varnish-reload /usr/local/bin/varnish-reload
rm ~/varnish-reload
sudo chmod +x /usr/local/bin/varnish-reload
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Project Licenses


Creative Commons License
These works by Jeremy Pyne are licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License