Closed euanmillar closed 1 year ago
Hi @euanmillar, sorry it looks like this is possible currently. It only allows exact IP addresses. Maybe this is something you could solve through the reverse proxy. Are you still using Traefik in front of the OpenHIM? Else a firewall like ufw on the host machines would also work. It might help to restrict the channel regex as well, so it isn't a catch-all, rather making it accept a more specific pattern.
Hi @rcrichton thanks for getting back to me. :)
To answer your question, I am still using Traefik in front of the OpenHIM and it exposes "openhim-api" and "openhim". I will do some research to see how I could configure Traefik to only listen to "openhim-api" internally, however that would restrict interoperability to legitimate external clients I guess.
Perhaps ufw may be the way to go.
I used this Traefik middleware to whitelist the endpoint in case you are interested: https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/
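An added example of the approach in this comment (not configuration from this issue or from the OpenHIM/Traefik projects): a Traefik v2 dynamic configuration (file provider) that attaches the ipWhiteList middleware to the router in front of the OpenHIM API so only Swarm-internal 10.0.0.0/8 sources reach it, while the channel router is narrowed to a specific path instead of a catch-all. Hostnames, router and service names, and the OpenHIM ports (8080 API, 5001 HTTP channels) are assumptions for the example.

```yaml
# Added example: Traefik v2 dynamic config (file provider); names and hosts are assumed.
http:
  middlewares:
    swarm-only:
      ipWhiteList:
        # Overlay networks in this deployment use 10.x.x.x addresses; tighten to the
        # exact overlay subnet (e.g. 10.0.1.0/24) if you know it.
        sourceRange:
          - "10.0.0.0/8"

  routers:
    openhim-api:
      # OpenHIM admin/REST API: reachable only from the allow-listed sources
      rule: "Host(`openhim-api.example.org`)"
      entryPoints: ["websecure"]
      middlewares: ["swarm-only"]
      service: openhim-api
      tls: {}

    openhim-channels:
      # Public channel endpoint: match a specific path instead of a catch-all
      rule: "Host(`openhim.example.org`) && PathPrefix(`/fhir`)"
      entryPoints: ["websecure"]
      service: openhim-channels
      tls: {}

  services:
    openhim-api:
      loadBalancer:
        servers:
          - url: "http://openhim-core:8080"   # assumed OpenHIM API port
    openhim-channels:
      loadBalancer:
        servers:
          - url: "http://openhim-core:5001"   # assumed OpenHIM HTTP channel port
```

Note that when Traefik itself is published through the Swarm ingress network, the client address it sees can be the ingress node's address rather than the original source, so verify the remote address Traefik logs before relying on the allow-list. The same middleware can be declared as service labels (`traefik.http.middlewares.swarm-only.ipwhitelist.sourcerange=10.0.0.0/8`) if you use the Docker provider.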
Hi Jembi,
Thanks again for all of your kind support with OpenHIM. I have a question regarding whitelisting.
I currently have a number of public OpenHIM channels and they are getting spammed in production by external applications because the openhim-api is publicly accessible and we have a passthrough channel setup using a catch-all regexp in the route.
I realised I needed to whitelist these channels, but I only have the option for IP or an OpenHIM client:
I am running OpenHIM inside a Docker Swarm, where each Docker service that requires access to OpenHIM is running on an internal IP beginning with `10.*.*.*`.
Can you tell me, is it possible to configure the whitelisted IP input for an OpenHIM Channel to use a Netmask (subnet mask) to cover all possibilities of IPs beginning with 10?
If not, how should I secure the OpenHIM Channel only to other services in the Docker Swarm?
Many thanks,
Euan