Draper1
commented
4 years ago Hi @xucito !
In order to achieve this, we'd need to add a deny to the path for /web* to the Nginx config in the reverse proxy.
Here is a sample which can be added into the proxy config in /etc/nginx/sites-enabled/rbk-rproxy.domain.com.conf (Replacing the 1.2.3.4 for any IPs you may want to permit):
location ~ ^/(web) {
allow 1.2.3.4;
deny all;
proxy_pass https://proxy;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}This request will follow the existing location config so the section should look similar to this:
Once updated, restart the nginx service, and then accessing the root URL should provide a 403 error as forbidden, but access to the API endpoints should still be permitted. You can test by hitting https://<proxyip>/docs/v1/playground which should work without error.
xucito
What would you like to be added: Is there a recommended way to stop people from accessing the Rubrik Console via the Rubrik Proxy directly so they will only be able to access Rubrik functionality via vCloud?
Why is this needed: To restrict access to Rubrik Direct Console