Securing the User Interface
Purpose: To provide an additional security layer to the existing password protection – especially crucial to production environments.
Note:
This solution does not replace the appropriate firewall precautions you should take to deny access to the User Interface from certain IP addresses.
By default, access to the User Interface is password protected. If you want to secure access to the User Interface, you can do so by setting an IP address-based access control list on the Web server running the User Interface.
After following this procedure, users that try to access the User Interface from not-allowed (unauthorized) IP addresses are not able to access the User Interface.
Linux
The administration Interface runs on a dedicated lighttpd Web server. To secure access to the User Interface, edit your lighttpd configuration file in one of the following ways:
-
To only allow access from localhost, replace your lighttpd.conf with the pre-configured file called lighttpd.conf-localonly that is in the same directory.
-
To limit access to specific IP addresses, open your lighttpd.conf and add the IP addresses as follows:
$HTTP["remoteip"] !~ "10.1.2.163|10.1.6.46|127.0.0.1" { $HTTP["url"] =~ "^/ZendServer/" { url.access-deny = ( "" ) } }
This example shows how to allow access from 10.1.2.163, 10.1.6.46 and localhost and deny the rest.
You can also do:
$HTTP["remoteip"] !~ "10.1.2.163|10.1.6.*|127.0.0.1" { $HTTP["url"] =~ "^/ZendServer/" { url.access-deny = ( "" ) } }
This means that you allow access from 10.1.2.163, 10.1.6.46, 127.0.0.1 (localhost) and hosts from 10.1.6.0 and deny the rest.
-
After applying the changes to your configurations, restart the lighttpd server with the command:
# <install_path>/bin/lighttpd.sh restart
or alternatively:
# <install_path>/bin/zendctl.sh restart-lighttpd
Tip:
For additional resources and information on Lighttpd, see https://calomel.org/lighttpd.html .
Windows
There are a few precautions you can take in order to secure your connection:
-
Be secured using SSL connection - a certificate is needed by 3rd party vendors to enable encryption between client and server.
All IIS versions (5,6,7) use this surf-safe mode. -
Use https connection which enables encryption.
-
Configure your Username and Password using 7-12 alpha-numeric numerals. Set your Password immediately after first-time installation.
-
Protect your connection using Anti-Virus.
-
Windows users should update their Microsoft Installation packs with the provided updates to avoid back-doors and loop-holes.
To limit IP access:
-
Enter your Web server's configuration and define the IP addresses that should be enabled.
Apache users should refer to the Apache documentation - http://httpd.apache.org/docs/2.2/howto/access.html - Access control by host
For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
IBMi
To limit IP access:
-
Refer to the Apache documentation http://httpd.apache.org/docs/2.2/howto/access.html