Securing Services via IP Filters

enaio® 10.10

You can configure which incoming IP addresses are allowed to access the services by specifying IP filters in the service configuration. The default setting allows access to all services from all IP addresses: trusted.ipPattern: .*

You can create a configuration for individual services, and a configuration for all services for which no separate configuration has been created.

You can also configure which incoming IP addresses are allowed to access the active management endpoints. The default setting permits access by all IP addresses: management.trusted.ipPattern: .*

For management endpoints, too, you can create a configuration for individual services and a configuration for all services for which no separate configuration has been created.

IP Filters for Services

You can configure IP filters for all services via the file ...\services\service-manager\config\application-prod.yml.

You can configure IP filters for individual services via the respective file ...\services\service-manager\config\<service>-prod.yml. These have priority over configurations in application-prod.yml. The configuration is done in the same way via the trusted.ipPattern parameter.

Proceed as follows to configure a filter for access to services.

  1. Open the file …\services\service-manager\config\application-prod.yml.
     For individual services, open the respective file <service>-prod.yml.
  2. Assign the desired IP addresses to the parameter trusted.ipPattern.
  3. Save the configuration and restart enaio® service-manager.
     For individual services, it may be necessary to restart the configured service.

For a list of IP addresses, each address must always be placed in brackets '( )'. Addresses are separated by the pipe character '|'.

Dots in IP addresses should be preceded by the escape character '\' because the value is a regular expression, in which an unescaped dot matches any character. No escape character is required before the colons in IPv6 addresses.

Examples

Permitted access         Sample configuration
By all IP addresses      .*
By specified addresses   (10\.10\.10\.10)|(10\.10\.10\.11)| ... (10\.10\.10\.1x)
By address ranges        (10\.10\..*)|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})|(172\.(1[6-9]|2[0-9]|3[0-2])\.[0-9]{1,3}\.[0-9]{1,3})

Note that a numeric range such as 16 to 32 cannot be written as a character class ('[16-32]' is not a valid regular expression); it has to be spelled out as an alternation, as in the last example.

If IP filters are configured for all services, then the following addresses must be allowed:

  • 127.0.0.1 and 0:0:0:0:0:0:0:1 (local host representation in IPv4 and IPv6)

    The microservices are installed with the IP address '127.0.0.1'. This address must be allowed so that the services can reach each other. If IP addresses have been changed in the configuration files of microservices, then those addresses must also be allowed.

  • Addresses of all microservice installations
  • Addresses of all services

    enaio® gateway, enaio® appconnector, and the viewing services

  • Addresses of all enaio® servers
  • Address of Elasticsearch
  • Address of ABBYY FineReader
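Before restarting service-manager with a new trusted.ipPattern, it is worth checking the pattern offline: that it compiles at all, that the addresses the list above requires still pass, and that escaping mistakes do not admit more than intended. The following script is an added example, not part of the enaio® documentation or product; it uses Python's re module as a stand-in for the service's regex engine and assumes the filter compares the whole address against the pattern (fullmatch). The sample pattern and addresses are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample trusted.ipPattern, written the way the examples above
# show it: each alternative in brackets, joined by '|', dots escaped.
# The 172 alternative spells out 16..32 as an alternation, because a
# character class like "[16-32]" is not a numeric range.
RANGES_PATTERN = (
    r"(10\.10\..*)"
    r"|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})"
    r"|(172\.(1[6-9]|2[0-9]|3[0-2])\.[0-9]{1,3}\.[0-9]{1,3})"
)

# Addresses that must always be allowed when filters apply to all services.
REQUIRED_LOCAL = ["127.0.0.1", "0:0:0:0:0:0:0:1"]


def validation_error(pattern: str) -> Optional[str]:
    """Return None if the pattern compiles, else the regex engine's error message."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def is_trusted(pattern: str, address: str) -> bool:
    """Decide whether an address passes the filter.

    Assumption: the filter matches the whole address string (fullmatch),
    so a pattern cannot match merely a substring of the address.
    """
    return re.fullmatch(pattern, address) is not None


def audit(pattern: str, must_allow: Iterable[str], must_deny: Iterable[str]) -> Dict[str, List[str]]:
    """List addresses whose filter result contradicts the expectation."""
    return {
        "wrongly_denied": [a for a in must_allow if not is_trusted(pattern, a)],
        "wrongly_allowed": [a for a in must_deny if is_trusted(pattern, a)],
    }


if __name__ == "__main__":
    # A numeric range typed as a character class does not even compile.
    print(validation_error(r"(172\.[16-32]\.[0-9]{1,3}\.[0-9]{1,3})"))
    # A range-only pattern silently drops the loopback addresses the services need.
    print(audit(RANGES_PATTERN, REQUIRED_LOCAL, ["11.0.0.1", "172.15.0.1"]))
    # Leaving the third dot unescaped in "10\.10.*" also admits 10.100.x.x.
    print(is_trusted(r"(10\.10.*)", "10.100.5.5"), is_trusted(r"(10\.10\..*)", "10.100.5.5"))
```

Run the audit with the addresses of your own service-manager, gateway, appconnector, viewing services, enaio® servers, Elasticsearch and ABBYY FineReader installations in must_allow; anything reported as wrongly denied will break after the restart.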

Management Endpoints

Active Management Endpoints

Default management endpoints are activated for each service and access to these is permitted from all IP addresses.

For technical and security reasons, different management endpoints are activated for different services. You can see which management endpoints are activated for each service in the environment configuration of enaio® service-manager.

IP Filter for Management Endpoints

You can configure access to the active management endpoints of all services via the file ...\services\service-manager\config\application-prod.yml.

You can configure access to the active management endpoints for individual services via the respective file ...\services\service-manager\config\<service>-prod.yml. These have priority over configurations in application-prod.yml.

Assign the desired IP addresses to the parameter management.trusted.ipPattern.

If management filters are configured, then the address of enaio® service-manager must be allowed.

Access to the management endpoints is only allowed if access to the services is also allowed.