
Blocking Portal access from certain IP addresses

Former Member
0 Kudos

Hi,

We are using a portal cluster with an external load balancer. We want all the users to access the portal only through the load balancer and we want to block any direct access to the portal. Is there any configuration in the portal through which we can block access from certain IP addresses, so that we can allow access only for the load balancer IP address?

We are using EP 7.0 SP10.

Helpful answers will be rewarded.

Regards,

Chandra

Accepted Solutions (1)

eddy_declercq
Active Contributor
0 Kudos

Hi,

Isn't it easier to solve this problem DNS wise? Have only one valid DNS : the one from the load balancer.

Eddy

-


Pimp up the S(D)N site and earn points. Check this web log for details

Former Member
0 Kudos

Thanks Eddy for your answer.

Actually we want to block the direct access to portal in any case.

If we just block the access using the DNS approach, in case a user knows the portal host IP address, he can access it by putting an entry in his hosts file. That's why we are looking for some configuration at the portal level to block the request from all the IPs except the load balancer IP.

Regards,

Chandra

achim_hauck2
Active Contributor
0 Kudos

chandrashekhar,

That is normally done by a firewall placed before the portal that only allows connections from the load balancer. The portal (Web Application Server) can't block any IP addresses.

kr, achim

eddy_declercq
Active Contributor
0 Kudos

Hi,

Check what SAP has to say on FWs:

http://help.sap.com/saphelp_nw2004s/helpdata/en/0a/0a2e1bef6211d3a6510000e835363f/frameset.htm

Eddy

-


Pimp up the S(D)N site and earn points. Check this web log for details

Former Member
0 Kudos

Thanks all for your answers...

Actually we don't have a firewall between our intranet (user desktop) and datacenter (server location), and so we are looking for another kind of solution.

Regards,

Chandra

Former Member
0 Kudos

Hi,

You can also look into an option to create a custom login module that will work as an IP filter.

See the following PDF for more info:

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/17be8b32-0a01-0010-51bc-8fe...

Never tried that myself though

Regards,

Mike

Answers (1)

Former Member
0 Kudos

Hi Chan,

You can always try this bypass:

Modify the default startpage for the portal (index.html) and include the following javascript piece of code:

<script type="text/javascript">
// Block IP address script- By JavaScriptKit.com (http://www.javascriptkit.com)
// For this and over 400+ free scripts, visit JavaScript Kit- http://www.javascriptkit.com/
// This notice must stay intact for use.

//Enter list of banned ips, each separated with a comma:
var bannedips=["23.23.23.23", "11.11.11.11"]
// The web server fills in the visitor's address through a server-side include (SSI)
var ip = '<!--#echo var="REMOTE_ADDR"-->'
// Build one regular expression that matches any of the listed addresses
var handleips=bannedips.join("|")
handleips=new RegExp(handleips, "i")
if (ip.search(handleips)!=-1){
    alert("Your IP has been banned from this site. Redirecting...")
    window.location.replace("http://www.google.com")
}
</script>

As soon as a non allowed ipaddress hits your portal you can redirect them to your loadbalancer.

Modify the list of ipaddresses to your needs.

Don't forget to reward good answers

Best regards,

Tom Cockaert.

PS One warning though, I don't think this modification will survive an SP update. So document it before you perform an SP update to your portal or you will have to start all over again.

Message was edited by:

Tom Cockaert

Former Member
0 Kudos

Hi Tom,

Many thanks for this. I could find index.html under location /usr/sap/<SAP_SID>/JC<Instance_Number>/j2ee/cluster/server0/apps/sap.com/irj/servlet_jsp/irj/root. I tried making the change in this file but looks like portal is not using this index.html. I am accessing portal as http://<host_name>:<port>/irj.

Also I have couple of doubts as below.

1. index.html code is like

<html>
<head>
<title>Loading Portal...</title>
</head>
<body onload="location.replace('portal' + document.location.search)">
</script>
</body>
</html>

May I know where to put the script suggested by you? If I put in body, it will never be executed as onload script will be executed first.

2. Will this redirection work before user login or after user login? We want it to work before user login itself.

Thanks,

Chandra

Former Member
0 Kudos

Hi Chan,

First of all you need to locate the correct index.html, which I'm not able to locate myself for now. I found it before, but you know the physical portal folder construction on the server is rather complex to retrieve this in just a few seconds.

1. The part of the body onload is most likely correct. To resolve this you can rename the original index.html file to, for example, index2.html and create a new index.html with the script in it. Then, with a little modification to the JavaScript, redirect to the new URL or bounce the user:

(if the user originates from an unwanted IP address he/she is redirected, else redirect the user to the portal (then use the index2.html file))

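<script type="text/javascript">
//Enter list of banned ips, each separated with a comma:
var bannedips=["23.23.23.23", "11.11.11.11"]
// The web server fills in the visitor's address through a server-side include (SSI)
var ip = '<!--#echo var="REMOTE_ADDR"-->'
// Build one regular expression that matches any of the listed addresses
var handleips=bannedips.join("|")
handleips=new RegExp(handleips, "i")
if (ip.search(handleips)!=-1){
    alert("Your IP has been banned from this site. Redirecting...")
    window.location.replace("http://www.google.com")
}
else
{
    // Not on the list: continue to the portal (the renamed index2.html)
    window.location.replace("INSERT_PORTAL_URL_HERE")
}
</script>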

2. Yes this will work before the user logs in.

Be aware that this is probably not supported by SAP and as I said before with each update / installation SPS it's possible that you lose this modification.

I hope this helps you out.

Br,

Tom.
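
The script above is a deny-list matched by regular expression, while the goal stated in the question is to admit only the load balancer. The following is an added example, not code from the thread or from SAP: it runs the thread's decision and an exact-match allow-list over the same inputs, including the case where the server does not expand the SSI placeholder. The addresses, the ALLOWED list and the function names are constructed for illustration.

```javascript
// Added example, not from the thread. All addresses are constructed samples.
const BANNED = ["23.23.23.23", "11.11.11.11"];       // list used in the thread
const ALLOWED = ["10.0.0.5"];                        // hypothetical load balancer IP
const UNEXPANDED = '<!--#echo var="REMOTE_ADDR"-->'; // what `ip` holds if SSI is off

// The thread's decision: join the list into one regex and search the address.
function threadStyleBanned(ip, bannedIps) {
  const pattern = new RegExp(bannedIps.join("|"), "i");
  return ip.search(pattern) !== -1;
}

// Strict IPv4 parse: exactly four decimal octets in 0-255, nothing else.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(text).trim());
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets.join(".") : null;
}

// Allow-list decision: unparsable or unlisted input is denied (fails closed).
function isAllowed(ip, allowedIps) {
  const addr = parseIPv4(ip);
  return addr !== null && allowedIps.some((a) => parseIPv4(a) === addr);
}

// Run both decisions over the same inputs and return one row per input.
function compare(inputs) {
  return inputs.map((ip) => ({
    ip,
    threadBlocks: threadStyleBanned(ip, BANNED),
    allowListAdmits: isAllowed(ip, ALLOWED),
  }));
}

const rows = compare([
  "23.23.23.23",   // listed address: blocked by the regex, not admitted by the allow-list
  "123.23.23.230", // unlisted, but the unanchored regex matches inside it
  "10.0.0.5",      // the load balancer
  "10.0.0.50",     // near miss: exact comparison rejects it
  UNEXPANDED,      // SSI not processed: the deny-list matches nothing and lets it through
]);
console.table(rows);
```

In the browser either decision is only advisory; the allow-list logic is what a firewall rule or the IP-filtering login module mentioned earlier in the thread would enforce on the server side.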

Former Member
0 Kudos

Hi Chan,

Any luck with your modification?

Thank you for your feedback.

Br,

Tom.