
Secure header authentication with IP whitelist #787

Closed
piotrp opened this issue Aug 12, 2021 · 4 comments

Comments

@piotrp
Contributor

piotrp commented Aug 12, 2021

Header authentication was added in #724.

To make it secure in internal networks that aren't fully locked down it should work only when directly connecting client is coming from a whitelisted IP address.

@tchiotludo
Owner

Just a thought, maybe late ;)
You can achieve this with that: https://micronaut-projects.github.io/micronaut-security/latest/guide/#ipPattern
In case you are behind a reverse proxy, you never want the instance to be available to any IP other than the load balancer.

@piotrp
Contributor Author

piotrp commented Aug 12, 2021

Then this will boil down to properly documenting that this option is available. I will try to integrate this into my environment and see how it works.

@tchiotludo
Owner

@piotrp thanks for trying ;)

@piotrp
Contributor Author

piotrp commented Aug 15, 2021

I will add custom ip-pattern property anyway, with implementation based on Micronaut's - thanks for the link. The use case I want to cover is a setup with two access routes to AKHQ:

  1. Official via proxy, with header authentication (currently it uses LDAP). But in this case header authentication should be trusted only when coming from proxy's IP pool.
  2. Direct access with a few predefined accounts (basic auth), used for emergencies when corporate SSO can't be accessed by users.
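The check the thread converges on (trust the identity headers only when the directly connecting peer is in the proxy's IP pool, otherwise fall back to another mechanism) can be sketched in a few lines. The class below is an added illustration, not AKHQ's or Micronaut's code: it matches the TCP peer address against full-match regex patterns in the style of the Micronaut ip-patterns rule linked above, and deliberately ignores `X-Forwarded-For`, which a client can set. The class name, method names, pattern strings and addresses are all constructed for this example.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
 * Added example (not AKHQ's code): decide whether header authentication may be
 * trusted for a request, based solely on the address of the directly connecting
 * peer matched against regex patterns, as Micronaut's ip-patterns rule does.
 */
public final class HeaderAuthIpCheck {

    private final List<Pattern> trustedPeers;

    public HeaderAuthIpCheck(List<String> ipPatterns) {
        // Each entry is a full-match regex, e.g. "10\\.0\\.1\\.\\d{1,3}" for a proxy pool.
        this.trustedPeers = ipPatterns.stream()
                .map(Pattern::compile)
                .collect(Collectors.toList());
    }

    /** True only when the TCP peer address matches one of the trusted patterns. */
    public boolean isTrustedPeer(String remoteAddress) {
        return trustedPeers.stream().anyMatch(p -> p.matcher(remoteAddress).matches());
    }

    /**
     * Returns the user named by the identity header, or null when the header must be
     * ignored: either it is absent, or the direct peer is not in the trusted pool.
     * A null result means the caller falls back to its other mechanism (basic auth
     * for the emergency route described in the issue). X-Forwarded-For is never
     * consulted here because its value is under the client's control.
     */
    public String resolveHeaderUser(String remoteAddress, String userHeaderValue) {
        if (userHeaderValue == null || userHeaderValue.isBlank()) {
            return null;
        }
        return isTrustedPeer(remoteAddress) ? userHeaderValue : null;
    }

    public static void main(String[] args) {
        // Constructed values: a proxy pool 10.0.1.0/24 written as a regex, plus loopback for local tests.
        HeaderAuthIpCheck check = new HeaderAuthIpCheck(
                List.of("10\\.0\\.1\\.\\d{1,3}", "127\\.0\\.0\\.1"));

        System.out.println(check.resolveHeaderUser("10.0.1.42", "alice"));   // alice: peer is in the proxy pool
        System.out.println(check.resolveHeaderUser("192.168.5.7", "alice")); // null: header from an untrusted peer is ignored
        System.out.println(check.resolveHeaderUser("10.0.1.42", ""));        // null: no header, fall back to basic auth
    }
}
```

The important design point is which address is compared: the socket peer address, not anything carried in request headers. With the Micronaut rule from the linked guide the same list of regex patterns is supplied through configuration (`micronaut.security.ip-patterns`), and a request from an address outside the list is rejected outright, which is the "only the load balancer may reach the instance" behaviour tchiotludo describes; the issue's second route instead wants non-proxy peers to still reach the instance but without header trust, which is why the example returns null rather than failing the request.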

piotrp added a commit to piotrp/akhq that referenced this issue Aug 16, 2021
@piotrp piotrp closed this as completed Aug 17, 2021