How to manage IP security in the Developer Portal
The Developer Portal offers the ability to perform various IP address security measures, such as adding and removing specific IP addresses from the banned IP address list, automatically banning client IP addresses by using the Drupal Perimeter Defence module, or managing login security by using flood control.
Enable and disable IP security
The ability to enable or disable IP security related actions can be controlled at the Portal service level by using the Developer Portal CLI command ip-security-enabled. When IP security is enabled, modules such as the Drupal Perimeter Defence module, or flood control, will block client IP addresses suspected of malicious behavior, as expected. When IP security is disabled, all IP related security is switched off. For example, the perimeter module won't block client IP addresses when IP security is disabled. You might want to turn off IP security if you are performing penetration tests, or if you cannot pass through the client IP address from your external load balancer. For more information, see Using the ip-security-enabled command.
Correctly passing through client IP addresses
To correctly use modules that rely on client IP banning, such as the Drupal Perimeter Defence module, you must ensure that any external load balancer that fronts the Portal cluster passes through the client IP address. This can be achieved by passing the client IP address through in an 'x-forwarded-for' header, or by making use of the proxy protocol (provided both the load balancer and the ingress controller are compatible with the proxy protocol, and have the protocol enabled). Failure to correctly pass through the client IP address results in the load balancer IP address being blocked when a client attempts to send a suspicious request to the portal.
Add the send-proxy directive to the end of the Portal server declarations in the HAProxy configuration file, for example:

    server portal0 portal_host:port check send-proxy

You must restart HAProxy for the change to take effect. Note that if your load balancer IP address has already been blocked, you will need to remove the blocked IP address from the banned list by using the security command in the Developer Portal CLI, see Using the security command.
'x-forwarded-for' headers.
For instance, the default behavior of the nginx-ingress-controller is to ignore the inbound 'x-forwarded-for' header and construct a new one. To configure the nginx-ingress-controller to pass through the inbound 'x-forwarded-for' header you need to add the following to the nginx-ingress-controller config map:

    data:
      compute-full-forwarded-for: "true"
      use-forwarded-headers: "true"

For more information about the Drupal Perimeter Defence module, see Drupal Perimeter Defense module.
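The failure described above, where the load balancer address is banned instead of the client, shown as an added example that is not part of the original page or the Developer Portal's own code. It models a generic trusted-proxy resolution of the 'x-forwarded-for' header (an assumption about how an IP-banning module picks its key), and all addresses and the trusted range are constructed.

```python
import ipaddress
from collections import Counter

# Constructed addresses: 10.0.0.5 = external load balancer, 10.0.0.9 = ingress
# controller, 203.0.113.x = clients. None of these come from the page.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Pick the address an IP-banning module would key on (assumed logic)."""
    if not is_trusted(peer_ip):
        return peer_ip  # direct peer is not a known proxy: ignore the header
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):  # nearest proxy first
        try:
            if not is_trusted(hop):
                return hop  # first address not owned by our own proxies
        except ValueError:
            return peer_ip  # malformed entry: stop trusting the chain
    # Every hop is one of our proxies: the leftmost one is all we know.
    return hops[0] if hops else peer_ip


def ban_keys(requests):
    """Count suspicious requests per resolved address."""
    return Counter(resolve_client_ip(peer, xff) for peer, xff in requests)


# (peer seen by the Portal, x-forwarded-for header seen by the Portal)
PASSED_THROUGH = [
    ("10.0.0.9", "203.0.113.7, 10.0.0.5"),
    ("10.0.0.9", "203.0.113.8, 10.0.0.5"),
]
# Ingress discarded the inbound header and built a new one from its own peer.
REBUILT_BY_INGRESS = [
    ("10.0.0.9", "10.0.0.5"),
    ("10.0.0.9", "10.0.0.5"),
]

if __name__ == "__main__":
    print("passed through:", dict(ban_keys(PASSED_THROUGH)))
    print("rebuilt:       ", dict(ban_keys(REBUILT_BY_INGRESS)))
```

With the header passed through, each client gets its own ban key; with the header rebuilt, both clients collapse onto the load balancer address, so one ban affects every user behind it.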
Managing banned IP addresses
You can manage banned IP addresses for a particular site by using the administrator dashboard for a particular Developer Portal site. For more information, see Managing banned IP addresses.