Blocking IP addresses using the Business Space Ajax proxy

The Ajax proxy forwards requests from widgets to your product and target servers, if the servers are remote from the IBM® Business Process Manager server. The Ajax proxy is configured to be closed by default but provides a default policy that allows access to all endpoints. You can configure the Ajax proxy to restrict access to specific IP addresses.

About this task

Important: The Ajax proxy is configured to be closed by default but provides a default policy that allows access to all Business Space endpoints. Follow the steps in Adding proxy policies to the Business Space Ajax proxy to allow access for additional URLs, and follow the steps below to restrict access to specific IP addresses.

If you want to restrict access to specific IP addresses, you can edit the Ajax proxy to filter IP addresses to allow or deny access. You define blacklist or whitelist rules in the proxy-config.xml file.

Procedure

  1. Open the proxy-config.xml file. For information about where to find the Ajax proxy file, see Configuring the Business Space Ajax proxy.
  2. Add filter rules that allow or deny access.

    To define a blacklist rule for a particular IP address or set of addresses, use a proxy:deny element. To define a whitelist rule for a particular IP address or set of addresses, use a proxy:allow element. The filter rules are applied in order, with the last applicable filter rule taking precedence over previous filter rules.

    Add the <proxy:ipfilter> information under the proxy rules of the proxy-config.xml file (after proxy policies and before </proxy-rules>).

    <proxy:ipfilter>
      <proxy:deny>9.6.0.0/255.255.0.0</proxy:deny>
      <proxy:allow>9.6.1.0/255.255.255.0</proxy:allow>
      <proxy:deny>9.6.1.4</proxy:deny>
    </proxy:ipfilter>

    In this example, the IP filter applies the following rules:
    • blocks all 9.6.*.* IP addresses
    • allows 9.6.1.* but blocks the specific IP address 9.6.1.4

    So, in this case, the proxy would not allow access to IP address 9.6.2.5 or 9.6.120.7 and would respond with the following message: BMWPX0018E: The specified target hosts IP-address is prohibited by rule.

    The proxy would allow access to 9.6.1.5 or 9.6.1.120 but would deny access to 9.6.1.4.

    As you add new filter rules, you can combine them in several ways, but the proxy always handles them in order. The last matching rule will always take effect, regardless of any allow and deny rules that come before it.

  3. Complete the Ajax proxy configuration to suit your environment. For information, see Configuring the Business Space Ajax proxy.
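The last-matching-rule-wins evaluation from step 2 can be checked offline before a filter is deployed. The following Python sketch is an added example, not IBM code and not the proxy's implementation. It assumes a placeholder namespace URI and a constructed root element so the fragment parses on its own, uses hypothetical function names, and returns None when no rule matches because this page does not state the behavior for that case.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Placeholder namespace URI so the fragment parses stand-alone (assumption, not IBM's URI).
NS = "urn:example:proxy"

# The filter from step 2, wrapped in a constructed root element.
SAMPLE = f"""<proxy-rules xmlns:proxy="{NS}">
  <proxy:ipfilter>
    <proxy:deny>9.6.0.0/255.255.0.0</proxy:deny>
    <proxy:allow>9.6.1.0/255.255.255.0</proxy:allow>
    <proxy:deny>9.6.1.4</proxy:deny>
  </proxy:ipfilter>
</proxy-rules>"""


def load_rules(xml_text):
    """Return [(action, network), ...] in document order."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in (f"{{{NS}}}allow", f"{{{NS}}}deny"):
            # ip_network accepts address/netmask; a bare address becomes a /32
            rules.append((el.tag.split("}")[1], ipaddress.ip_network(el.text.strip())))
    return rules


def evaluate(rules, target):
    """Return (action, rule) for the last rule that matches target, or (None, None)."""
    addr = ipaddress.ip_address(target)
    verdict = (None, None)
    for action, net in rules:
        if addr in net:
            verdict = (action, str(net))  # a later match overrides an earlier one
    return verdict


def shadowed(rules):
    """Rules that never take effect: a later rule covers the same or a wider range."""
    return [(a, str(n)) for i, (a, n) in enumerate(rules)
            if any(n.version == m.version and n.subnet_of(m) for _, m in rules[i + 1:])]


if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    for ip in ("9.6.2.5", "9.6.120.7", "9.6.1.5", "9.6.1.120", "9.6.1.4"):
        print(ip, *evaluate(rules, ip))
    print("shadowed rules:", shadowed(rules))
```

Running shadowed() after each edit to the filter catches a broad rule that was appended after narrower ones and silently overrides them.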