Ability to Disable IP Whitelisting #24
Comments
I think it's definitely an option that we are open to, providing that the setting is enabled by default and perhaps displays a short warning if disabled.
@bdukes, a workaround could be to connect to your servers using VSTS, and then run the commands on the webservers themselves.
Would we want that to be a setting on the API user, rather than on the module itself? @Sniels that's a good idea, I should be able to use that workaround in the meantime.
For me personally, I'm mostly interested in the API for automation.
@bdukes I think it would be great to have the flexibility to disable the IP Whitelist globally as well as being able to exclude particular API Users from it. @Sniels Currently PolyDeploy is designed to only be accessible to host users, regardless of the permissions which are applied to the module on the page. This is intentional as it helps to ensure that PolyDeploy is secure by default.
A module that can install extensions must only be accessible to host users. However, I don't know that the IP whitelist to access the GUI interface is enough of a security benefit that it's worth the hassle. If a hacker can authenticate as a host user, it's trivial for them to add themselves to the IP whitelist, or just install via the standard interface. In my opinion, the IP whitelist is only useful for API access.
FYI, I'm 99% of the way through implementing a Bypass IP Whitelist option for API users, just need to finish testing (hopefully today).
@bdukes I agree, once an attacker has access to a host account within DNN it's game over as far as what PolyDeploy would allow them to do versus what they can do through DNN's UI. I'll raise the discussion to see if we can just apply IP Whitelisting for API users.
@can-anierzad & @StevenFisherCantarus Any additional thoughts on removing the whitelist? I'm attempting to use Version 0.7.0 and cannot even get the module to function. I've added the IP, but I'm guessing it is something about Azure and how it works that might be causing issues, as I'm not able to use it.
@mitchelsellers it's possible what you're experiencing is a bug where the action filter for whitelisting fails to determine the request originated on the local machine. Aside from that, you can check PolyDeploy's own EventLog table and it'll tell you what IP address is failing the whitelist check. That should allow you to get it up and running. I think that being able to enable/disable the whitelist globally is a worthwhile addition, but the issue mentioned above needs to be fixed as well.
@can-anierzad It appears that it is due to the IP appearing to have a port on it... but that port changes.
I created #36 to properly document my concern |
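The failure reported above, where the client address reaches the whitelist check with a changing port appended, is avoided by reducing the address to a bare IP before comparing. This is an added example, not PolyDeploy's code and not posted by anyone in this thread; the function names, the `WHITELIST` entries and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample whitelist (documentation address ranges, not real hosts).
WHITELIST = ["203.0.113.10", "2001:db8::5"]

def normalize_client_ip(raw):
    """Return an ipaddress object for 'ip', 'ipv4:port' or '[ipv6]:port'.

    Returns None when the value cannot be parsed, so the caller can fail closed.
    """
    raw = raw.strip()
    if raw.startswith("["):                       # "[ipv6]" or "[ipv6]:port"
        host, closing, rest = raw[1:].partition("]")
        port_ok = rest == "" or (rest.startswith(":") and rest[1:].isdigit())
        if not closing or not port_ok:
            return None
    elif raw.count(":") == 1:                     # "ipv4:port"
        host, _, port = raw.partition(":")
        if not port.isdigit():
            return None
    else:                                         # bare IPv4 or bare IPv6
        host = raw
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d;
    # unwrap it so it matches the IPv4 whitelist entry.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def is_whitelisted(raw, whitelist):
    """Compare the normalized client address against exact whitelist entries."""
    ip = normalize_client_ip(raw)
    if ip is None:
        return False                              # unparseable input is rejected
    return any(ip == ipaddress.ip_address(entry) for entry in whitelist)

if __name__ == "__main__":
    # Constructed inputs: the same client seen with two different source ports.
    for seen in ["203.0.113.10:51234", "203.0.113.10:49876",
                 "[2001:db8::5]:443", "198.51.100.7:51234"]:
        print(seen, "->", is_whitelisted(seen, WHITELIST))
```

Comparing parsed address objects rather than strings also means a whitelist entry and a request address that differ only in textual form (for example IPv6 zero compression) still match.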
@bdukes am I right in thinking that you raised an MR that resolves this issue? Just wondering if I can close. |
#31 resolves the issue for API users, but I haven't submitted a PR to turn off IP whitelisting for the module UI. |
I would like to create a task for VSTS to use their CI/CD pipeline to deploy to different environments. However, because tasks are run from a pool of build agents in the cloud, I don't have a reliable IP address to whitelist (it is possible to get a list of public IP addresses used by VSTS, but it's a pretty long list and can change on a weekly basis).
So, for this scenario, it would be nice to be able to disable the IP whitelist for the deploy client. Is this an option y'all are open to?