Reject non-SSL access to individual resources

Hi all,

I'd like to limit access to the Wildfire admin console to SSL only, so I deactivated port 9090 by setting it to "-1" in wildfire.xml. That worked well, in fact a little too well. The presence plugin should be accessible via standard HTTP; there's no need to have SSL enabled for it. How could I restrict the admin GUI to SSL while having the standard HTTP port open at the same time?

Any help is appreciated. Kind regards,

  • Christian

Hi Christian,

Wildfire has very limited (no) support for access control lists, so you need to open both ports.

You could use a firewall to block access to ports 9090 and 9091 and use a reverse proxy like Apache or Squid to terminate SSL and limit access to the admin console path or plugin path, but that's really an ugly solution.

LG
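One way to build the setup LG sketches above, as an added example that is not from this thread or from the Wildfire project: a small shell script that prints the iptables rules (block 9090/9091 on the outside interface, leave loopback alone) and an Apache reverse-proxy configuration in which the plain-HTTP virtual host only passes the presence plugin path through, while the HTTPS virtual host exposes the whole console but only to an admin network. Ports 9090/9091 are Wildfire's defaults; the plugin path /plugins/presence/, the host name jabber.example.org, the interface eth0, the admin network 10.0.0.0/24, the certificate paths and the Apache 2.4 access-control syntax are all assumptions to adapt.

```shell
#!/bin/sh
# Added example, not part of the thread or of Wildfire itself.
# Hides Wildfire's own web ports from the network and puts Apache in
# front of them: the admin console is reachable only over TLS and only
# from the admin network, the presence plugin stays on plain HTTP.
#
# Assumptions (adjust to your setup):
#   - Wildfire listens on 9090 (HTTP) and 9091 (HTTPS) on all interfaces
#   - Apache runs on the same host and reaches Wildfire via 127.0.0.1
#   - the presence plugin is served under /plugins/presence/
#   - Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded
#   - external interface eth0, admin workstations in 10.0.0.0/24

WILDFIRE_HTTP=9090
WILDFIRE_HTTPS=9091
EXT_IF=eth0
ADMIN_NET=10.0.0.0/24
SERVER_NAME=jabber.example.org

# iptables rules: drop outside access to both Wildfire web ports.
# Loopback is accepted first so the proxy on this host still gets through.
firewall_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport $WILDFIRE_HTTP -j DROP
iptables -A INPUT -i $EXT_IF -p tcp --dport $WILDFIRE_HTTPS -j DROP
EOF
}

# Apache virtual hosts: plain HTTP passes through only the plugin path,
# HTTPS passes through the whole console, but only from the admin network.
apache_vhosts() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $SERVER_NAME
    ProxyRequests Off
    ProxyPass        /plugins/presence/ http://127.0.0.1:$WILDFIRE_HTTP/plugins/presence/
    ProxyPassReverse /plugins/presence/ http://127.0.0.1:$WILDFIRE_HTTP/plugins/presence/
    # Deny everything, then re-open the plugin path (the later Location wins).
    <Location />
        Require all denied
    </Location>
    <Location /plugins/presence/>
        Require all granted
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName $SERVER_NAME
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$SERVER_NAME.pem
    SSLCertificateKeyFile /etc/ssl/private/$SERVER_NAME.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:$WILDFIRE_HTTP/
    ProxyPassReverse / http://127.0.0.1:$WILDFIRE_HTTP/
    <Location />
        Require ip $ADMIN_NET
    </Location>
</VirtualHost>
EOF
}

# Usage: ./wildfire-front.sh        -> print rules and config for review
#        ./wildfire-front.sh apply  -> load the rules and write the vhost file
case "${1:-}" in
    apply)
        firewall_rules | sh
        apache_vhosts > /etc/apache2/sites-available/wildfire.conf
        ;;
    *)
        firewall_rules
        echo
        apache_vhosts
        ;;
esac
```

Run it without arguments first and read the output; `apply` needs root and assumes a Debian-style sites-available directory. Keep the loopback ACCEPT ahead of the DROP rules, otherwise Apache loses its path to 127.0.0.1:9090 along with everyone else.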

Thanks, although it's too bad that Wildfire doesn't offer this feature (yet). A rather simple solution could be to set different network interfaces for the HTTP and the XMPP daemons. That way I could restrict HTTP to IP 127.0.0.1 and disable SSL altogether, and use Apache as a reverse proxy, ensuring SSL for the locations that I define.

However, if I try it this way now, I'd disable all communications, not only HTTP, by restricting the server to 127.0.0.1, right? Regards,

Christian

Hi Christian,

On Linux you may use iptables/PREROUTING to forward the request from eth0 to lo.

You could also use a connection manager and bind it to your public IP address, and bind Wildfire to your internal one or to localhost. This works fine for XMPP. For HTTP/HTTPS you still need iptables/PREROUTING or a proxy.

Allowing only one IP address to be specified for all ports within Wildfire was an "improvement" made nearly a year ago.

LG
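The PREROUTING approach LG mentions, as an added example that is not from this thread or from Wildfire: Wildfire is bound to one internal address for all its listeners, and DNAT rules on the public interface make only the XMPP ports reachable from outside, so the HTTP listener stays private to a proxy on the same host. The interface eth0, the bind address 192.168.1.10 and the port list are assumptions; the route_localnet sysctl for the localhost case is a Linux kernel setting (3.6 and later) that older kernels do not have.

```shell
#!/bin/sh
# Added example, not part of the thread or of Wildfire itself.
# Wildfire is bound to one internal address for all its listeners; the
# XMPP ports are exposed on the public interface with PREROUTING DNAT
# rules, while the HTTP listener remains unreachable from outside.
#
# Assumptions: public interface eth0, Wildfire bound to 192.168.1.10,
# XMPP client port 5222 and server-to-server port 5269.

EXT_IF=eth0
BIND_ADDR=192.168.1.10
XMPP_PORTS="5222 5269"

# Emit one DNAT rule per XMPP port. If BIND_ADDR is 127.0.0.1, the kernel
# treats DNATed packets for loopback as martians unless route_localnet is
# enabled on the incoming interface, so that sysctl is emitted first.
prerouting_rules() {
    if [ "$BIND_ADDR" = 127.0.0.1 ]; then
        echo "sysctl -w net.ipv4.conf.$EXT_IF.route_localnet=1"
    fi
    for port in $XMPP_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $port -j DNAT --to-destination $BIND_ADDR:$port"
    done
}

# Print the rules for review; pipe into `sudo sh` to load them.
prerouting_rules
```

Because the target address is configured on the same host, the DNATed packets are delivered locally and no IP forwarding is needed; only the loopback variant needs the extra sysctl.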

Anyway, thanks for the answer. Regards,

  • Christian