
IP Filtering

SolusVM can already filter IP addresses on a per-API-user basis; however, that filtering is only applied on the initial connection to the API script. You can go one step further and filter IP addresses at the web-server level.

An example is given below on how to activate this kind of filtering.

1. Edit /etc/lighttpd/lighttpd.conf and insert the following code:

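# Deny /api/admin to every client whose address is not the allowed one
$HTTP["remoteip"] !~ "^10\.0\.0\.5$" {
    $HTTP["url"] =~ "^/api/admin" {
        url.access-deny = ( "" )
    }
}

Replace 10.0.0.5 with the IP address that should be allowed to access the API. The value is a regular expression, so the dots are escaped and the pattern is anchored with ^ and $; without the anchors, a longer address that merely contains 10.0.0.5 (such as 10.0.0.50) would also be allowed. To allow multiple IP addresses, put them in parentheses between the anchors, separated by |.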

2. Restart lighttpd:

service lighttpd restart
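
Because `!~` is a regular-expression match, a bare address or a bare `|` list also matches longer addresses that contain it. The following added example (not part of the SolusVM documentation) uses Python's `re` as a stand-in for lighttpd's regex matching to compare three patterns against constructed addresses; the function names and sample addresses are illustrative assumptions.

```python
import re


def allowlist_pattern(ips):
    """Build an anchored, dot-escaped alternation for $HTTP["remoteip"] !~ "..."."""
    return "^(" + "|".join(re.escape(ip) for ip in ips) + ")$"


def is_denied(pattern, remote_ip):
    """Mirror `$HTTP["remoteip"] !~ pattern { url.access-deny }`: deny on no match."""
    return re.search(pattern, remote_ip) is None


def audit(pattern, allowed, candidates):
    """Return addresses the pattern lets through although they are not allowlisted."""
    return [ip for ip in candidates
            if ip not in allowed and not is_denied(pattern, ip)]


def lighttpd_condition(ips):
    """Render the opening line of the lighttpd conditional for the given allowlist."""
    return '$HTTP["remoteip"] !~ "%s" {' % allowlist_pattern(ips)


# Constructed sample data (not taken from any real deployment).
ALLOWED = ["10.0.0.5", "10.0.0.6"]
CANDIDATES = ["10.0.0.5", "10.0.0.6", "10.0.0.50", "110.0.0.5",
              "210.0.0.6", "192.168.1.10", "10.0.0.7"]

BARE = "10.0.0.5|10.0.0.6"                   # addresses joined with | only
HALF_ANCHORED = r"^10\.0\.0\.5|10\.0\.0\.6$"  # anchors without grouping
STRICT = allowlist_pattern(ALLOWED)           # ^(10\.0\.0\.5|10\.0\.0\.6)$

if __name__ == "__main__":
    for name, pat in (("bare", BARE), ("half-anchored", HALF_ANCHORED),
                      ("strict", STRICT)):
        print("%-14s %-32s unintended: %s"
              % (name, pat, audit(pat, ALLOWED, CANDIDATES)))
    print(lighttpd_condition(ALLOWED))
```

Only the grouped, fully anchored pattern admits exactly the listed addresses; `^` and `$` without parentheses each bind to a single branch of the alternation.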

Htpasswd authentication

The connecting software/scripts must be capable of authenticating using the username & password. Our WHMCS module v 3.11 works fine with this system.

SolusVM's API is already secured, but you can protect it with an additional authentication level using htpasswd.

To do this, enable mod_auth in lighttpd.

1. Edit /etc/lighttpd/lighttpd.conf on your master and check that it's enabled. The modules stanza should look like this:

server.modules = (
    "mod_auth",
    "mod_access",
    "mod_fastcgi",
    "mod_accesslog"
  )  

2. Add the following section to your /etc/lighttpd/lighttpd.conf:

auth.backend = "htpasswd"
  auth.backend.htpasswd.userfile = "/usr/local/solusvm/.api-htpasswd"
  auth.require = ("/api/admin" => (
     "method"  => "basic",
     "realm"   => "",
     "require" => "valid-user"
  ))
  

3. The end result should look like this:

server.modules              = (
                                "mod_auth",
                                "mod_access",
                                "mod_fastcgi",
                                "mod_accesslog" )
                                                                
server.document-root        = "/usr/local/solusvm/www/"
server.errorlog             = "/var/log/lighttpd/error.log"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm" )

mimetype.assign             = (
  ".pdf"          =>      "application/pdf",
  ".gz"           =>      "application/x-gzip",
  ".tar.gz"       =>      "application/x-tgz",
  ".tgz"          =>      "application/x-tgz",
  ".tar"          =>      "application/x-tar",
  ".zip"          =>      "application/zip",
  ".gif"          =>      "image/gif",
  ".jpg"          =>      "image/jpeg",
  ".jpeg"         =>      "image/jpeg",
  ".png"          =>      "image/png",
  ".css"          =>      "text/css",
  ".html"         =>      "text/html",
  ".htm"          =>      "text/html",
  ".js"           =>      "text/javascript",
  ".log"          =>      "text/plain",
  ".conf"         =>      "text/plain",
  ".text"         =>      "text/plain",
  ".txt"          =>      "text/plain",
  ".dtd"          =>      "text/xml",
  ".xml"          =>      "text/xml",
  ".bz2"          =>      "application/x-bzip",
  ".tbz"          =>      "application/x-bzip-compressed-tar",
  ".tar.bz2"      =>      "application/x-bzip-compressed-tar",
  ""              =>      "application/octet-stream",
 )

server.tag                 = "SolusVM" 
accesslog.filename          = "/var/log/lighttpd/access.log"

auth.backend = "htpasswd"
  auth.backend.htpasswd.userfile = "/usr/local/solusvm/.api-htpasswd"
  auth.require = ("/api/admin" => (
     "method"  => "basic",
     "realm"   => "",
     "require" => "valid-user"
  ))
  
url.access-deny             = ( "~", ".inc" )

$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable"
}

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/var/run/lighttpd/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )

server.port                = 5353
server.pid-file            = "/var/run/lighttpd.pid"
server.username            = "solusvm"
server.groupname           = "solusvm"

 $SERVER["socket"] == "0.0.0.0:5656" {
 ssl.engine = "enable"
 ssl.pemfile = "/usr/local/solusvm/ssl/cert.pem"
 }

4. Create the password file:

htpasswd -c /usr/local/solusvm/.api-htpasswd SAMPLEUSERNAME

The htpasswd tool may not be installed on your server because it's part of httpd. There are plenty of online generators you can use, e.g. http://www.htaccesstools.com/htpasswd-generator/

5. Restart lighttpd:

service lighttpd restart