
Restrict access to Knox E-FOTA On-Premises

Last updated December 15th, 2023

Environment

  • Knox E-FOTA On-Premises
  • HAProxy service
  • Linux terminal

Overview

With HAProxy, IT admins can restrict access to the Knox E-FOTA On-Premises console by creating an allowlist of IP addresses.

[Figure: domain-based access environment type C]

This HAProxy configuration assumes that the Knox E-FOTA On-Premises server and the IT admin's computer are located in the same network range, so that HAProxy sees the admin computer's own address as the source of the request rather than the address of a NAT gateway or intermediate proxy.

How to configure the HAProxy allowlist

To configure the HAProxy allowlist:

  1. Locate the HAProxy configuration file. By default, the path to the config file is /dfm/haproxy/config/haproxy.cfg.

  2. Open the configuration file and add the following lines under frontend fe_web. In this example, 123.123.123.123 is a placeholder for the IT admin's IP address; replace it with the address that should be allowed.

    # match requests whose source address is the allowed admin address
    acl is-allowed-ip src 123.123.123.123
    # match the console's admin paths (case-insensitive prefix match)
    acl is-admin path_beg -i /admin
    # reject admin requests from any other source with HTTP 403
    http-request deny if !is-allowed-ip is-admin
    

[Figure: configure allowlist ip]

  3. Restart the HAProxy service from the command line and confirm that the dfm-proxy container is running again:

    dfm restart dfm-proxy
    podman ps -a    # the dfm-proxy container should show a status of Up
    

After making these changes, any request for a Knox E-FOTA On-Premises console path beginning with /admin from a source IP address that is not on the allowlist is rejected with an HTTP 403 (Forbidden) response. Paths outside /admin are not affected by this rule.

If access is blocked even though the IT admin's IP address is on the allowlist, the source address that HAProxy sees for the request is probably different from the address in the allowlist (for example, because the traffic passes through NAT or another proxy on the way to the server). Use the HAProxy log to find the address HAProxy actually sees.

To resolve this issue:

  1. Open the HAProxy configuration file.

  2. Comment out the following lines. Disabling option dontlog-normal makes HAProxy log successful requests as well as errors, so that the source address of your own request appears in the log; commenting out the three allowlist lines temporarily lifts the restriction so that the request gets through.

    # option dontlog-normal
    ...
    # acl is-allowed-ip src <ip_address>
    # acl is-admin path_beg -i /admin
    # http-request deny if !is-allowed-ip is-admin
    
  3. Restart the HAProxy service:

    dfm restart dfm-proxy
    podman ps -a
    
  4. Before accessing the E-FOTA On-Premises console, start following the HAProxy container log from the command line:

    podman logs --tail 30 -f dfm-proxy    # -f keeps printing new entries
    
  5. Open the Knox E-FOTA On-Premises console in a browser. The log entry for your request shows the source address that HAProxy sees for your computer; this is the address to put in the allowlist.

  6. Uncomment the three allowlist lines and replace the address with the one shown in the log. Leave option dontlog-normal commented out for now, so that the test requests in the next steps are still logged.

  7. Restart the HAProxy service:

    dfm restart dfm-proxy
    
  8. Test access to the console from an IP address that is not on the allowlist, and then from the allowed address. The configuration is working if the request from the disallowed address receives an HTTP 403 response and the allowed address can still reach the console.

  9. In the configuration file, uncomment the following line so that HAProxy stops logging every successful request:

    option dontlog-normal
    
  10. Restart the HAProxy service:

    dfm restart dfm-proxy
    
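The following script is an added example for both procedures on this page (the allowlist configuration and the troubleshooting steps); it is not part of the Knox E-FOTA On-Premises documentation or product. It renders the three allowlist lines for any number of addresses or CIDR ranges, emulates the deny rule so that a candidate allowlist can be checked against an address before the proxy is restarted, and extracts client source addresses from HAProxy log lines the way step 5 of the troubleshooting procedure does by eye. It assumes IPv4 addresses only and that the dfm-proxy container logs in HAProxy's standard httplog format; the log lines embedded in it are constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the Knox E-FOTA On-Premises documentation).
# Assumptions not stated on the page: IPv4 only, and HAProxy "httplog"
# format, where the "client_ip:port [accept_date]" pair marks the start
# of the HAProxy part of the line and the quoted request line is last.

# Print the three allowlist lines for frontend fe_web. Arguments: one or
# more addresses or CIDR ranges; HAProxy accepts several patterns on a
# single "src" ACL line and matches if any of them matches.
allowlist_acl() {
    printf 'acl is-allowed-ip src %s\n' "$*"
    printf 'acl is-admin path_beg -i /admin\n'
    printf 'http-request deny if !is-allowed-ip is-admin\n'
}

# Dotted-quad IPv4 address to integer.
ip2int() {
    echo "$1" | awk -F. '{ print (($1*256+$2)*256+$3)*256+$4 }'
}

# Return 0 if $1 matches any of the remaining arguments (address or CIDR),
# as HAProxy's "src" ACL would.
src_matches() {
    ipnum=$(ip2int "$1"); shift
    for pat in "$@"; do
        case "$pat" in
            */*) net=${pat%/*}; bits=${pat#*/} ;;
            *)   net=$pat; bits=32 ;;
        esac
        if awk -v ip="$ipnum" -v net="$(ip2int "$net")" -v bits="$bits" \
            'BEGIN { s = 2 ^ (32 - bits)
                     exit !(int(ip / s) == int(net / s)) }'; then
            return 0
        fi
    done
    return 1
}

# Emulate "http-request deny if !is-allowed-ip is-admin": return 0 (denied)
# only when the path starts with /admin (any case) and the source matches
# none of the allowlist patterns. Usage: request_denied IP PATH PATTERN...
request_denied() {
    src=$1; path=$2; shift 2
    case "$path" in
        /[Aa][Dd][Mm][Ii][Nn]*) ;;
        *) return 1 ;;
    esac
    ! src_matches "$src" "$@"
}

# Read HAProxy log lines on stdin; print each distinct client address that
# requested a path under /admin, in first-seen order.
client_ips_for_admin() {
    awk '
        {
            ip = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^[0-9.]+:[0-9]+$/ && $(i + 1) ~ /^\[/) {
                    split($i, a, ":"); ip = a[1]; break
                }
            if (ip == "") next
            n = split($0, q, "\"")          # request line is the last quoted field
            split(q[n - 1], r, " ")
            if (tolower(substr(r[2], 1, 6)) == "/admin" && !(ip in seen)) {
                seen[ip] = 1; print ip
            }
        }'
}

# Constructed sample log (not real output): two admin requests from the
# admin workstation, one health check, and one denied admin request.
SAMPLE_LOG='Dec 15 10:00:00 efota haproxy[7]: 192.168.10.25:51234 [15/Dec/2023:10:00:00.123] fe_web be_web/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /admin/login HTTP/1.1"
Dec 15 10:00:01 efota haproxy[7]: 192.168.10.25:51235 [15/Dec/2023:10:00:01.001] fe_web be_web/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /Admin/dashboard HTTP/1.1"
Dec 15 10:00:02 efota haproxy[7]: 10.0.0.8:40000 [15/Dec/2023:10:00:02.010] fe_web be_web/srv1 0/0/1/2/3 200 100 - - ---- 1/1/0/0/0 0/0 "GET /api/health HTTP/1.1"
Dec 15 10:00:03 efota haproxy[7]: 10.0.1.9:40001 [15/Dec/2023:10:00:03.010] fe_web fe_web/<NOSRV> 0/-1/-1/-1/0 403 190 - - PR-- 1/1/0/0/0 0/0 "POST /admin/api HTTP/1.1"'

# Stand-alone demo: render an allowlist, then list who touched /admin.
allowlist_acl 192.168.10.25 10.0.0.0/24
printf '%s\n' "$SAMPLE_LOG" | client_ips_for_admin
```

The output of allowlist_acl replaces the three lines under frontend fe_web in /dfm/haproxy/config/haproxy.cfg. To check a candidate allowlist before restarting dfm-proxy, pipe the output of podman logs dfm-proxy into client_ips_for_admin to get the address HAProxy sees, then run request_denied with that address, the path /admin, and the intended allowlist: a zero exit status means the rule would reject it.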
