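I used to do this by editing httpd.conf by hand; this time I happened to find that b httpd allow also works, but the command only takes effect on version 945 and above, and configuring it on other versions has no effect.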
You can restrict access to the Configuration utility by the source IP address. To do so, perform one of the following two procedures for the version of BIG-IP you are running:
BIG-IP versions 9.4.2 and later
Important: Currently, the bigpipe httpd allow command does not properly restrict access to the Configuration utility. F5 Networks Product Development is tracking this issue as CR95885. For more information, refer to SOL8518: The bigpipe httpd allow command does not restrict access to the Configuration utility.
To restrict access to the Configuration utility by the source IP address for BIG-IP versions 9.4.2 and later, perform the following procedure:
- Log in to the command line.
- Use the following bigpipe command syntax:
bigpipe httpd allow <IP_address / IP_address_range>
For example:
- To replace the existing list of hosts that can connect to the Configuration utility with the hosts in the range, 172.27.0.0/255.255.0.0, you would type the following command:
bigpipe httpd allow 172.27.0.0/255.255.0.0
- To add the specific host address of 172.27.1.1 to the list of hosts that can currently connect to the Configuration utility, you would type the following command:
bigpipe httpd allow 172.27.1.1 add
- To save the configuration, type the following command:
bigpipe save
Removing an IP address from the httpd allow list
To remove an IP address from the httpd allow list for BIG-IP versions 9.4.2 and later, perform the following procedure:
- Log in to the command line.
- Use the following bigpipe command syntax:
bigpipe httpd allow <IP_address / IP_address_range> delete
For example:
- To remove the hosts in the range 172.27.0.0/255.255.0.0 from the list of hosts that can connect to the Configuration utility, you would type the following command:
bigpipe httpd allow 172.27.0.0/255.255.0.0 delete
- To remove the specific host address of 172.27.1.1 from the list of hosts that can currently connect to the Configuration utility, you would type the following command:
bigpipe httpd allow 172.27.1.1 delete
- To save the configuration, type the following command:
bigpipe save
BIG-IP versions 9.0 through 9.4.1
To restrict access to the Configuration utility by the source IP address for BIG-IP versions 9.0 through 9.4.1, perform the following procedure:
Note: The following changes are not carried over if the system is upgraded or if a hotfix is applied that modifies the httpd.conf file. Additionally, the changes are not synchronized and must be performed on each system in a redundant pair.
- Edit the httpd.conf file located in the /config/httpd/conf/ directory.
- Locate the following entry in the httpd.conf file:
<Location /tmui>
    Order Allow,Deny
    Allow from all
    AuthType Basic
    AuthName "BIG-IP"
    AuthPAM_Enabled on
    AuthPAM_CacheTimeout 86400
    require valid-user
</Location>
- Comment out the Allow from all line. The line should appear similar to the following example:
# Allow from all
- Add the appropriate Allow statement for the source IP addresses that are allowed access, by following one of the examples below:
Note: You can use a combination of partial and single addresses, in addition to the examples provided.
- To specify a single IP address, add the following line:
Allow from x.x.x.x
For example:
Allow from 10.10.1.20
- To specify multiple single IP addresses, add the following line:
Allow from x.x.x.x y.y.y.y z.z.z.z
For example:
Allow from 10.10.1.20 20.20.1.20 30.30.1.30
- To specify a partial IP address, add the following line:
Allow from x
For example:
Allow from 10
Note: A partial IP address is treated the same as a network/netmask pair for subnet restriction. The applied subnet mask is assumed to be 255 for each byte of the address specified.
- To specify a network/netmask pair, add the following line:
Allow from a.b.c.d/x.x.x.x
For example:
Allow from 10.10.1.20/255.255.255.0
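The following Python check is an added example, not part of the F5 article or the original post: it reads the <Location /tmui> block, collects the uncommented Allow from entries, and tests whether a client address would match under the single, partial and network/netmask forms listed above. The sample configuration is constructed, the function names are illustrative, and it assumes IP-only entries and no Deny lines in the block.

```python
import ipaddress
import re

# Constructed sample: the /tmui block after the edit described above.
SAMPLE_CONF = """\
<Location /tmui>
    Order Allow,Deny
    # Allow from all
    Allow from 10.10.1.20 20.20.1.20
    Allow from 172.27
    Allow from 192.168.5.0/255.255.255.0
    AuthType Basic
    require valid-user
</Location>
"""

def tmui_allow_specs(conf_text):
    """Return the active (uncommented) Allow-from arguments in <Location /tmui>."""
    specs, inside = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"<Location\s+/tmui\s*>", line, re.I):
            inside = True
        elif re.match(r"</Location>", line, re.I):
            inside = False
        elif inside and not line.startswith("#"):
            m = re.match(r"Allow\s+from\s+(.+)", line, re.I)
            if m:
                specs.extend(m.group(1).split())
    return specs

def spec_to_network(spec):
    """Map one Allow-from argument to an IPv4 network, or None if it is not an IP form."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:  # network/netmask pair; host bits are masked off
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not (1 <= len(octets) <= 4 and all(o.isdigit() for o in octets)):
        return None  # host names and other forms are out of scope here
    # Partial address: mask is 255 for each byte given, 0 for the rest.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def is_allowed(conf_text, client_ip):
    """True if client_ip matches an active Allow entry (assumes no Deny lines)."""
    ip = ipaddress.ip_address(client_ip)
    nets = (spec_to_network(s) for s in tmui_allow_specs(conf_text))
    return any(n is not None and ip in n for n in nets)

def still_open(conf_text):
    """True if an uncommented 'Allow from all' remains in the block."""
    return any(s.lower() == "all" for s in tmui_allow_specs(conf_text))
```

Because the httpd.conf edit is lost on an upgrade or hotfix and is not synchronized, the same check can be run against /config/httpd/conf/httpd.conf on each system in a redundant pair.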