Access Filter plugin
The AccessFilter plugin makes it possible for you to control which IP addresses can access your GpsGate Server.
This guide explains how you can install and use the AccessFilter plugin on GpsGate Server. After installing this plugin, you will be able to restrict access to your GpsGate Server by defining access filters. This can be very useful if you want administrators or devices to be able to access GpsGate Server only from trusted IP addresses.
Filters you create are application- and role-specific, so you can create different access filters for different roles in each application. This guide will take you through the steps to perform these operations.
Installation
- Install the AccessFilter plugin.
- Navigate to the Security tab in Site Admin. You can access the plugin page by clicking the Access Filters link in the side menu.
If you have already installed the AccessFilter plugin, make sure all your plugins are up to date.
Creating Access Filter Items
Once you get to the AccessFilter plugin page for the first time, the page will tell you that there aren’t any access filter items defined. You can click on the Create New button in the top right of the screen to get to the form, where you can create access filter items in two steps.
Step 1: Creating Access Filter Chain
A chain represents an access filter item which can be assigned to a role in an application. A chain is formed of rules, and it requires a unique name to be identified.
Here, you have to fill in:
- Name: A unique name to identify the access filter chain.
- Description (Optional): Description for this chain.
- Enabled: Whether this chain is active or not. Disabled access filter chains will be ignored.
After you fill in the fields and click on Save, you are able to proceed with defining access filter rules.
Step 2: Creating Access Filter Rules
A rule is a part of an access filter chain; it specifies which address or address group should be allowed or denied. You can define multiple rules in one chain, and they will be executed in the order they are listed.
When you click the “Add New Rule” button, the form below will be displayed.
Here, you have to fill in:
- Action: Specifies whether this rule should Allow or Deny the specified address or address group.
- Scope: Type of address or address group.
- Address values: The required input in this section changes depending on your choice of Scope in the previous step.
  - For IP Address, you have to specify a single IP address. (Example: 192.168.0.112)
  - For Subnet, you have to specify a base IP address and a subnet mask. (Example: 192.168.0.0/24)
  - For IP Address Range, you have to specify the start and the end of the IP range. (Example: From [192.168.0.0] - To [192.168.0.255])
- Enabled: Whether this rule is active or not. Disabled rules will be ignored.
- Note (Optional): Description of this rule.
When you click “Save”, the rule will be recorded as the last rule in the chain. However, you can modify and reorder rules as you wish in the rules list, as seen below:
By navigating to the access filter main page, you are also able to modify and reorder access filter chain items.
Assigning Access Filter Chains To Roles
Now that you have created access filter chains and defined access rules under them, you can specify which roles the access filter should apply to. To do that, follow the steps below:
- In Site Admin, go to the Applications tab. Click Search and Manage.
- Click the application for which you want to enable access filter chains.
- Scroll down to the Privileges and Roles section. Find the Plugins node in the privilege tree.
- Under Plugins, expand the AccessFilter and then the _AccessFilter privilege nodes.
- Check/Uncheck the access filter chains you want to enable/disable for this application.
- Click “Save”. Now the application has the selected access filter items enabled, and they are assigned to the _Administrator role automatically.
- Log in to the Vehicle Tracker Application. From the main menu, go to “Admin” ⇒ “Roles”.
- In the Roles window, click on the role you want to assign access filter items to.
- Under Privileges, you can assign access filter items to this role in the same way you did for the application.
How It Works
When a user tries to connect to GpsGate Server, the access filter mechanism first checks what role(s) the user has. The next step is to iterate through all the access filter chains assigned to the user’s role(s). The first rule that covers the user’s IP address is applied, so access is allowed or denied depending on what the first matching rule instructs. If there is no match, access is denied by default.
Please note that access filter items take effect right after you assign them to a role. Also, if you don’t enable the _AccessFilter privilege for a role, the access filter mechanism will ignore this role, which means that the particular role will always be allowed.
Example Scenarios
The functionality provided by this plugin can be very useful when you want to restrict access to administrators and devices which try to connect to GpsGate Server.
Scenario 1: Restrict access to SiteAdmin
If you want the administrator(s) to be able to log in to SiteAdmin only from a trusted IP address, use the AccessFilter plugin to define a chain that includes only one rule:
After this step, you need to enable the access filter chain for the Site Administration Application itself. To do that:
- Go to the Applications tab and click “Search and Manage” from the menu to the left.
- Click on the “Site Administration Application” to edit.
- Scroll down to the Privileges and Roles section. Find the Plugins node in the privilege tree.
- Enable the chain by checking it, then click “Save.”
Once this access filter chain is enabled for the Site Administration Application, only clients with the IP address 66.249.64.167 will be allowed to access SiteAdmin.
Scenario 2: Restrict access to devices
Think of a case where you want the tracking devices to be able to send data from a specific IP address range. Also, you want to block one specific IP address in that range.
What you can do here is to define a chain that has two rules (please note the order):
To enable this access filter chain, please make sure to follow the steps in the Assigning Access Filter Chains To Roles section. Once this chain is enabled for the _Unit role, devices with the IP address 66.249.64.167 will be denied. All other devices within the IP range 66.249.64.0 – 66.249.64.255 will be allowed.
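The first-match evaluation from How It Works, run against the Scenario 2 chain, as an added Python example (not GpsGate's own code). The Rule and Chain classes and evaluate() are hypothetical names, and evaluating chains in their listed order is an assumption; roles without the _AccessFilter privilege, which bypass filtering, are not modeled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical model of one access filter rule
    action: str                  # "Allow" or "Deny"
    scope: str                   # "IP Address", "Subnet" or "IP Address Range"
    value: tuple                 # (address,), (cidr,) or (start, end)
    enabled: bool = True

    def covers(self, ip):
        if self.scope == "IP Address":
            return ip == ipaddress.ip_address(self.value[0])
        if self.scope == "Subnet":
            return ip in ipaddress.ip_network(self.value[0], strict=False)
        if self.scope == "IP Address Range":
            start, end = (ipaddress.ip_address(v) for v in self.value)
            return ip.version == start.version and start <= ip <= end
        raise ValueError(f"unknown scope: {self.scope}")

@dataclass
class Chain:                     # hypothetical model of one access filter chain
    name: str
    rules: list
    enabled: bool = True

def evaluate(chains, client_ip):
    """Return "Allow" or "Deny" for client_ip using first-match semantics."""
    ip = ipaddress.ip_address(client_ip)
    if ip.is_loopback:           # Important Notes: localhost is always allowed
        return "Allow"
    for chain in chains:
        if not chain.enabled:    # disabled chains are ignored
            continue
        for rule in chain.rules:
            if rule.enabled and rule.covers(ip):
                return rule.action   # the first matching rule decides
    return "Deny"                # no match: access is denied by default

# Constructed sample: the Scenario 2 chain (Deny one address, then Allow the range).
SCENARIO_2 = Chain("devices", [
    Rule("Deny", "IP Address", ("66.249.64.167",)),
    Rule("Allow", "IP Address Range", ("66.249.64.0", "66.249.64.255")),
])
# Same rules in reverse order: the Allow matches first, so the Deny is never reached.
MISORDERED = Chain("devices-misordered", list(reversed(SCENARIO_2.rules)))
```

With the rules reversed, 66.249.64.167 is allowed, which is why the order of rules in a chain should be reviewed after every reorder.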
Important Notes
- Access from the host machine (i.e. localhost) is always allowed, regardless of the access filters defined.
- Access filters are applied only to connections that use HTTP, TCP, or UDP.
- When you enable an access filter chain for an application, it is assigned to the _Administrator role automatically.