How to use central policy to configure blacklist IPs for a reverse proxy?

Article ID: 166522

Products

ProxySG Software - SGOS

Issue/Introduction

In reverse proxy scenarios, specific public client IP addresses may need to be denied access to the reverse proxy server. While the proxy administrator can do this by logging on to the proxy, you may also need to give network administrators a way to maintain that deny list without providing them with access to the proxy's management console.

Resolution

The solution is to use Central Policy, with the policy file stored on a local FTP or HTTP server.

The following policy file can be used as a framework: a network administrator need only edit the list of offending IP addresses (or subnets) in the subnet definition for the deny to apply.


<proxy>
    ; deny every request whose client address matches the banned_ips definition
    client.address=banned_ips force_deny

; the network administrator edits only this list: one IP address or subnet per line
; (the definition name must match the one used in the <proxy> layer above)
define subnet banned_ips
    3.3.3.3
    5.5.5.5
end

The policy file (named however you choose) can be placed on an HTTP or FTP server in the environment. The URL of this location is then entered in the Management Console under policy > policy files > install central file from > remote URL. By default, the proxy checks this location every 15 minutes.

If you would like this check to run more frequently, the CLI configuration terminal has a command, 'policy poll-interval', that can shorten the interval to as little as 1 minute.
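Because the network administrator edits the address list by hand, a malformed entry (a typo in an address, or a subnet written with host bits set) will either fail the central policy install or deny a wider range than intended. The following script is an added example, not part of this article or of SGOS: it validates a plain list of IPv4 addresses and subnets and renders it into a policy file of the same shape as the framework above, refusing to produce output when any entry is invalid. The sample list, the definition name banned_ips and the treatment of an empty list as an error are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample list, as a network administrator might maintain it:
# two hosts, one CIDR subnet, a blank line, a comment and one bad entry.
SAMPLE_BLOCKLIST = """\
# offending hosts
3.3.3.3
5.5.5.5
203.0.113.0/24

10.0.0.300
"""

# Assumed definition name; it must match the name used in the <proxy> layer.
DEFINITION_NAME = "banned_ips"


def parse_blocklist(text: str) -> Tuple[List[str], List[str]]:
    """Return (valid_entries, rejected_lines) for an IPv4 address/subnet list.

    Blank lines and lines starting with '#' are ignored. Single hosts are
    emitted as a bare address, subnets as address/prefix. A subnet with host
    bits set (e.g. 203.0.113.5/24) is rejected rather than silently widened,
    so a typo cannot turn a single-host ban into a whole-subnet ban.
    """
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.IPv4Network(line)  # strict by default
        except ValueError:
            rejected.append(line)
            continue
        valid.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return valid, rejected


def render_policy(entries: Iterable[str], name: str = DEFINITION_NAME) -> str:
    """Emit a central policy file shaped like the framework in the article."""
    lines = [
        "; generated central policy: deny requests from listed client addresses",
        "<proxy>",
        f"    client.address={name} force_deny",
        "",
        f"define subnet {name}",
    ]
    lines.extend(f"    {entry}" for entry in entries)
    lines.append("end")
    return "\n".join(lines) + "\n"


def build(text: str) -> str:
    """Validate the list and render the policy; refuse to publish on any bad entry."""
    valid, rejected = parse_blocklist(text)
    if rejected:
        raise ValueError(f"refusing to publish: invalid entries {rejected}")
    if not valid:
        # Assumption: an empty subnet definition is not something we want to
        # push to the proxy unreviewed, so treat it as an error as well.
        raise ValueError("refusing to publish an empty deny list")
    return render_policy(valid)


if __name__ == "__main__":
    # First run: the sample contains a bad entry and is rejected.
    try:
        print(build(SAMPLE_BLOCKLIST))
    except ValueError as err:
        print(err)
    # Second run: with the bad line removed the policy is rendered.
    cleaned = "\n".join(l for l in SAMPLE_BLOCKLIST.splitlines() if l != "10.0.0.300")
    print(build(cleaned), end="")
```

Run the script after every edit to the list and publish only its output to the HTTP or FTP server the proxy polls; the rejected-entry message tells the administrator exactly which line to fix.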