Experimental Physics and Industrial Control System
|
Hi Simon, we bind all our IOCs to localhost on each host and then use a CA gateway on the same machine to control any required access from the main network to loopback
Regards,
Freddie
From: Tech-talk <tech-talk-bounces at aps.anl.gov>
On Behalf Of Simon Rose via Tech-talk
Sent: 13 June 2022 19:45
To: ralph.lange <ralph.lange at gmx.de>; EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: Re: Allowing localhost in access control files
Hello Ralph -
That might work on at least one of our hosts, but some of them will also want to be able to be accessed from outside, unfortunately.
S.
Is it possible to set up an access security file to allow only CA/PVA requests from the same host as the IOC? One option of course is to use asSetSubstitutions
and some variable, but it seems like there should be a more intrinsic way of doing this.
I have attempted using the name “localhost”, asCheckClientIP set to 1, even using 127.0.0.1 as a member of the host access group, but none of these seemed to
work.
My two main questions:
·
Is there a better or more canonical way of doing this?
·
Perhaps more importantly--particularly if we have to use environment variables and substitutions--is there some danger or pitfall about this that we should be careful about?
If the only aim is to restrict access to clients on the local machine (e.g. for test environments to not affect other hosts), I would bind the IOC's server to localhost and not use AS.
This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses.
|
- References:
- Allowing localhost in access control files Simon Rose via Tech-talk
- Re: Allowing localhost in access control files Ralph Lange via Tech-talk
- Re: Allowing localhost in access control files Simon Rose via Tech-talk
- Navigate by Date:
- Prev:
Re: win10 and base7.0.6.1 Ralph Lange via Tech-talk
- Next:
Re: Problem with NTP configuration Matt Rippa via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
<2022>
2023
2024
- Navigate by Thread:
- Prev:
Re: Allowing localhost in access control files Simon Rose via Tech-talk
- Next:
Re: Allowing localhost in access control files Ralph Lange via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
<2022>
2023
2024
|
ANJ, 14 Sep 2022 |
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
·
Search
·
EPICS V4
·
IRMIS
·
Talk
·
Bugs
·
Documents
·
Links
·
Licensing
·
|