

Restricting access from a proxy.


#1 briand


Posted 26 September 2017 - 12:37 AM

I'm trying to restrict access to certain depots when the Perforce server is accessed from a specific proxy.

I have dm.proxy.protects set to 1:

> p4 configure show dm.proxy.protects
dm.proxy.protects:1 (default)

The protection rules are currently set up like this (user briand is a member of group trunk-eng):

> p4 protects -u briand //trunk/Makefile
list group * * -//...
write group trunk-eng * //trunk/...
list user * proxy-10.19.13.77 -//...

Unfortunately, when I access through the restricted proxy, I'm still getting my normal permissions. For example:

> p4 changes -m1 //trunk/Makefile
Change 54321 on 2017/08/08 by briand@briand-trunk 'Update Makefile'

Here is the corresponding log entry from the server:

2017/09/25 17:20:02 pid 5899 briand@briand-trunk 10.19.13.77/10.19.11.6 [p4/2017.1/LINUX26X86_64/1534792] 'user-changes -m1 //trunk/Makefile'

I see from the log line that the server is being accessed from the restricted proxy (10.19.13.77) and the line that I'm expecting to restrict the access is at the end of the p4 protects output. Can anyone see what I'm missing?

Thanks.
--
Brian

#2 p4rfong

  • Staff Moderators

Posted 03 October 2017 - 02:08 AM

Seems to work for me.
Please try:

list user * proxy-10.19/13.* -//...

and see if this restricts access when using the proxy.

#3 briand


Posted 05 October 2017 - 12:14 AM

I contacted support, but didn't end up with any useful help.

After spending even more time going over the documentation again, it finally dawned on me what my problem was. I was trying to restrict access based on the IP address of the proxy, but Perforce only allows you to restrict access if the client is using a proxy (any proxy). Take a look at the IP address I listed in the protect table rules and match it up with the addresses in the log line. The protect table rules mention the proxy's IP address, not the client's. If I changed the IP address in the protect table to be the client address, things worked as expected.

In the end, I concluded that the Perforce protection mechanism would not allow me to configure protections the way I needed, so I resorted to layers of firewall rules to mask the client IP address (setting it to a predetermined value). This allowed me to write protection rules to accomplish what I needed.
--
Brian
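
An added example, not part of the original posts and not Perforce's own code: a Python check that parses the server log line from the first post and tests host patterns against the address the thread concludes is actually compared, namely the client address with a `proxy-` prefix. The function names and the `*`-only wildcard matching are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Log line quoted in the first post of this thread.
LOG_LINE = ("2017/09/25 17:20:02 pid 5899 briand@briand-trunk "
            "10.19.13.77/10.19.11.6 [p4/2017.1/LINUX26X86_64/1534792] "
            "'user-changes -m1 //trunk/Makefile'")

# user@workspace, then either "client" or "intermediary/client" addresses.
ADDR_RE = re.compile(
    r"pid \d+ (?P<user>[^@\s]+)@(?P<workspace>\S+) "
    r"(?:(?P<proxy>\d{1,3}(?:\.\d{1,3}){3})/)?"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \[")


def parse_addresses(line):
    """Return (proxy_ip or None, client_ip) from a server log line."""
    m = ADDR_RE.search(line)
    if m is None:
        raise ValueError("no address field found in log line")
    return m.group("proxy"), m.group("client")


def effective_host(line):
    """Host string the protections table is compared against.

    Assumption (from the thread's conclusion): with dm.proxy.protects=1 it
    is the client address, prefixed with 'proxy-' when the request arrived
    through an intermediary. The proxy's own address is never compared.
    """
    proxy, client = parse_addresses(line)
    return f"proxy-{client}" if proxy else client


def host_matches(pattern, line):
    """Simplified match: only the '*' wildcard is modelled, no CIDR."""
    return fnmatchcase(effective_host(line), pattern)


if __name__ == "__main__":
    for pattern in ("proxy-10.19.13.77", "proxy-10.19.11.6",
                    "proxy-*", "10.19.11.6"):
        print(f"{pattern:20} -> {host_matches(pattern, LOG_LINE)}")
```

Running it against the quoted log line shows the original rule (`proxy-10.19.13.77`) not matching, while a rule naming the client address or `proxy-*` does.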
