Restricting access from a proxy.

proxy protection


#1 briand



Posted 26 September 2017 - 12:37 AM

I'm trying to restrict access to certain depots when the Perforce server is accessed from a specific proxy.

I have dm.proxy.protects set to 1:

> p4 configure show dm.proxy.protects
dm.proxy.protects:1 (default)

The protection rules are currently set up like this (user briand is a member of group trunk-eng):

> p4 protects -u briand //trunk/Makefile
list group * * -//...
write group trunk-eng * //trunk/...
list user * proxy- -//...

Unfortunately, when I access through the restricted proxy, I'm still getting my normal permissions. For example:

> p4 changes -m1 //trunk/Makefile
Change 54321 on 2017/08/08 by briand@briand-trunk 'Update Makefile'

Here is the corresponding log entry from the server:

2017/09/25 17:20:02 pid 5899 briand@briand-trunk [p4/2017.1/LINUX26X86_64/1534792] 'user-changes -m1 //trunk/Makefile'

I see from the log line that the server is being accessed from the restricted proxy ( and the line that I'm expecting to restrict the access is at the end of the p4 protects output. Can anyone see what I'm missing?


#2 p4rfong


  • Staff Moderators

Posted 03 October 2017 - 02:08 AM

Seems to work for me.
Please try:

list user * proxy-10.19/13.* -//...

and see if this restricts access when using the proxy.

#3 briand



Posted 05 October 2017 - 12:14 AM

I contacted support, but didn't end up with any useful help.

After spending even more time going over the documentation again, it finally dawned on me what my problem was. I was trying to restrict access based on the IP address of the proxy, but Perforce only allows you to restrict access if the client is using a proxy (any proxy). Take a look at the IP address I listed in the protect table rules and match it up with the addresses in the log line. The protect table rules mention the proxy's IP address, not the client's. If I changed the IP address in the protect table to be the client address, things worked as expected.

In the end, I concluded that the Perforce protection mechanism would not allow me to configure protections the way I needed, so I resorted to layers of firewall rules to mask the client IP address (setting it to a predetermined value). This allowed me to write protection rules to accomplish what I needed.
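
An added sketch (not part of the thread and not Perforce code) of the behaviour described in post #3: with dm.proxy.protects set to 1, the host field is compared against "proxy-" plus the client's address, so a rule naming the proxy's address never matches. The IP addresses are constructed, and the evaluator is a simplified last-matching-line model that ignores access levels.

```python
import re

# Constructed addresses (documentation ranges); the thread's real IPs are not shown.
CLIENT_IP, PROXY_IP = "192.0.2.10", "198.51.100.5"

def host_for_protects(client_ip, via_proxy):
    """Host string compared with the table's host field when dm.proxy.protects=1.
    A proxied connection is 'proxy-' + the CLIENT address; the proxy's own
    address is not part of the comparison."""
    return ("proxy-" + client_ip) if via_proxy else client_ip

def wild(pattern, value, star=".*"):
    """Match Perforce-style wildcards: '...' spans '/', '*' is `star`."""
    parts = re.split(r"(\.\.\.|\*)", pattern)
    rx = "".join(".*" if p == "..." else star if p == "*" else re.escape(p)
                 for p in parts)
    return re.fullmatch(rx, value) is not None

def has_access(table, user, groups, host, depot_path):
    """Simplified model (assumption): the last matching line decides, and an
    exclusion ('-' path) removes all access. Access levels are ignored."""
    allowed = False
    for _level, kind, name, host_pat, path in table:
        subjects = [user] if kind == "user" else groups
        if not any(wild(name, s) for s in subjects):
            continue
        if not wild(host_pat, host):
            continue
        if not wild(path.lstrip("-"), depot_path, star="[^/]*"):
            continue
        allowed = not path.startswith("-")
    return allowed

def table_with(host_field):
    """The thread's three protections lines, with a chosen host on the last."""
    return [("list", "group", "*", "*", "-//..."),
            ("write", "group", "trunk-eng", "*", "//trunk/..."),
            ("list", "user", "*", host_field, "-//...")]

def check(host_field, via_proxy):
    """True if briand can still reach //trunk/Makefile under this host field."""
    host = host_for_protects(CLIENT_IP, via_proxy)
    return has_access(table_with(host_field), "briand", ["trunk-eng"],
                      host, "//trunk/Makefile")

if __name__ == "__main__":
    for field in ("proxy-" + PROXY_IP, "proxy-" + CLIENT_IP, "proxy-*"):
        print(field, "proxied:", check(field, True), "direct:", check(field, False))
```
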
