WEBVTT

00:00.260 --> 00:02.750
Welcome back to the Knowledge Portal Video series.

00:03.260 --> 00:10.220
Today we are going to talk about one more way in which you can have a stringent access control on your

00:10.220 --> 00:13.820
files in your web server with the help of whitelisting.

00:14.450 --> 00:16.610
Let's look into how it works.

00:18.370 --> 00:24.130
Now, essentially, if you have a web server on the Internet, the chances are that you might be getting

00:24.130 --> 00:26.410
visitors from all over the world.

00:27.370 --> 00:33.640
Now let's assume this is an example.com web server and you have a slash admin portal.

00:34.210 --> 00:40.770
Now what you want is you do not want everyone to access the slash admin page.

00:40.780 --> 00:46.480
You only might want to allow only certain IP to access that particular page.

00:46.930 --> 00:50.710
Now the way in which you can do that is through whitelisting.

00:51.490 --> 00:56.270
Now, taking this example, there are three clients over here.

00:56.290 --> 00:58.500
Each has a unique IP address.

00:58.510 --> 01:06.970
So as a web server, what you can do is you can allow access to a certain resource only if the client

01:06.970 --> 01:08.920
has a particular IP address.

01:09.700 --> 01:19.910
So if we say to a web server to only allow slash admin page to be accessible from 192.168.10.5 and

01:19.910 --> 01:20.980
deny all.

01:20.990 --> 01:27.530
So essentially that means that only one computer can access the particular admin page and no one else.

01:28.490 --> 01:34.110
Now if you look into the syntax, it is a very simple way of doing it.

01:34.130 --> 01:37.280
So here the location for slash admin.

01:38.120 --> 01:45.020
In this we have the allow directive, where it is saying allow followed by the IP address and deny all.

01:45.560 --> 01:53.030
So essentially this is a very simple way to say only allow this particular IP address to access the

01:53.030 --> 01:56.360
admin page and deny everyone else.

01:58.070 --> 02:05.090
Now this is a very simple whitelisting based approach, which is very, very helpful.

02:05.120 --> 02:08.540
Let's look into how we can implement it on Nginx.

02:09.170 --> 02:12.920
So I'll minimize this and I'll go to our server.

02:13.550 --> 02:21.850
Now let's go to our favorite web conf and essentially I have a slash admin page over here.

02:22.390 --> 02:24.760
So let's define a root location.

02:24.760 --> 02:29.740
So root will be /var/www/websites/example.

02:33.030 --> 02:38.430
The index will be index.html and let's include the allow directive.

02:39.570 --> 02:41.830
Allow 127.0.0.1.

02:42.360 --> 02:44.880
And I'll specify deny all.

02:45.690 --> 02:52.950
Now what this essentially means that only allow localhost to open slash admin page and deny everyone

02:52.950 --> 02:53.460
else.

02:54.060 --> 02:55.350
I'll save this once.

02:55.380 --> 02:58.200
Let me test the configuration.

02:58.200 --> 03:02.370
It is successful and let's reload the nginx.

03:04.160 --> 03:13.490
Now if I do a curl on example.com slash admin, essentially nginx will give me a 403 forbidden because

03:13.490 --> 03:16.280
I'm not allowed to access this particular resource.

03:17.420 --> 03:23.750
Now let's allow our IP address as well in the Nginx configuration.

03:23.750 --> 03:25.760
So I'll copy the IP address over here.

03:25.850 --> 03:36.410
I'll open the Nginx configuration and in the allow section, let me specify the IP address once again.

03:38.390 --> 03:43.010
So essentially now we are allowing our IP address over here.

03:43.370 --> 03:45.770
So if I do Nginx reload.

03:47.720 --> 03:48.350
Okay.

03:48.440 --> 03:51.320
Now let's do a curl again.

03:51.320 --> 04:01.820
So I'll do a curl example.com slash admin and essentially here you see it is showing the secret admin

04:01.820 --> 04:02.450
page.

04:02.480 --> 04:07.550
This is the reason because our IP address is in the whitelist.

04:08.960 --> 04:16.430
Now one more thing that I wanted to show over here is if there are a lot of IP addresses, then essentially

04:16.430 --> 04:21.410
this is not a very optimal way of doing things.

04:21.530 --> 04:30.380
So what we can do over here is I'll take these two directives, I'll copy it and I'll create a new file,

04:30.800 --> 04:35.750
say whitelist, and I'll paste the two directives over here.

04:39.460 --> 04:40.690
Let me save this.

04:40.900 --> 04:48.370
Let's go to the web conf and essentially what I'll do is.

04:50.540 --> 04:57.530
Instead of specifying a directive all the time, I'll just use the include directive followed

04:57.530 --> 04:59.120
by the path.

04:59.800 --> 05:02.240
The conf.d/whitelist.

05:05.760 --> 05:12.640
So what this basically will do is it will take the allow directives from this particular file.

05:12.690 --> 05:18.720
So if I save this and let's reload Nginx.

05:19.830 --> 05:25.080
Now, essentially what has happened is Nginx has opened this particular file and it has taken the IP

05:25.110 --> 05:28.420
addresses from the particular file itself.

05:28.440 --> 05:32.070
This is a very proper way of doing things.

05:32.070 --> 05:38.400
Specifically if you have like 10, 15 IP addresses that you want to mention and mentioning them in the

05:38.400 --> 05:41.880
configuration file is not a very optimal way of doing things.

05:42.300 --> 05:44.700
So this is it about whitelisting.

05:44.700 --> 05:51.450
This is a short video, but whitelisting is something that proves to be very useful in the production

05:51.450 --> 05:52.410
environment.

05:53.340 --> 05:54.270
This is it.

05:54.270 --> 05:59.040
I hope this video has been useful for you and I'd like to thank you for viewing.
