Transfer authorization based on client IP address

by Serban Simu

Description

As of version 2.6 of Aspera Enterprise Server, Connect Server and Point to Point, it is possible to allow or deny transfers based on the connecting client's IP address. This feature was implemented via the FASP™ external authorization facility, and can be configured in aspera.conf. In a future release users will be able to configure this in the GUI.

As with most Aspera configurations, you can enable client IP authorization as a global, per-group, or per-user setting. Because IP restrictions are most often set per user, you will most likely use the user section of aspera.conf. The client IP based allow/deny restriction can be set separately for inbound and outbound transfers.

Configuration

You configure authorization by IP address by editing aspera.conf, the configuration file, which is located in:

  • Linux: /opt/aspera/etc
  • Windows: C:\Program Files (x86)\Aspera\<product name>\etc (replace <product name> with your installed product)
  • Mac: /Library/Aspera/etc

You create an authorization rule with the value tag, which takes a peer_ip attribute:

<in>
<value peer_ip="ip_address">allow/deny</value>
</in>
<out>
<value peer_ip="ip_address">allow/deny</value>
</out>

The value itself can be either allow or deny, depending on whether you want to allow or deny transfers from this IP address. You can specify the IP address as a single host IP or as a subnet in CIDR notation (like 10.0.0.0/16).

These tags are nested within an <in> section if they apply to client uploads, or within an <out> section if they apply to client downloads. Within each section you can list as many value tags as needed; they are interpreted in order and the first one that matches is used. Subsequent entries are ignored.

Examples

To configure the authorization on a global level, place your tags in the sections as shown below. In the following example, client uploads are only allowed from the IP 10.3.200.8 or the subnet 10.0.0.0/16; the final value tag, which has no peer_ip attribute, denies every other address:

...
<default>
  <authorization>
    <transfer>
      <in>
        <value peer_ip="10.3.200.8">allow</value>
        <value peer_ip="10.0.0.0/16">allow</value>
        <value>deny</value>
      </in>
    </transfer>
  </authorization>
</default>
...
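
The first-match evaluation described above can be modeled offline to audit a rule list before it is deployed. This is an added example, not Aspera code: the function names are hypothetical, the sample is the <in> section of the global example, and it assumes a value tag without peer_ip matches any address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <in> section of the global example above.
SAMPLE_IN = """<in>
  <value peer_ip="10.3.200.8">allow</value>
  <value peer_ip="10.0.0.0/16">allow</value>
  <value>deny</value>
</in>"""

def load_rules(section_xml):
    """Parse one <in>/<out> section into [(network or None, action)], in order."""
    rules = []
    for tag in ET.fromstring(section_xml).findall("value"):
        action = (tag.text or "").strip().lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unexpected action {action!r}")
        peer = tag.get("peer_ip")
        # Assumption: a value tag without peer_ip matches every address.
        rules.append((ipaddress.ip_network(peer) if peer else None, action))
    return rules

def decide(rules, client_ip):
    """Return the action of the first matching rule, or None if none matches."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if net is None or ip in net:
            return action
    return None  # outcome here depends on settings this model does not cover

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, (net, _) in enumerate(rules):
        for prev, _ in rules[:i]:
            if prev is None or (net is not None and net.version == prev.version
                                and net.subnet_of(prev)):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    rules = load_rules(SAMPLE_IN)
    for ip in ("10.3.200.8", "10.0.44.1", "192.0.2.10"):
        print(ip, decide(rules, ip))
    print("shadowed rule indexes:", shadowed(rules))
```

A rule reported by shadowed() is dead configuration: for instance, a host deny placed after an allow for the subnet that contains it never takes effect.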

To configure the authorization for a particular user, follow the example below.

...
<user>
  <name>janedoe</name>
  <authorization>
    <transfer>
      <in>
        <value peer_ip="10.3.200.8">deny</value>
      </in>
    </transfer>
  </authorization>
</user>
...

After making the changes to aspera.conf, check the file for errors by running the validation command for your system:

Mac OS X
/Library/Aspera/bin/asuserdata -v

Windows
"C:\Program Files (x86)\Aspera\Enterprise Server\bin\asuserdata" -v
 
Linux
/opt/aspera/bin/asuserdata -v