Firewall
OpenVPMS includes a firewall that can limit access to specific IP addresses.
This should be enabled where OpenVPMS is deployed on a publicly accessible host with no or limited firewall support of its own.
The firewall only applies to OpenVPMS. It doesn't restrict access to other applications that may be deployed on the web container.
If the web container is behind a proxy or load balancer, it needs to be configured to pass the client IP addresses through, otherwise OpenVPMS will see clients as coming from the proxy host. See Tomcat Configuration below for instructions on how to do this for Tomcat.
The firewall is configured via Administration - System - Settings.
It provides the following options:

Access Type
    Determines where users can connect from. One of:
      - Unrestricted. Use if OpenVPMS is already behind a firewall.
      - Use to restrict access to the listed IP addresses.
      - Use to restrict access to the listed IP addresses, but allow specific users to connect from anywhere. This can be used if access should be restricted to particular addresses, but:
        Note that the Connect From Anywhere flag is only checked on login. To revoke access to a logged in user, untick their Connect From Anywhere flag and use Terminate Session to forcibly log them out. WARNING: any plugin that provides a web service that doesn't require authentication will be publicly accessible.
        Consult your implementer before enabling this option.

Multifactor authentication
    When selected, users connecting from outside the firewall will be required to use multifactor authentication. This only applies when:

IP addresses
    The IP addresses that users can connect from. Only applicable if Access Type is not Unrestricted. An address may be specified as a single IP address (e.g. 192.12.33.3), or a range of addresses specified using CIDR notation (e.g. 192.168.10.0/24).
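The following Python is an added illustration of the decision the firewall makes for a login attempt; it is not OpenVPMS code. It parses the address list in the two forms described above (single address or CIDR range) and applies the three access types. The labels for the two restricted types, and the assumption that the multifactor requirement applies to a user admitted via Connect From Anywhere, are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Access types. "Unrestricted" is the page's name; the other two labels are
# assumed names for this illustration.
UNRESTRICTED = "Unrestricted"
RESTRICTED = "Restricted"
RESTRICTED_WITH_EXCEPTIONS = "Restricted with Connect From Anywhere"


def parse_addresses(entries):
    """Parse the allowed addresses. Each entry is a single address such as
    192.12.33.3 or a CIDR range such as 192.168.10.0/24. A bare address
    becomes a /32 (or /128) network, so one membership test covers both."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            # strict=False masks host bits, so 192.168.10.5/24 is accepted
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


@dataclass
class Firewall:
    access_type: str
    allowed: list = field(default_factory=list)  # networks from parse_addresses
    mfa_outside: bool = False                    # require MFA for outside logins

    def is_inside(self, client_ip):
        """True if the client address is covered by an allowed entry.
        Unparseable addresses are treated as outside."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        # membership is False when the address and network IP versions differ
        return any(addr in net for net in self.allowed)

    def decide(self, client_ip, connect_from_anywhere=False):
        """Return (allowed, mfa_required) for a login from client_ip.
        connect_from_anywhere is the per-user flag, checked at login only."""
        if self.access_type == UNRESTRICTED:
            return True, False
        if self.is_inside(client_ip):
            return True, False
        if self.access_type == RESTRICTED_WITH_EXCEPTIONS and connect_from_anywhere:
            # Outside the listed addresses but explicitly permitted: assumed to
            # be the case in which the multifactor requirement applies.
            return True, self.mfa_outside
        return False, False


if __name__ == "__main__":
    # Constructed sample configuration and clients (not real addresses)
    fw = Firewall(RESTRICTED_WITH_EXCEPTIONS,
                  parse_addresses(["192.12.33.3", "192.168.10.0/24"]),
                  mfa_outside=True)
    for ip, anywhere in [("192.168.10.77", False), ("203.0.113.5", False),
                         ("203.0.113.5", True)]:
        print(ip, anywhere, fw.decide(ip, anywhere))
```

Because the per-user flag is only consulted by decide(), an active session is unaffected when the flag is later cleared, which is why the page directs administrators to Terminate Session as well.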
The firewall can also be configured from the command line using the toolbox firewall command.
It can take up to 5 minutes for changes to take effect.
Multifactor authentication
Multifactor authentication can be via a one-time code sent to the user's preferred email address, or using a Time-based one-time password (TOTP). The latter can be more convenient, as the user simply enters a code displayed on their mobile device.
Time-based one-time passwords are configured per-user via the TOTP Authentication button in user preferences. This displays a QR code that can be scanned into apps that support TOTP.
TOTP apps
The following apps can be used to manage Time-based one-time passwords:
A more comprehensive list can be found at this Wikipedia page.
Tomcat Configuration
If OpenVPMS is hosted behind a proxy or load balancer, Tomcat needs to be configured to pass the correct client IP addresses through.
This is done by adding a RemoteIpValve valve to Tomcat's server.xml. E.g., if the proxy/load balancer passes the address in the X-Forwarded-For header, it is simply a matter of adding the following Valve element to the <Host> element.
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    <!-- Added valve: take the client address from X-Forwarded-For and the
         scheme from X-Forwarded-Proto, so OpenVPMS sees the real client -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto"
           protocolHeaderHttpsValue="https" />
</Host>
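RemoteIpValve only honours the header when the connection comes from a proxy it trusts (its internalProxies setting, which by default covers private, loopback and link-local ranges, plus any trustedProxies configured), which is what stops a client from forging X-Forwarded-For to get past an IP-based firewall. The following Python is an added re-implementation of that rule for illustration, not Tomcat's code; the proxy ranges and sample addresses are constructed, and the carrier-grade NAT range in newer Tomcat defaults is omitted.

```python
import ipaddress

# Approximation of RemoteIpValve's default internalProxies: private,
# loopback and link-local ranges (constructed list for this illustration).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128")]


def _matches(ip, networks):
    """True if ip parses and falls inside one of the networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in networks)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies=()):
    """Return the address the application should treat as the client.

    The header is used only when the direct peer (remote_addr) is an internal
    or trusted proxy. The comma-separated list is then walked right to left:
    proxy addresses are skipped and the first other address is the client.
    A header arriving from an untrusted peer is ignored, so a client cannot
    choose its own address; a header that lists only proxies leaves the
    peer address in place."""
    trusted = INTERNAL_PROXIES + [ipaddress.ip_network(p) for p in trusted_proxies]
    if not x_forwarded_for or not _matches(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _matches(hop, trusted):
            return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header value)
    samples = [
        ("10.0.0.5", "203.0.113.7"),                 # header from the proxy
        ("203.0.113.9", "192.12.33.3"),              # forged header, no proxy
        ("10.0.0.5", "192.12.33.3, 203.0.113.7"),    # client prepended a fake hop
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```

Because the right-most untrusted address wins, a client that prepends a permitted address to its own request still resolves to the address the proxy appended, so the firewall's address list cannot be bypassed that way. If the proxy sits on a public address, it must be named in trustedProxies (or internalProxies) or the valve will ignore its header entirely.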