
I would like to allow only my Bluemix app to access my Secure Gateway client. I used the "Access control list" with the following command.

acl allow sampleapp.mybluemix.net

  • sampleapp.mybluemix.net is my Bluemix app's FQDN

But I got an HTTP 503 error when I executed the trx. The Secure Gateway Client's log said "Connection #X to destination X.X.X.X:XXX refused due to Access Control List"


Which hostname:port of the Bluemix app should be set in the acl of the Secure Gateway Client?

Secure Gateway client interactive command-line interface https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009

shimac-jp

1 Answer


The hostname to use on the access control list (ACL) allow should be the actual hostname of where the on-premises application is running, not what is trying to access it. Remember that the ACL, if allow is used, is mutually exclusive, so it will prevent all other connections that are not part of an allow ACL.

doktoroblivion
  • Thank you for your answer. How can I know the hostname:port where my Bluemix application (Liberty or Node.js) is actually running? I can't find it in the Bluemix application console. – shimac-jp Jun 27 '15 at 07:48
  • For nodejs the application could use the following: `var os = require("os");` `os.hostname();` – doktoroblivion Jun 28 '15 at 21:18
  • I would first try and use the hostname you got back from creating the gateway destination. This can be found in the destination view in the console. – doktoroblivion Jun 28 '15 at 21:28
  • Per our conversation, add the two hostnames:port to the ACL and your access should work while restricting access to all other clients. – doktoroblivion Jun 29 '15 at 16:01
  • The Secure Gateway Client ACL seems only to restrict the backend resources which the SG Client accesses, not the source applications which access the destinations. I may not have understood the ACL correctly. So I close this Q&A. – shimac-jp Jul 09 '15 at 06:55
  • shimac, you are correct, ACLs control access to the on-premises resources via IP:port, acl allow is mutually exclusive, acl deny is specific to one setting. We are coming out soon with a private endpoint which will close the access on the cloud side. Hope this helps. – doktoroblivion Jul 10 '15 at 14:59
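As an added illustration of the semantics the answer and comments describe (this is a constructed model, not IBM's Secure Gateway client code), the following Python script evaluates `acl allow` / `acl deny` entries against the on-premises destination a connection is headed for, never against the cloud application that originated it. It shows why the original `acl allow sampleapp.mybluemix.net` entry refuses everything: once any allow exists, only allowed destinations pass, and the Bluemix FQDN is never a destination. Hostnames, ports, the host-only-matches-any-port rule and the default used when no allow entry exists are assumptions for the example.

```python
"""Model of the Secure Gateway client ACL semantics as described in the
answer: the ACL is matched against the on-premises destination host:port,
'acl allow' is mutually exclusive (anything not allowed is refused) and
'acl deny' refuses one specific entry. Constructed example, not the
vendor's implementation."""
from dataclasses import dataclass, field


@dataclass
class Acl:
    allow: set = field(default_factory=set)   # "host" or "host:port" entries
    deny: set = field(default_factory=set)
    # Assumption for this model: with no allow entry present, connections pass.
    # The real client's default is not stated on the page; check its docs.
    default_allow: bool = True

    def command(self, line: str) -> None:
        """Parse an interactive CLI line such as 'acl allow db.internal:3306'."""
        parts = line.split()
        if len(parts) != 3 or parts[0] != "acl" or parts[1] not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACL command: {line!r}")
        getattr(self, parts[1]).add(parts[2])

    @staticmethod
    def _matches(entries: set, host: str, port: int) -> bool:
        # Assumption: a host-only entry covers every port on that host.
        return host in entries or f"{host}:{port}" in entries

    def permits(self, dest_host: str, dest_port: int) -> bool:
        """Decide whether the client may open a connection to the destination."""
        if self._matches(self.deny, dest_host, dest_port):
            return False                      # deny is specific to one setting
        if self.allow:                        # allow is mutually exclusive
            return self._matches(self.allow, dest_host, dest_port)
        return self.default_allow


def log_line(acl: Acl, dest_host: str, dest_port: int) -> str:
    """Render the decision in the wording the client log uses."""
    if acl.permits(dest_host, dest_port):
        return f"Connection to destination {dest_host}:{dest_port} allowed"
    return f"Connection to destination {dest_host}:{dest_port} refused due to Access Control List"


if __name__ == "__main__":
    acl = Acl()
    acl.command("acl allow sampleapp.mybluemix.net")     # the question's entry
    print(log_line(acl, "db.onprem.example", 3306))     # refused: not a destination
    acl.command("acl allow db.onprem.example:3306")     # the answer's advice
    print(log_line(acl, "db.onprem.example", 3306))     # allowed
```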