BBB Api Security - IP address restriction


Mesut ÇAKIR

Jun 27, 2020, 6:02:15 AM
to BigBlueButton-dev
Hello there,

The API seems to be unsafe in BBB. I think the API should not be open to outside calls. My solution for this is to allow access only from certain server groups with an IP address restriction.

I couldn't find a document, blog or tutorial for IP-based restriction of calls to https://bbb.example.com/bigbluebutton/api.

If anyone knows of one, I would appreciate a pointer.

Jibon Costa

Jun 27, 2020, 2:33:31 PM
to BigBlueButton-dev
BBB handles the API in a very secure way. To pass the security check you need to follow a strict procedure. As long as your salt is secure and secret, I don't think it should be easy for anyone to get access. I don't think it's necessary to do IP-based restriction.

basisbit

Jun 30, 2020, 12:07:55 PM
to BigBlueButton-dev
For attack surface reduction, you can use nginx to only allow certain IP addresses to access the BBB API by changing the nginx config. See https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/

Limiting exposure of publicly accessible interfaces is always desirable and will make it harder for attackers to break your system, especially because BBB API access is only limited by the API secret+salt.

Once you get this working on your system, please consider creating a pull request at https://github.com/bigbluebutton/bigbluebutton.github.io/ to add this to the public BBB documentation.

Best regards,
basisbit

sd...@distancelearning.cloud

Jun 30, 2020, 1:30:56 PM
to bigblueb...@googlegroups.com

Blocking create calls and getRecordings calls to whitelisted front ends is the easier of the tasks. bbb-web could manage this.

The issue is that the join calls from all the user web clients come from unique IP addresses.

Regards,
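
One way to apply the split described in this thread with nginx's access module (an added example, not from the thread, the linked nginx guide, or the BBB project's own shipped config): the server-to-server calls named above, create and getRecordings, are allowed only from a whitelisted front-end address, while join, which arrives from every user's browser, stays reachable and is protected by the checksum alone. The bbb-web upstream address and the front-end IP are assumptions.

```nginx
# Added example (not BBB's shipped config): restrict the API calls that
# only front ends make (create, getRecordings) to known front-end IPs,
# but keep join open, since join requests come from each user's browser.
# Assumptions: bbb-web listens on 127.0.0.1:8090 and the trusted front end
# is 203.0.113.10 (both constructed placeholders, adjust for your setup).

# Front-end-only calls: regex locations take precedence over the prefix
# location below, so these are matched first. Whitelist, then deny the rest.
location ~ ^/bigbluebutton/api/(create|getRecordings)$ {
    allow 203.0.113.10;      # trusted front end (placeholder)
    allow 127.0.0.1;         # local tooling on the BBB server itself
    deny  all;               # everyone else gets 403 before bbb-web sees it

    proxy_pass http://127.0.0.1:8090;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# Every other API call (join, etc.) remains open to any address and is
# protected only by the checksum computed from the shared secret.
location /bigbluebutton/api/ {
    proxy_pass http://127.0.0.1:8090;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

If a load balancer or another proxy sits in front of nginx, allow/deny sees that proxy's address rather than the caller's; configure set_real_ip_from and real_ip_header (ngx_http_realip_module) for the trusted proxy before relying on this filter.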


sd...@distancelearning.cloud

Jun 30, 2020, 1:36:41 PM
to bigblueb...@googlegroups.com