In the restmap.conf file, you can specify acceptFrom to limit access to Splunk REST API endpoints to specific IPs. By default (and if unspecified), acceptFrom is * allowing access from all IP addresses. Is there a way to change this default for all Splunk REST API endpoints? I'd like to more tightly control access to these APIs, and defaulting open requires more effort to lockdown and makes it more likely to result in unintentionally leaving an API open. Thanks.
Thank you for the suggestion. That was a good idea. I tested it out, but unfortunately it doesn't work for my specific situation. Using acceptFrom in server.conf for [httpServer], I was able to successfully limit what IPs could use the REST API. But when I used restmap.conf to try to override the fail closed policy for a specific API endpoint with acceptFrom=*, it still rejected connections from non-whitelisted IP addresses. I ultimately need something that allows me to override that more restrictive default policy with a less restrictive but endpoint-specific policy.
Thanks for the idea.
Ah, yeah, that won't possible with that approach.
You could try and put
acceptFrom = whatever
in the restmap.conf, and just override in your own use case with a more specific stanza. You could also try putting that in a [default] stanza instead of global.
Its not explicitly mentioned in the doc, but sometimes things still work.
If you try this, please let us know if it worked!
I had previously tried [general], [.], [*], and . None of those worked. I hadn't thought of global or default, good idea. Global was a no go, but [default] worked. Great call on that and thank you!
Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.
So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:
To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).
Thanks again xpac!