cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Limit API Token to a specific IP Address

Mike shared this idea 4 years ago
Pre-Release

As a server administrator, I would like to limit each WHM API Token to a specific IP address. This would be a very useful security feature.

Best Answer
photo

Howdy folks!

I'm excited to share with you that we've added this feature to WHM's Manage API Tokens interface for v98!

You will be able to Add, Edit, and Remove IP addresses or IP ranges to any existing and new WHM API tokens. When editing or generating a new API token, you will find a new field "Whitelisted IPs," in which you can input up to 100 entries of IP addresses and IP ranges (in CIDR format). You can separate each entry with commas, new lines, or any whitespace character, so if you happen to have a big list, copy and paste will be your friend! On the List API Tokens interface, there is a new column in this table that will display the first 5 entries you've inputted into the "Whitelisted IPs" field, so you will be able to see your entries at a glance if you have many API tokens.

Limitations:

1.) The IP ranges feature is only available for WHM API tokens.

2.) Only IPv4 is supported.

3.) 100 entries is the limit for this feature.


Please let me know if you have questions or feedback about this. Happy hosting to you!

Comments (4)

photo
1

I agree this would be a good feature, but it would be great if this feature was opt-in / optional. We sometimes use the API from multiple IP's (including IPv4 & IPv6), so being forced to setup an IP whitelist while generating API tokens wouldn't be our preference. I understand it would be very useful or important for others though.

photo
1

Would the options to 1) not use a whitelist or 2) use a whitelist and provide one or multiple IP addresses to the whitelist satisfy your concern?

photo
1

Yes, having both options #1 and #2 would be perfect. Alternatively, if whitelisting is mandatory, then having an accept all / wildcard option like "*", "0.0.0.0" or "::0" would also be fine.

photo
2

Keeping it simple - as Kyle S suggests - an API key either has an attached list of permitted CIDR prefixes or operates on an allow-all if none are provided.

photo
photo
1

It's somewhat incredible this wasn't part of the original feature draft. One of the very reasons for being able to use multiple tokens is for increased security through a token for purpose, and restricting that to a specific IP address or subnet goes completely hand-in-hand.

Please consider adding this simple but essential feature.

photo
1

Correct, this should have been a feature implemented into the API Tokens Table from the start. As of right now, the only protection from compromised API keys against WHM Tokens has been third-party firewall ACL solutions. This method restricts and complicates reseller access and is overly complex or nearly impossible to implement for cPanel Tokens.

In regards to security, it is absolutely essential as you have stated. The fact that there has actually been past events from a subsidiary company in which the API tokens for connected servers were exposed through non-sanitized input (a juvenile mistake) adds a significant amount of weight to the request. As cPanel has continued to ignore the security request for years to further restrict the API and has only provided an ineffective ACL restriction solution that they continue to hold in beta demonstrates their unwillingness to develop their product responsibly.

Such a feature combined with the existing ACL privilege permissions would help reduce administrative complexity on our company end, give us additional insight into expanded products where we don't have to compromise security for features as well as promoting confidence that a compromised key could be effectively controlled if released into the wild. Those reasons alone should mark this request as a high-priority development feature.

photo
photo
1

I dont understand why has not been implemented again... I think every admin want to give access just to their IPs to the API... so for each key created should be possible insert ips to whitelist....

photo
2

Howdy folks!

I'm excited to share with you that we've added this feature to WHM's Manage API Tokens interface for v98!

You will be able to Add, Edit, and Remove IP addresses or IP ranges to any existing and new WHM API tokens. When editing or generating a new API token, you will find a new field "Whitelisted IPs," in which you can input up to 100 entries of IP addresses and IP ranges (in CIDR format). You can separate each entry with commas, new lines, or any whitespace character, so if you happen to have a big list, copy and paste will be your friend! On the List API Tokens interface, there is a new column in this table that will display the first 5 entries you've inputted into the "Whitelisted IPs" field, so you will be able to see your entries at a glance if you have many API tokens.

Limitations:

1.) The IP ranges feature is only available for WHM API tokens.

2.) Only IPv4 is supported.

3.) 100 entries is the limit for this feature.


Please let me know if you have questions or feedback about this. Happy hosting to you!

photo
1

Very nice!!


Is there a reason why only IPv4 is supported? If IPv6 can be supported also then it would suit our needs well. Ideally this could be implemented prior to the v98 launch.

photo
1

Hi Kyle,

We made the decision to keep the scope to IPv4 at this time because the majority of our customers use IPv4. In order to serve the most individuals in the timeframe we had available, we were able to prioritize this work with that limited scope.

I do invite you and others to keep sharing feedback, especially about IPv6. Hearing more about how important IPv6 support is to your business will help the Product Development team make decisions to expand the product to fit your needs.

photo
1

2021 and features are still being deployed that don't support v6. And the world wonders why it's desperately short of v4 addresses. C'mon guys, this is a new feature and you've built it without basic IP standards support. There are v6-only services a plenty now, which means they can't use this feature. Yet more fuel to the "I'll adopt v6 when everyone else does" fire. Very disappointed.

photo
Leave a Comment
 
Attach a file