I'm willing to learn, but I have to admit that I do not understand what to do.
What I can do is provide a VPS for testing if needed and of course share what I have. I do own a domain, so it would be possible to play around with DNS etc.
But as already stated, it should be possible to block web services. Even wg-easy is providing a web interface which is accessible from the world.
I checked this and added to mariadb1.yml and wordpress1.yml the following after `http` to see if I get blocked:

```yaml
middlewares:
  test-ipallowlist:
    ipAllowList:
      sourceRange:
        - "127.0.0.1/32"
        - "192.168.1.7"
```

Unfortunately with no success.
I'm not sure if I have to restart the container; anyway, a `podman restart --all` did not have any effect.
OK, I think I got this.
I successfully added "ipAllowList" to several .yml files in /home/traefik1/.config/state/configs.
Please do not do this on a production system!!!
As an example I will post here my
- mariadb1.yml to restrict access to phpmyadmin

```yaml
http:
  middlewares:                          # <-- Add
    pma-ipallowlist:                    # <-- Add
      ipAllowList:                      # <-- Add
        sourceRange:                    # <-- Add
          - "127.0.0.1/32"              # <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"           # <-- Add, here you can add IPs to allow access
  services:
    mariadb1:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:20014
  routers:
    mariadb1-http:
      rule: Path(`/phpmyadmin`) || PathPrefix(`/phpmyadmin/`)
      middlewares:                      # <-- Add
        - pma-ipallowlist               # <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
    mariadb1-https:
      rule: Path(`/pma`) || PathPrefix(`/pma/`)
      middlewares:                      # <-- Add
        - pma-ipallowlist               # <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
      tls: {}
```

I added everything marked with "<-- Add" to the existing config.
A restart of the container was not necessary.
- _api_server.yml to restrict access to cluster-admin

```yaml
http:
  middlewares:                          # <-- Add
    cluster-ipallowlist:                # <-- Add
      ipAllowList:                      # <-- Add
        sourceRange:                    # <-- Add
          - "127.0.0.1/32"              # <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"           # <-- Add, here you can add IPs to allow access
    ApiServer-stripprefix:
      stripPrefix:
        forceSlash: 'false'
        prefixes:
          - /cluster-admin
    ApiServerMw2:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
  routers:
    ApiServer-http:
      entrypoints:
        - http
      middlewares:
        - http2https-redirectscheme
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      priority: '100000'
    ApiServer-https:
      entrypoints:
        - https
      middlewares:
        - cluster-ipallowlist           # <-- Add
        - ApiServerMw2
        - ApiServer-stripprefix
      priority: '100000'
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      tls: {}
  services:
    ApiServer:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:9311
```

I added everything marked with "<-- Add" to the existing config.
A restart of the container was not necessary.
As you can see, the "<-- Add" lines are in different places.
It looks like there is no "one fits all" solution here, but I might be wrong.
The openldap1-amld.yml also has to be modified differently.
Directly after the last "middlewares:" add the following:

```yaml
    uadmin-ipallowlist:
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "xxx.xxx.xxx.xxx"
```

Then look for "middlewares:" in "openldap1-amld-http:" and "openldap1-amld-https:".
Add "- uadmin-ipallowlist" as the first entry.
It seems that "ipAllowList" can be applied to all .yml files where you want to restrict access.
Can someone confirm that this is the right way to do it?
Another thing is that I don't believe this will survive updates, am I right?
Lastly, in my opinion, it would be nice to have something like this in the cluster-admin GUI.
Even when I run NS8 in LAN only, it should be possible to restrict access to certain web services; again, this is my opinion.
Replace /home/traefik1/.config/state/configs/_api_server.yml with this (of course for testing), and whatever is not a private IP is out:

```yaml
http:
  middlewares:
    ApiServer-stripprefix:
      stripPrefix:
        forceSlash: 'false'
        prefixes:
          - /cluster-admin
    ApiServerMw2:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
    IPWhitelist:
      ipWhiteList:
        sourceRange:
          - 10.0.0.0/8        # Add your private IP ranges here
          - 172.16.0.0/12
          - 192.168.0.0/16
  routers:
    ApiServer-http:
      entrypoints:
        - http
      middlewares:
        - http2https-redirectscheme
        - IPWhitelist
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      priority: '100000'
    ApiServer-https:
      entrypoints:
        - https
      middlewares:
        - ApiServerMw2
        - ApiServer-stripprefix
        - IPWhitelist
      priority: '100000'
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      tls: {}
  services:
    ApiServer:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:9311
```

This file is created during the create-module action, so it should not be generated again except on module restoration or module clone.
It works.
I did not change anything.
Access from external (no VPN) to cluster-admin is "Forbidden".
As soon as I start my WireGuard tunnel on the client (local IP: 10.8.0.2/24) I can access cluster-admin.
One question: shouldn't it be ipAllowList?
Yes, it should.
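To make the two points of this thread checkable offline (the "is there a one-fits-all way to add this to every .yml" question, and the test above where a public client gets "Forbidden" while a WireGuard client at 10.8.0.2 gets through), here is an added example that is not code from the thread, from NS8 or from Traefik. It mirrors the decision an ipAllowList middleware makes for a client address, injects one such middleware into a parsed dynamic config and puts it first on every router, and then evaluates a router against a few addresses. The function names, the SAMPLE_CONFIG dict (a stripped-down _api_server.yml) and the test addresses are assumptions for this example; reading and writing the real YAML files (for instance with PyYAML) is left out so the block runs on the standard library alone. One caveat the code makes visible: the middleware judges the address Traefik sees on the connection, so an IPv6 client never matches a purely IPv4 list, and the RFC 1918 ranges alone do not admit 127.0.0.1.

```python
"""Added example, not code from the thread, NS8 or Traefik: helpers around
Traefik's ipAllowList middleware (names and sample data are assumptions)."""
import ipaddress
import json
from copy import deepcopy

# Constructed sample: the shape of _api_server.yml as the parsed YAML looks
# before any allowlist is added. http2https-redirectscheme is referenced by
# the http router but, as on a real node, defined in another file.
SAMPLE_CONFIG = {
    "http": {
        "middlewares": {
            "ApiServer-stripprefix": {
                "stripPrefix": {"forceSlash": "false", "prefixes": ["/cluster-admin"]}
            },
            "ApiServerMw2": {
                "redirectRegex": {"regex": "^.*/cluster-admin$", "replacement": "/cluster-admin/"}
            },
        },
        "routers": {
            "ApiServer-http": {
                "entrypoints": ["http"],
                "middlewares": ["http2https-redirectscheme"],
                "rule": "Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)",
                "service": "ApiServer",
            },
            "ApiServer-https": {
                "entrypoints": ["https"],
                "middlewares": ["ApiServerMw2", "ApiServer-stripprefix"],
                "rule": "Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)",
                "service": "ApiServer",
                "tls": {},
            },
        },
        "services": {
            "ApiServer": {"loadBalancer": {"servers": [{"url": "http://127.0.0.1:9311"}]}}
        },
    }
}

# The RFC 1918 ranges used in the second config of the thread.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_source_range(entries):
    """sourceRange entries may be CIDRs or bare addresses; a bare address such
    as "192.168.1.7" matches only itself, i.e. it behaves like a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ip_allowed(client_ip, source_range):
    """Decision of ipAllowList for one client address: allowed iff it falls in
    at least one entry. Address-family mismatches never match, so a purely
    IPv4 list rejects every IPv6 client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_source_range(source_range))


def add_allowlist(config, name, source_range):
    """Return a copy of a parsed dynamic config with middleware `name` defined
    as an ipAllowList and placed first on every router's chain, so a rejected
    client is answered before any redirect or prefix rewrite runs. Idempotent:
    applying it twice neither duplicates the definition nor the chain entry."""
    cfg = deepcopy(config)
    http = cfg.setdefault("http", {})
    http.setdefault("middlewares", {})[name] = {
        "ipAllowList": {"sourceRange": list(source_range)}
    }
    for router in http.get("routers", {}).values():
        chain = router.setdefault("middlewares", [])
        if name not in chain:
            chain.insert(0, name)
    return cfg


def router_allows(config, router_name, client_ip):
    """True if `router_name` would pass `client_ip` through. A middleware that
    is only defined, but not listed under the router's `middlewares`, has no
    effect, which is why adding nothing but the definition blocks nobody."""
    http = config["http"]
    router = http["routers"][router_name]
    for mw_name in router.get("middlewares", []):
        mw = http.get("middlewares", {}).get(mw_name, {})
        # Accept the v3 name and the older ipWhiteList spelling used above.
        spec = mw.get("ipAllowList") or mw.get("ipWhiteList")
        if spec and not ip_allowed(client_ip, spec.get("sourceRange", [])):
            return False
    return True


if __name__ == "__main__":
    guarded = add_allowlist(SAMPLE_CONFIG, "cluster-ipallowlist", PRIVATE_RANGES)
    print(json.dumps(guarded["http"]["routers"]["ApiServer-https"], indent=2))
    for ip in ("10.8.0.2", "203.0.113.7", "127.0.0.1", "::1"):
        verdict = "allowed" if router_allows(guarded, "ApiServer-https", ip) else "Forbidden"
        print(f"{ip:>12} -> {verdict}")
```

Running it prints the https router with `cluster-ipallowlist` first in its chain, then `10.8.0.2 -> allowed` and `Forbidden` for the public address, for 127.0.0.1 (not covered by the three private ranges) and for `::1`. Whether loopback needs to be listed therefore depends on whether anything on the node itself goes through Traefik to reach the service; and if another proxy or tunnel endpoint sits in front of Traefik, the address being judged is that hop's, not the end user's.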
@stephdl how "simple" is it to include this in the web interface?
- Enable/Disable with ipWhitelist for cluster-admin
- for any other app I have built or that has been built into NS8
Could an implementation within the cluster-admin UI be configured to allow selecting the installed app and applying the given config, even if it means manually entering the pod name?
A bit more complicated, because it is a static file; there is no logic to rewrite it on the fly.
The logic would be for the file to be generated by an action; it is a matter of adding this condition to set-route.
However, the way for the next few weeks/months is no more new code but a massive bug hunt.
Let's speak of it later.