How do I prevent the administration page from being accessible from the Internet?

NethServer Version: 8

Hello Developers,

I have now got far enough with my NS 8 installation that I can send my beloved NS 7 into well-deserved retirement.
However, it is giving me a headache that the administration page of NS 8 is also accessible via the Internet when I open port 80 or 443. With NS 7, access was regulated via port 980 or port 9090 (Cockpit). Is there a similar option for NS 8 without having to make major changes to the existing infrastructure?

Regards…

Uwe


:warning: This solution is obsolete. See comment:

There can be many ways to achieve it.

The first one I’d try is restricting the /cluster-admin HTTP path to some trusted IPs. For example, the list of loopback and private networks.

Enter the environment of traefik1

runagent -m traefik1

Create a file, _custom_middlewares.yml with the following contents:

http:
  middlewares:
    MwTrustedNetworks:
      IPAllowList:
        sourceRange:
          - "127.0.0.0/8"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

Edit _api_server.yml, and add the custom middleware to the builtin cluster-admin HTTP router:

diff --git a/_api_server.yml.orig b/_api_server.yml
index 5628491..0160ece 100644
--- a/_api_server.yml.orig
+++ b/_api_server.yml
@@ -22,6 +22,7 @@ http:
       entrypoints:
       - https
       middlewares:
+      - MwTrustedNetworks
       - ApiServerMw2
       - ApiServer-stripprefix
       priority: '100000'
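Review bot: the new middleware is listed first, so the allow-list check runs before `ApiServerMw2` and `ApiServer-stripprefix` and an untrusted client is rejected before the API is touched; keep that order if the list is edited again. Two caveats belong next to this hunk: the `sourceRange` list is matched against the TCP peer address unless an `ipStrategy` is configured on the middleware, so if this host sits behind NAT or another proxy that forwards from a private address, every Internet client will appear to come from that private address and the list admits all of them; and the list covers the whole RFC 1918 space, so on a hosted VM whose provider network uses those ranges it should be narrowed to the actual management LAN. It is also worth stating that `_api_server.yml` is generated by the module, so the added `- MwTrustedNetworks` line has to be re-checked after a Traefik module update.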

More information: IPAllowList - Traefik HTTP Middlewares (Traefik documentation)

The custom middleware can be referenced from other HTTP routes as wanted.

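The post above relies on two things an admin will want to verify before exposing port 443: which address Traefik actually compares against sourceRange, and whether the router still references the middleware. The following is an added example, not NethServer or Traefik code: it models the documented IPAllowList decision rule (sourceRange tested against RemoteAddr, or against the X-Forwarded-For entry selected by ipStrategy.depth when that is set) using only the Python standard library, and adds a line-based check for the router file so it can run inside the traefik1 environment without PyYAML. The request samples and the router snippet are constructed for the demonstration; the middleware and router names are the ones used in this thread.

```python
"""Offline model of a Traefik IPAllowList decision plus a config check.

Added example, not Traefik's or NethServer's code. It reimplements the
documented rule: sourceRange is matched against the TCP peer address unless
ipStrategy.depth selects an X-Forwarded-For entry. Sample inputs below are
constructed for the demonstration.
"""
import ipaddress

# The sourceRange list from the post's _custom_middlewares.yml.
TRUSTED_NETWORKS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed router fragment mirroring the diff in the post (plus a second
# router to show the check is scoped to one router block).
ROUTER_SNIPPET = """\
http:
  routers:
    ApiServer-https:
      entrypoints:
      - https
      middlewares:
      - MwTrustedNetworks
      - ApiServerMw2
      - ApiServer-stripprefix
      priority: '100000'
    OtherRouter:
      middlewares:
      - ApiServerMw2
"""


def client_ip(remote_addr, x_forwarded_for="", depth=0):
    """Return the address Traefik tests against sourceRange.

    depth == 0 (no ipStrategy configured): the TCP peer address is used and
    X-Forwarded-For is ignored, so a client cannot spoof its way in.
    depth >= 1: the header is trusted and the entry `depth` positions from
    the right is used (1 == the address the last proxy appended). Fewer
    entries than depth means nothing to match, which is a deny.
    """
    if depth == 0:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if len(hops) < depth:
        return None
    return hops[-depth]


def allowed(ip, source_range=TRUSTED_NETWORKS):
    """True if ip falls inside any network of source_range."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in source_range)


def decide(remote_addr, x_forwarded_for="", depth=0, source_range=TRUSTED_NETWORKS):
    """Return (status, ip_tested): 200 continues the chain, 403 rejects."""
    ip = client_ip(remote_addr, x_forwarded_for, depth)
    return (200 if allowed(ip, source_range) else 403), ip


def router_lists_middleware(config_text, router, middleware):
    """True if the YAML block for `router` names `middleware` in its list.

    Deliberately line-based: find the `<router>:` key, then scan lines that
    are indented deeper than it for `- <middleware>`. Good enough to detect
    that a module update regenerated the file without the custom entry.
    """
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != f"{router}:":
            continue
        indent = len(line) - len(line.lstrip())
        for body in lines[i + 1:]:
            if body.strip() and (len(body) - len(body.lstrip())) <= indent:
                break  # left the router block
            if body.strip() == f"- {middleware}":
                return True
    return False


if __name__ == "__main__":
    print(decide("10.1.2.3"))                                 # LAN client: admitted
    print(decide("203.0.113.5"))                              # Internet client: rejected
    print(decide("203.0.113.5", "10.0.0.1"))                  # spoofed XFF ignored at depth 0
    print(decide("192.168.1.1", "203.0.113.5"))               # behind NAT, depth 0: everyone admitted!
    print(decide("192.168.1.1", "203.0.113.5", depth=1))      # same with depth 1: rejected
    print(router_lists_middleware(ROUTER_SNIPPET, "ApiServer-https", "MwTrustedNetworks"))
```

The fourth call is the case to watch for: when Traefik sees a private upstream address (a NAT router or another reverse proxy) as the peer, the whole Internet matches "192.168.0.0/16" and the restriction is silently void; only an ipStrategy that reads the proxy's X-Forwarded-For entry fixes that, and only if the proxy is the sole path to port 443. Running router_lists_middleware against configs/_api_server.yml after each core update turns the manual re-check described later in the thread into one command.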

Thank you @davidep. I will try it.

I also did this with several .yml files, e.g. in mariadb1.yml to restrict access to /phpmyadmin.
It works. Thanks for that.
Does this survive updates?

:grimacing: I don’t know: tests are welcome!

It’s probably a little bit tricky. Somehow I must be on the wrong path.
Can someone give me the individual commands?


Login as traefik1:

runagent -m traefik1

Create the file _custom_middlewares.yml using nano:

nano configs/_custom_middlewares.yml

Edit the file _api_server.yml using nano:

nano configs/_api_server.yml


Now it works. Thank you very much.


Hi @davidep

Apparently the last core update overwrites the _api_server.yml file again. You simply have to re-enter the entry “- MwTrustedNetworks”. Unattractive, but doable.

Have fun…

Uwe


Hi @davidep and Friends of Nethserver,

after the current core update, the settings in _api_server.yml file are no longer overwritten. It is no longer necessary to make a subsequent correction.

Regards…

Uwe

Probably because this round Traefik isn’t part of the update. I suppose the _api_server.yml configuration is overwritten by Traefik module updates.

May be… :unamused:

@davidep is there any way to make this change persistent or even configurable in the UI?

It is not very favourable to have to re-check this with every core update; the probability is far too high that it gets forgotten and silently opens up access again.

@jaywalker

Fortunately, this does not happen after every core update. It always happens when Traefik is updated at the same time.


It’s March 21, 2025.
New installation of NS8 on March 19, Rocky 9.5 + core update (traefik 3.3.4).
On March 19 or 20 there was an update to traefik 3.3.4;
now configs/_api_server.yml does not exist.
Where should I add “- MwTrustedNetworks” now?
I searched for ‘ApiServer-https’ but only got:

[traefik1@mail2 state]$ grep -rnwi /home/traefik1 -e 'ApiServer-https'
/home/traefik1/.config/bin/redis2yml:93:routers.pop('ApiServer-https', None)

In my older Installation I get:

[traefik1@ns8-test state]$ grep -rnwi /home/traefik1 -e 'ApiServer-https'
/home/traefik1/.config/configs/_api_server.yml:21: ApiServer-https:
/home/traefik1/actions/create-module/50create:21: ApiServer-https:

Since Traefik 3, the _api_server.yml file has been migrated to the cluster-admin route: you can limit access to some IPs/networks from the HTTP routes page.

Read carefully the manual note about recovering from lockouts :warning:


Thank you,
so I added networks to “Restric access from” and luckily did not lock myself out :grinning:

127.0.0.0/8
10.0.0.0/8
192.168.1.0/24 (local LAN)

Just saw there’s a typo in the UI; it should probably read “Restrict”.
Regards
Uwe
