NethServer Version: 8
Hello Developers,
I am now actually so far with my NS 8 installation that I can send my beloved NS 7 into well-deserved retirement.
However, it is giving me a headache that the administration page of NS 8 is also accessible via the Internet when I open port 80 or 443. With NS 7, access was regulated via port 980 or port 9090 (Cockpit). Is there a similar option for NS 8 without having to make major changes to the existing infrastructure?
Regards…
Uwe
There can be many ways to achieve it.
The first one I’d try is restricting the /cluster-admin HTTP path to some trusted IPs. For example, the list of loopback and private networks.
Enter the environment of traefik1
runagent -m traefik1
Create a file, _custom_middlewares.yml with the following contents:
http:
middlewares:
MwTrustedNetworks:
IPAllowList:
sourceRange:
- "127.0.0.0/8"
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
Edit _api_server.yml, and add the custom middleware to the builtin cluster-admin HTTP router:
diff --git a/_api_server.yml.orig b/_api_server.yml
index 5628491..0160ece 100644
--- a/_api_server.yml.orig
+++ b/_api_server.yml
@@ -22,6 +22,7 @@ http:
entrypoints:
- https
middlewares:
+ - MwTrustedNetworks
- ApiServerMw2
- ApiServer-stripprefix
priority: '100000'
More information Traefik HTTP Middlewares IPAllowList - Traefik
The custom middleware can be referenced from other HTTP routes as wanted.
I did this also with several .yml files, e.g. in mariadb1.yml to restrict access to /phpmyadmin.
It works. Thanks for that.
Is this surviving updates ?
I don’t know: tests are welcome!
It’s probably a little bit tricky. Somehow I must be on the wrong path.
Can someone give me the individual commands?
Login as traefik1:
runagent -m traefik1
Create file _custom_middlewares.ym using nano:
nano configs/_custom_middlewares.yml
Edit the file _api_server.yml using nano:
nano configs/_api_server.yml
Now it works. Thank you very much.