How do I prevent the administration page from being accessible from the Internet?

NethServer Version: 8

Hello Developers,

I am now actually so far with my NS 8 installation that I can send my beloved NS 7 into well-deserved retirement.
However, it is giving me a headache that the administration page of NS 8 is also accessible via the Internet when I open port 80 or 443. With NS 7, access was regulated via port 980 or port 9090 (Cockpit). Is there a similar option for NS 8 without having to make major changes to the existing infrastructure?

Regards…

Uwe

2 Likes

There can be many ways to achieve it.

The first one I’d try is restricting the /cluster-admin HTTP path to some trusted IPs. For example, the list of loopback and private networks.

Enter the environment of traefik1

runagent -m traefik1

Create a file, _custom_middlewares.yml with the following contents:

http:
  middlewares:
    MwTrustedNetworks:
      IPAllowList:
        sourceRange:
          - "127.0.0.0/8"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

Edit _api_server.yml, and add the custom middleware to the builtin cluster-admin HTTP router:

diff --git a/_api_server.yml.orig b/_api_server.yml
index 5628491..0160ece 100644
--- a/_api_server.yml.orig
+++ b/_api_server.yml
@@ -22,6 +22,7 @@ http:
       entrypoints:
       - https
       middlewares:
+      - MwTrustedNetworks
       - ApiServerMw2
       - ApiServer-stripprefix
       priority: '100000'

More information Traefik HTTP Middlewares IPAllowList - Traefik

The custom middleware can be referenced from other HTTP routes as wanted.

5 Likes

Thank you @davidep. I will try it.

I did this also with several .yml files, e.g. in mariadb1.yml to restrict access to /phpmyadmin.
It works. Thanks for that.
Is this surviving updates ?

:grimacing: I don’t know: tests are welcome!

It’s probably a little bit tricky. Somehow I must be on the wrong path.
Can someone give me the individual commands?

Screenshot 2024-04-27 174737

Login as traefik1:

runagent -m traefik1

Create file _custom_middlewares.ym using nano:

nano configs/_custom_middlewares.yml

Edit the file _api_server.yml using nano:

nano configs/_api_server.yml

3 Likes

Now it works. Thank you very much.

1 Like

Hi @davidep

Apparently the last core update overwrites the _api_server.yml file again. You simply have to reset the entry - MwTrustedNetworks. Unattractive, but doable.

Have fun…

Uwe

2 Likes