Hello,
I’ve got a question regarding access to a /cluster-admin of my newly upgraded NS8 server.
FQDN of my leader node is set to “myserver-ns8” on “mydomain.cz”. I can access https://myserver-ns8.mydomain.cz/cluster-admin without problems.
Further I have installed mail and SOGo applications (both working without problems). Mail server hostname is “myserver.mydomain.cz”, SOGo FQDN is “sogo.mydomain.cz”.
I have set “myserver.mydomain.cz” and “sogo.mydomain.cz” as a public DNS record.
“myserver-ns8.mydomain.cz” is set just in local intranet DNS, because my intention was to block access to cluster administration from outside (on NS7 I used to block respective ports on router firewall).
Neverthless, I am able to access cluster adminstration also from this (publicly available) link https://myserver.mydomain.cz/cluster-admin.
Is it possible to restrict it, so the cluster admin interface is available just from https://myserver-ns8.mydomain.cz/cluster-admin (and / or https://ip-address/cluster-admin) ?
Thank you
Here are instructions to restrict the cluster-admin access:
Is this only restricting the acces from HTTP ?
From HTTPS would also be nice. Is this possible ?
Thank you @mrmarkuz, i will look at that.
If I understand well, it is an expected behaviour and it is not possible to restrict it from the webgui (I have tried to redirect https://myserver.mydomain.cz/cluster-admin to something else in HTTP routes, but without success).
AFAIK, After passing Traefik, it’s ALL only http. Traefik is the daemon adding or removing the ssl encryption…
My 2 cents
Andy
On the contrary, the cluster-admin route redirects to HTTPS.
I’m implementing a backend action. It is the first step to have an UI in the future.
True, but you are free to decide if the backend/upstream connection is encrypted or not, from the UI of manual route definition.
I need to update the manual page at Proxy — NS8 documentation
That was already true in NS7…
My 2 cents
Andy
Maybe i doing something wrong but it is still accessible from the outside.
Can i be that the domain is a reverse-proxy by Nethsecurity ?
Yes, I’m addressing this scenario too.