NS8 cluster-admin access

daz · February 17, 2025, 8:52am

Hello,
I’ve got a question regarding access to a /cluster-admin of my newly upgraded NS8 server.
FQDN of my leader node is set to “myserver-ns8” on “mydomain.cz”. I can access https://myserver-ns8.mydomain.cz/cluster-admin without problems.
Further I have installed mail and SOGo applications (both working without problems). Mail server hostname is “myserver.mydomain.cz”, SOGo FQDN is “sogo.mydomain.cz”.
I have set “myserver.mydomain.cz” and “sogo.mydomain.cz” as a public DNS record.
“myserver-ns8.mydomain.cz” is set just in local intranet DNS, because my intention was to block access to cluster administration from outside (on NS7 I used to block respective ports on router firewall).
Neverthless, I am able to access cluster adminstration also from this (publicly available) link https://myserver.mydomain.cz/cluster-admin.
Is it possible to restrict it, so the cluster admin interface is available just from https://myserver-ns8.mydomain.cz/cluster-admin (and / or https://ip-address/cluster-admin) ?
Thank you

mrmarkuz · February 17, 2025, 9:06am

Here are instructions to restrict the cluster-admin access:

MadPatrick · February 17, 2025, 9:48am

Is this only restricting the acces from HTTP ?
From HTTPS would also be nice. Is this possible ?

daz · February 17, 2025, 10:00am

Thank you @mrmarkuz, i will look at that.
If I understand well, it is an expected behaviour and it is not possible to restrict it from the webgui (I have tried to redirect https://myserver.mydomain.cz/cluster-admin to something else in HTTP routes, but without success).

Andy_Wismer · February 17, 2025, 10:00am

AFAIK, After passing Traefik, it’s ALL only http. Traefik is the daemon adding or removing the ssl encryption…

My 2 cents
Andy

davidep · February 18, 2025, 7:46am

On the contrary, the cluster-admin route redirects to HTTPS.

I’m implementing a backend action. It is the first step to have an UI in the future.

True, but you are free to decide if the backend/upstream connection is encrypted or not, from the UI of manual route definition.

I need to update the manual page at Proxy — NS8 documentation

Andy_Wismer · February 18, 2025, 7:48am

That was already true in NS7…

My 2 cents
Andy

MadPatrick · February 18, 2025, 8:38am

Maybe i doing something wrong but it is still accessible from the outside.
Can i be that the domain is a reverse-proxy by Nethsecurity ?

davidep · February 18, 2025, 8:47am

Yes, I’m addressing this scenario too.