NS8 on VPS - restrict access to webservices

Maybe this is a little bit out of the scope from the original question.
I’m playing around with Ns8, installed it on a VPS (Hetzner), installation and config went very well.
In this scenario I have one public IP.
With port 80 and 443 open every webservice is accessible from everywhere (e.g. cluster-admin, phpmyadmin etc).
Is it safe to leave it like this?

I know Ns8 has no full blown firewall. Still there is firewalld.

If phpmyadmin (or cluster-admin) would run on a different port, a simple firewall-cmd could do the trick and restrict access to these webservices without having a different box in front of Ns8.
What I found out so far is that in the file /home/traefik1/.config/state/traefik.yaml you can change port 80 and 443 to e.g. 8080 and 4443 (please do not do this on a production system).
Then run a firewall-cmd to allow e.g. 4443 and all webservices are available with e.g. https://ip_or_FQDN:4443/phpmyadmin.
Of course this means ALL webservices like wordpress etc.
Also this will break the possibility to get Let’s Encrypt certs, add an additional node etc.
On the other hand, with port 80 and 443 being free, I could install e.g. nginx proxy manager on the OS (even as podman) and use it as a reverse proxy.
In this case, at least Let’s Encrypt would work again and access could be restricted (at least I know how to do it with nginx proxy manager).

Maybe I’m missing something and it can be done with Traefik.
I searched the forum, read the docs but could not find anything to restrict access to certain webservices.

Still the question remains: Is it safe to leave /cluster-admin, /phpmyadmin, /users-admin open to the world if you install Ns8 on a VPS?

2 Likes

Hi and welcome!

Indeed, and it should be possible to close off the ports. Here is an example of some snippets where we change the default ssh port 1022 to 2222. Also see the documentation and simply ask like you are doing now :-)

See this thread

I am sure others will jump in.

Again, welcome and enjoy!

Hello @mz05er and welcome to the Nethserver community

@stephdl Making use of the condition parameter that you used for the new Mattermost App on Nethserver 8, that allows you to disable or enable a specific container based on a given Env variable,

Couldn't we implement an ENABLE_PUBLIC = 0

On some of the sensitive Containers of an App in Nethserver and Implement a UI toggle Switch for this functionality?

Wouldn’t this work in this regards for things like PHPMyAdmin, PHPgAdmin, etc?

What do you think @davidep on this a core implementation for the purpose of enabling and disabling specific Web Access for Apps. Wouldn’t this end this question and present the solution?

that was the good old time mate, we restricted the use of a web application via apache

allow from xxx.xxx.xxx.xxx.

we need to implement Traefik HTTP Middlewares IPWhiteList - Traefik

1 Like

Thank you all for the welcome and quick response.
I’m impressed.

Yes, this is what I mean. Unfortunately IPWhiteList is deprecated as per Traefik docs.
The docs refer to IPAllowList (sorry, I don’t want to be petty).

I wasn't talking in the case of apache in this case.

I was talking about not starting the container altogether if the parameter value for the variable is set to false.

therefore, no need for the Traefik IPWhiteList.

however, that would also be useful for allowing public and localhost as well.

  1. Not starting container
  2. Starting container no restrictions (default)
  3. Starting container WITH restriction
    a) NO user access at all (WAN and LAN)
    b) LAN access, WAN no access
    c) WAN access, LAN no access
  4. Change mode and restart running container

sorry @oneitonitram but the topic of this thread is to restrict some services to be reachable from the internet

if your proposal works for the use case, well and good.

Note that his VPS in its entirety is hosted on the internet in the cloud.
Chances of blocking access entirely are high in that scenario

if it will disable access to that specific service, then by all means sure thing.

Just something to consider.

what I am doing on my NS7 somewhere in the internet: I disable some services that are well known by the bad guys to be opened from public IP, and I connect to my server with a vpn service to get a local IP. Like this I can use my services that I do not want to be opened to bad guys

What we miss here is a VPN running on the NS8

Like I stated it was the good old time mates

Things are different but we could imagine to run a vpn server on the NS8 too

1 Like

This has been my most requested Feature and Service since day 1. I hope it comes soon, or value for it is seen.

HEY, we can also have the good new days you know…

This is definitely required, and is not even a Joke.

2 Likes

Wireguard ? it is already available. Still https/443 and everything behind it is open for everyone.

We need clients to connect on Windows or Linux

1 Like

would be very interesting.

Just a client where we add the master node join key and everything just works…

Wireguard seems cross platform

By playing around and with the help of this

I did the following:

  1. Installed nginx on my Rocky Linux. No docker or podman. Just dnf install nginx.
  2. Configured nginx to listen on port 8080 and 1443, self-signed certs, vhost and proxy pass.
  3. Run the command firewall-cmd --add-forward-port=port=443:proto=tcp:toport=1443
    and firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

So far everything is working. No errors in cluster-admin on the Ns8.

Here 2 examples for a nginx file.

cluster-admin.conf with web socket support:


server {
    listen [::]:1443 ssl;
    listen 1443 ssl;
    server_name your_FQDN;  #e.g. ns8.your.domain
    error_log /var/log/nginx/wp.error.log;
    access_log /var/log/nginx/wp.access.log;
    log_not_found off;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
        # only the listed source address may reach this vhost, everything else gets 403
        allow xxx.xxx.xxx.xxx;
        deny all;
        # hand the request to Traefik, which still listens on 443 on localhost
        proxy_pass https://127.0.0.1:443;
        proxy_http_version 1.1;
        # pass the original host name and client address on to Traefik
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # web socket support for cluster-admin
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

and for phpmyadmin.conf:


server {
    listen [::]:1443 ssl;
    listen 1443 ssl;
    server_name your_FQDN; #e.g. phpmyadmin.your.domain
    error_log /var/log/nginx/wp.error.log;
    access_log /var/log/nginx/wp.access.log;
    log_not_found off;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
        # only the listed source address may reach this vhost, everything else gets 403
        allow xxx.xxx.xxx.xxx;
        deny all;
        # phpmyadmin backend port as published by the Ns8 module
        proxy_pass http://127.0.0.1:20014;
        # the nginx package on Rocky Linux does not ship /etc/nginx/proxy_params,
        # so the headers it would set are listed explicitly
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

With this config i can restrict access to certain web services because of the allow and deny.

nginx Let’s Encrypt should be possible too, with certbot.
I’m testing further but so far it seems to work.

1 Like

Yes, i’m using it very often. Win, Mac and Linux clients are available.
It is easy to setup and very fast.

Hi @ all,

this is exactly the reason why I currently only use NS8 as a file server with Samba AD and continue to run NS 7 for the web services. Even if its end is foreseeable…
I don’t want the cluster admin page and other services to be “bare assed” on the Internet and be attacked by script kids.

Regards

Uwe

We do not need nginx or apache to only allow a range of network. Traefik can do it alone but I bet experimentation must be done manually

Relevant to wireguard I think yes, it could definitely work, but the pki will need a lot of love. Without it you need to manually create and distribute your keys among the clients and the server. Not really handy

Config of a module route is done in /home/traefik1/.config/state/configs/module_id.yml

Could be nice to cp and paste one to make experimentation
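To make the Traefik-only approach suggested earlier in the thread (IPWhiteList, now IPAllowList) and in the last post concrete, here is an added example of a file-provider dynamic configuration for a single module route. It is not from the thread, the Ns8 docs or the NethServer project: the router and middleware names, the entrypoint name `https`, the host name and the address ranges are assumptions (RFC 5737 documentation addresses), while the backend port 20014 is the phpmyadmin port from the nginx post above. The key is `ipAllowList` in Traefik v3; on Traefik v2 the same block is spelled `ipWhiteList`.

```yaml
# Example dynamic configuration for the Traefik file provider (assumed path:
# /home/traefik1/.config/state/configs/phpmyadmin-restricted.yml).
# Not part of Ns8; names, entrypoint and address ranges are placeholders.
http:
  routers:
    phpmyadmin-restricted:
      # route by host name; the host is an assumption
      rule: "Host(`phpmyadmin.example.org`)"
      # entrypoint name is an assumption, check the real one in traefik.yaml
      entryPoints:
        - https
      # the middleware is what restricts access; it can be attached to any router
      middlewares:
        - admin-allowlist
      service: phpmyadmin-restricted
      # keep TLS on this router so the certificate handling stays in Traefik
      tls: {}

  middlewares:
    admin-allowlist:
      # Traefik v3 name; use "ipWhiteList" with the same fields on Traefik v2
      ipAllowList:
        sourceRange:
          - "203.0.113.10/32"   # a single admin workstation (constructed)
          - "198.51.100.0/24"   # e.g. a VPN client range (constructed)
        # Only needed when Traefik sits behind another proxy (such as the
        # nginx setup above): by default the peer address is checked, which
        # would be 127.0.0.1, so take the client from X-Forwarded-For instead.
        # ipStrategy:
        #   depth: 1

  services:
    phpmyadmin-restricted:
      loadBalancer:
        servers:
          # backend port taken from the phpmyadmin nginx example in this thread
          - url: "http://127.0.0.1:20014"
```

Requests from any other source get a 403 from Traefik before they reach the container, and Let’s Encrypt keeps working because ports 80 and 443 stay with Traefik. The `ipStrategy.depth` setting is the usual pitfall when combining this with a proxy in front: without it the allow list sees only the proxy's own address, so everything is either allowed or denied at once.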