NS8 on VPS - restrict access to webservices

If your proposal works for the use case, well and good.

Note that his VPS in its entirety is hosted on the internet, in the cloud.
The chances of blocking access entirely are high in that scenario.

If it will disable access to that specific service, then by all means, sure thing.

Just something to consider.

What I am doing on my NS7 somewhere on the internet: I disable some services that are well known by the bad guys to be open from a public IP, and I connect to my server with a VPN service to get a local IP. Like this I can use the services that I do not want to be open to the bad guys.

What we miss here is a VPN running on the NS8.

Like I stated, it was the good old times, mates.

Things are different, but we could imagine running a VPN server on the NS8 too.

1 Like

This has been my most requested feature and service since day 1. I hope it comes soon, or that the value of it is seen.

HEY, we can also have the good new days, you know…

This is definitely required, and it is not even a joke.

2 Likes

WireGuard? It is already available. Still, https/443 and everything behind it is open for everyone.

We need clients to connect on Windows or Linux.

1 Like

Would be very interesting.

Just a client to which we add the master node join key, and everything just works…

WireGuard seems cross-platform.

By playing around, and with the help of this,

I did the following:

  1. Installed nginx on my Rocky Linux. No Docker or Podman, just dnf install nginx.
  2. Configured nginx to listen on ports 8080 and 1443, with self-signed certs, a vhost and proxy pass.
  3. Ran the commands firewall-cmd --add-forward-port=port=443:proto=tcp:toport=1443
    and firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

So far everything is working. No errors in cluster-admin on the NS8.

Here are 2 examples of an nginx file.

cluster-admin.conf with WebSocket support:


server {
    # nginx takes the forwarded public 443 on port 1443 (see the firewall-cmd rules above)
    listen [::]:1443 ssl;
    listen 1443 ssl;
    server_name your_FQDN;  # e.g. ns8.your.domain
    error_log /var/log/nginx/wp.error.log;
    access_log /var/log/nginx/wp.access.log;
    log_not_found off;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
        # Access control: allow rules are evaluated in order, so they must come
        # before "deny all"; every other client receives 403 Forbidden.
        allow xxx.xxx.xxx.xxx;
        deny all;
        # Hand the request to Traefik, which still listens on 443 on the host itself.
        proxy_pass https://127.0.0.1:443;
        # HTTP/1.1 plus the Upgrade headers are required for the cluster-admin WebSocket.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

and phpmyadmin.conf:


server {
    listen [::]:1443 ssl;
    listen 1443 ssl;
    server_name your_FQDN;  # e.g. phpmyadmin.your.domain
    error_log /var/log/nginx/wp.error.log;
    access_log /var/log/nginx/wp.access.log;
    log_not_found off;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
        # Same allow/deny pattern: listed clients only, everyone else gets 403.
        allow xxx.xxx.xxx.xxx;
        deny all;
        # Straight to the phpMyAdmin container port, bypassing Traefik.
        proxy_pass http://127.0.0.1:20014;
        # proxy_params is a Debian/Ubuntu snippet (Host, X-Real-IP, X-Forwarded-*);
        # on Rocky Linux it has to be created, or those proxy_set_header lines put here.
        include proxy_params;
    }
}

With this config I can restrict access to certain web services because of the allow and deny.

nginx with Let’s Encrypt should be possible too, with certbot.
I’m testing further, but so far it seems to work.

1 Like

Yes, I’m using it very often. Windows, Mac and Linux clients are available.
It is easy to set up and very fast.

Hi @ all,

this is exactly the reason why I currently only use NS8 as a file server with Samba AD and continue to run NS7 for the web services, even if its end is foreseeable…
I don’t want the cluster-admin page and other services to be “bare-assed” on the Internet and attacked by script kiddies.

Regards

Uwe

We do not need nginx or Apache to only allow a network range. Traefik can do it alone, but I bet the experimentation must be done manually.

Relevant to WireGuard, I think yes, it could definitely work, but the PKI will need a lot of love. Without it you need to manually create and distribute your keys among the clients and the server. Not really handy.

The config of a module route is done in /home/traefik1/.config/state/configs/module_id.yml

It could be nice to copy and paste one to experiment.

7 posts were split to a new topic: VPN UI implementation on NS8

I’m willing to learn, but I have to admit that I do not understand what to do :man_facepalming:
What I can do is provide a VPS for testing if needed and, of course, share what I have. I own a domain, so it would be possible to play around with DNS etc.

But as already stated, it should be possible to block web services. Even wg-easy provides a web interface which is accessible from the world.

I checked this

and added the following to mariadb1.yml and wordpress1.yml after http to see if I get blocked:

  middlewares:
    test-ipallowlist:
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"

Unfortunately with no success.
I’m not sure if I have to restart the container; anyway, a podman restart --all did not have any effect.

OK, I think I got this.
I successfully added “ipAllowList” to several .yml files in /home/traefik1/.config/state/configs

Please do not do this on a production system!!!

As an example I will post here my

  1. mariadb1.yml to restrict access to phpmyadmin

http:
  middlewares:                 <-- Add
    pma-ipallowlist:           <-- Add
      ipAllowList:             <-- Add
        sourceRange:           <-- Add
          - "127.0.0.1/32"     <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"  <-- Add, here you can add IPs to allow access
  services:
    mariadb1:
      loadBalancer:
        servers:
        - url: http://127.0.0.1:20014
  routers:
    mariadb1-http:
      rule: Path(`/phpmyadmin`) || PathPrefix(`/phpmyadmin/`)
      middlewares:             <-- Add
      - pma-ipallowlist        <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
    mariadb1-https:
      rule: Path(`/pma`) || PathPrefix(`/pma/`)
      middlewares:             <-- Add
      - pma-ipallowlist        <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
      tls: {}

I added everything marked with “<-- Add” to the existing config.
A restart of the container was not necessary.

  2. _api_server.yml to restrict access to cluster-admin

http:
  middlewares:                 <-- Add
    cluster-ipallowlist:       <-- Add
      ipAllowList:             <-- Add
        sourceRange:           <-- Add
          - "127.0.0.1/32"     <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"  <-- Add, here you can add IPs to allow access
    ApiServer-stripprefix:
      stripPrefix:
        forceSlash: 'false'
        prefixes:
        - /cluster-admin
    ApiServerMw2:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
  routers:
    ApiServer-http:
      entrypoints:
      - http
      middlewares:
      - http2https-redirectscheme
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      priority: '100000'
    ApiServer-https:
      entrypoints:
      - https
      middlewares:
      - cluster-ipallowlist    <-- Add
      - ApiServerMw2
      - ApiServer-stripprefix
      priority: '100000'
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      tls: {}
  services:
    ApiServer:
      loadBalancer:
        servers:
        - url: http://127.0.0.1:9311

I added everything marked with “<-- Add” to the existing config.
A restart of the container was not necessary.

As you can see, the “<-- Add” lines are in different places.
It looks like there is no “one fits all” solution here, but I might be wrong.

The openldap1-amld.yml also has to be modified differently.
Directly after the last “middlewares:” add the following:

    uadmin-ipallowlist:
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "xxx.xxx.xxx.xxx"

Then look for “middlewares:” in “openldap1-amld-http:” and “openldap1-amld-https:”.
Add “- uadmin-ipallowlist” as the first entry.

It seems that “ipAllowList” can be applied to all .yml files where you want to restrict access.

Can someone confirm that this is the right way to do it?
Another thing is that I don’t believe this will survive updates, am I right?

Lastly, in my opinion, it would be nice to have something like this in the cluster-admin GUI.
Even when I run NS8 in the LAN only, it should be possible to restrict access to certain web services; again, this is my opinion.

1 Like

Replace /home/traefik1/.config/state/configs/_api_server.yml with this (testing, of course), and whatever is not a private IP is out.

http:
  middlewares:
    ApiServer-stripprefix:
      stripPrefix:
        forceSlash: 'false'
        prefixes:
        - /cluster-admin
    ApiServerMw2:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
    IPWhitelist:
      ipWhiteList:
        sourceRange:
        - 10.0.0.0/8   # Add your private IP ranges here
        - 172.16.0.0/12
        - 192.168.0.0/16
  routers:
    ApiServer-http:
      entrypoints:
      - http
      middlewares:
      - http2https-redirectscheme
      - IPWhitelist
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      priority: '100000'
    ApiServer-https:
      entrypoints:
      - https
      middlewares:
      - ApiServerMw2
      - ApiServer-stripprefix
      - IPWhitelist
      priority: '100000'
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      tls: {}
  services:
    ApiServer:
      loadBalancer:
        servers:
        - url: http://127.0.0.1:9311

This file is created during the create-module action, so it should not be generated again except on module restoration or module clone.
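Below is an added example, not NS8 or Traefik code, that does mechanically what the two posts above (the per-file "<-- Add" edits and the private-range _api_server.yml) do by hand. It takes the parsed content of a route file such as _api_server.yml or mariadb1.yml, defines one allow-list middleware and puts it first on every router, so the "different places" problem disappears and the script can simply be re-run after anything regenerates the file. The config dicts are constructed from the files shown in the thread; the file round-trip at the bottom assumes PyYAML is installed, and the middleware name and "allowlist.py" filename are made up for the example. The is_allowed function reproduces the decision the middleware makes (the same decision as the nginx "allow ...; deny all;" pair in the earlier post), which lets you check a list before deploying it: the WireGuard client at 10.8.0.2 passes 10.0.0.0/8, a public address does not.

```python
"""Add a Traefik allow-list middleware to an NS8 module route file.

Added example, not NS8 or Traefik code. It works on the parsed YAML of a file
such as /home/traefik1/.config/state/configs/_api_server.yml (a dict here)
and prepends one allow-list middleware to every router, so one call covers the
differently shaped mariadb1.yml, _api_server.yml and openldap1-amld.yml.
"""
import copy
import ipaddress

# Constructed sample: the _api_server.yml shape posted in the thread, as a dict.
API_SERVER_CONFIG = {
    "http": {
        "middlewares": {
            "ApiServer-stripprefix": {
                "stripPrefix": {"forceSlash": "false", "prefixes": ["/cluster-admin"]}
            },
            "ApiServerMw2": {
                "redirectRegex": {"regex": "^.*/cluster-admin$", "replacement": "/cluster-admin/"}
            },
        },
        "routers": {
            "ApiServer-http": {
                "entrypoints": ["http"],
                "middlewares": ["http2https-redirectscheme"],
                "rule": "Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)",
                "service": "ApiServer",
                "priority": "100000",
            },
            "ApiServer-https": {
                "entrypoints": ["https"],
                "middlewares": ["ApiServerMw2", "ApiServer-stripprefix"],
                "priority": "100000",
                "rule": "Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)",
                "service": "ApiServer",
                "tls": {},
            },
        },
        "services": {
            "ApiServer": {"loadBalancer": {"servers": [{"url": "http://127.0.0.1:9311"}]}}
        },
    }
}

# Constructed sample: mariadb1.yml shape, whose routers carry no middlewares key.
MARIADB_CONFIG = {
    "http": {
        "services": {
            "mariadb1": {"loadBalancer": {"servers": [{"url": "http://127.0.0.1:20014"}]}}
        },
        "routers": {
            "mariadb1-http": {
                "rule": "Path(`/phpmyadmin`) || PathPrefix(`/phpmyadmin/`)",
                "priority": "1",
                "entryPoints": "http,https",
                "service": "mariadb1",
            }
        },
    }
}

PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def normalize_ranges(ranges):
    """Return canonical CIDR strings; a bare address becomes /32 (or /128).
    An unparsable entry such as a left-over "xxx.xxx.xxx.xxx" placeholder
    raises ValueError instead of ending up in a file Traefik refuses to load."""
    return [str(ipaddress.ip_network(r, strict=False)) for r in ranges]


def add_ip_allow_list(config, name, ranges, key="ipAllowList"):
    """Return a copy of config with middleware `name` defined and attached as
    the first middleware of every router. Re-running it changes nothing.
    `key` is "ipAllowList" (current spelling) or "ipWhiteList" (older v2)."""
    new = copy.deepcopy(config)
    http = new.setdefault("http", {})
    http.setdefault("middlewares", {})[name] = {key: {"sourceRange": normalize_ranges(ranges)}}
    for router in http.get("routers", {}).values():
        mws = router.get("middlewares", [])
        if isinstance(mws, str):  # NS8 writes entryPoints as "http,https"; tolerate that form here
            mws = [m.strip() for m in mws.split(",") if m.strip()]
        router["middlewares"] = [name] + [m for m in mws if m != name]
    return new


def is_allowed(client_ip, ranges):
    """Pass iff the client address lies inside at least one listed range,
    which is what the middleware decides. IPv4 never matches an IPv6 range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


if __name__ == "__main__":
    # Usage: python3 allowlist.py <route.yml> <range> [<range> ...] > new.yml
    # The rewritten file goes to stdout so it can be diffed before replacing the original.
    import sys
    try:
        import yaml  # PyYAML, only needed for the file round-trip
    except ImportError:
        sys.exit("PyYAML is required for file rewriting (pip install pyyaml)")
    with open(sys.argv[1]) as fh:
        cfg = yaml.safe_load(fh)
    cfg = add_ip_allow_list(cfg, "cluster-ipallowlist", sys.argv[2:])
    sys.stdout.write(yaml.safe_dump(cfg, sort_keys=False))
```

Two caveats when using this. Traefik compares the address of the TCP peer, so if anything else proxies in front of it (the nginx setup from the earlier post, for instance) the list sees that proxy's address unless the middleware's ipStrategy option is configured. And 10.0.0.0/8 admits far more than one tunnel; listing the WireGuard subnet itself is tighter.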

It works :+1:
I did not change anything.
Access from external (no VPN) to cluster-admin is “Forbidden”.
As soon as I start my WireGuard tunnel on the client (local IP: 10.8.0.2/24) I can access cluster-admin.
One question: shouldn’t it be ipAllowList?

1 Like

Yes, it should.

@stephdl, how “simple” is it to include this in the web interface?

  1. Enable/disable with ipWhitelist for cluster-admin
  2. for any other app I have built or that has been built into NS8

Could an implementation within the cluster-admin UI be configured to allow selecting the installed app and applying the given config, even if it means manually entering the pod name?

A bit more complicated, because it is a static file; there is no logic to rewrite it on the fly.

The logic would be a file generated by an action; it is a matter of adding this condition to set-route.

However, the way for the next few weeks/months is no more new code but a massive bug hunt.

Let’s speak of it later.

1 Like