Maybe this is a little bit out of the scope of the original question.
I’m playing around with NS8, installed it on a VPS (Hetzner); installation and config went very well.
In this scenario I have one public IP.
With ports 80 and 443 open, every web service is accessible from everywhere (e.g. cluster-admin, phpmyadmin, etc.).
Is it safe to leave it like this?
I know NS8 has no full-blown firewall. Still, there is firewalld.
If phpmyadmin (or cluster-admin) would run on a different port, a simple firewall-cmd could do the trick and restrict access to these web services without having a different box in front of NS8.
What I found out so far is that in the file /home/traefik1/.config/state/traefik.yaml you can change ports 80 and 443 to e.g. 8080 and 4443 (please do not do this on a production system).
Then run a firewall-cmd to allow e.g. 4443, and all web services are available via e.g. https://ip_or_FQDN:4443/phpmyadmin.
Of course this means ALL web services, like WordPress etc.
Also, this will break the possibility to get Let’s Encrypt certs, add an additional node, etc.
On the other hand, with ports 80 and 443 being free, I could install e.g. Nginx Proxy Manager on the OS (even via podman) and use it as a reverse proxy.
In this case, at least Let’s Encrypt would work again and access could be restricted (at least I know how to do it with Nginx Proxy Manager).
Maybe I’m missing something and it can be done with Traefik.
I searched the forum and read the docs but could not find anything to restrict access to certain web services.
Still, the question remains: is it safe to leave /cluster-admin, /phpmyadmin, /users-admin open to the world if you install NS8 on a VPS?
Indeed, and it should be possible to close off the ports. Here is an example of some snippets where we change the default SSH port 1022 to 2222. Also see the documentation, and simply ask like you are doing now :-)
Hello @mz05er and welcome to the Nethserver community
@stephdl Making use of the condition parameter that you used for the new Mattermost app on NethServer 8, which allows you to disable or enable a specific container based on a given env variable,
couldn’t we implement an ENABLE_PUBLIC = 0
on some of the sensitive containers of an app in NethServer and implement a UI toggle switch for this functionality?
Wouldn’t this work in this regard for things like phpMyAdmin, phpPgAdmin, etc.?
What do you think @davidep of this as a core implementation for the purpose of enabling and disabling specific web access for apps? Wouldn’t this end this question and present the solution?
Thank you all for the welcome and quick response.
I’m impressed.
Yes, this is what I mean. Unfortunately IPWhiteList is deprecated as per the Traefik docs.
The docs refer to IPAllowList (sorry, I don’t want to be petty).
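As an added example (not from this thread and not NS8’s own configuration), here is what the IPAllowList middleware mentioned above looks like in a Traefik v3 dynamic configuration file: the admin paths are limited to an allow list while a public site stays open. The entry point, router and service names, the backend URLs and the address ranges are assumptions with constructed placeholder values.

```yaml
# Added example: Traefik v3 dynamic configuration for the file provider.
# Assumed (not taken from NS8): entry point, router and service names, the
# backend URLs, and the address ranges, which are constructed placeholders.
http:
  middlewares:
    admin-allowlist:
      # ipAllowList is the current name; ipWhiteList is the deprecated one.
      ipAllowList:
        sourceRange:
          - "203.0.113.0/24"   # placeholder: office range allowed in
          - "10.8.0.0/24"      # placeholder: VPN client range allowed in
        # Without ipStrategy the check uses the TCP peer address, so a
        # client-supplied X-Forwarded-For header cannot bypass it. Only set
        # ipStrategy.depth when a trusted proxy sits in front of Traefik.

  routers:
    cluster-admin:
      rule: "PathPrefix(`/cluster-admin`)"
      entryPoints: ["websecure"]
      middlewares: ["admin-allowlist"]   # other sources receive 403
      service: cluster-admin
      tls: {}
    phpmyadmin:
      rule: "PathPrefix(`/phpmyadmin`)"
      entryPoints: ["websecure"]
      middlewares: ["admin-allowlist"]
      service: phpmyadmin
      tls: {}
    # The public site keeps no allow list: only the admin paths are fenced.
    wordpress:
      rule: "Host(`www.example.com`)"
      entryPoints: ["websecure"]
      service: wordpress
      tls: {}

  services:
    cluster-admin:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9311"   # placeholder backend
    phpmyadmin:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9312"   # placeholder backend
    wordpress:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9313"   # placeholder backend
```

NS8 generates its Traefik routes itself, so a hand-written file may be overwritten or conflict with them; take this as the shape of the middleware rather than a drop-in file. After applying it, check from an address outside the list that /cluster-admin returns 403 while the public site still answers.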
What I am doing on my NS7 somewhere on the internet: I disable some services that are well known by the bad guys to be open from public IPs, and I connect to my server with a VPN service to get a local IP. Like this I can use the services that I do not want to be open to bad guys.
What we miss here is a VPN running on NS8.
Like I stated, it was the good old times, mates.
Things are different, but we could imagine running a VPN server on NS8 too.
This is exactly the reason why I currently only use NS8 as a file server with Samba AD and continue to run NS7 for the web services, even if its end is foreseeable…
I don’t want the cluster admin page and other services to be “bare assed” on the Internet and be attacked by script kids.
We do not need nginx or apache to only allow a range of network addresses. Traefik can do it alone, but I bet the experimentation must be done manually.
Relevant to WireGuard, I think yes, it could definitely work, but the PKI will need a lot of love. Without it you need to manually create and distribute your keys among the clients and the server. Not really handy.