LDAP port (security considerations)
-
wrote on Jul 28, 2023, 4:53 PM
The way I understood it from the hints I've got, when I expose my LDAP to the outside, you are not spawning a separate process, but instead re-route port 3004 to the web service - ldapjs - https://github.com/ldapjs/node-ldapjs/
I'm wondering if I can limit access to port 3004 to a specific IP address? Or, even better, I would love to see limited access to some specific URLs - so that I could restrict access to 'ldapjs' only to my internal servers, as well as access to '/well-known/' or other web services.
It feels like a relatively easy thing to do at nginx side, unless I'm wrong or missing something?
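As an added illustration of the allow-list idea from the question (not Cloudron's own configuration and not code from the original post), this is how it looks in a self-managed nginx in front of the services: an `allow`/`deny` gate on the LDAP port via the stream module, and the same gate on a single web path. The IP ranges, the loopback port 13004 assumed for ldapjs, the hostname and the certificate paths are placeholders.

```nginx
# TCP-level gate for the directory server port (needs ngx_stream_module).
stream {
    server {
        listen 3004;
        allow 10.0.0.0/8;            # internal servers (assumed range)
        allow 10.8.0.0/24;           # VPN / security-gate range (assumed)
        deny  all;                   # refused at connect time, before any LDAP bind
        proxy_pass 127.0.0.1:13004;  # assumed loopback port where ldapjs listens
    }
}

http {
    server {
        listen 443 ssl;
        server_name app.example.com;                       # placeholder hostname
        ssl_certificate     /etc/ssl/app.example.com.pem;  # placeholder paths
        ssl_certificate_key /etc/ssl/app.example.com.key;

        # Path-level allow-list: only the internal ranges reach this path;
        # nginx answers 403 for every other client address.
        location /well-known/ {
            allow 10.0.0.0/8;
            allow 10.8.0.0/24;
            deny  all;
            proxy_pass http://127.0.0.1:8080;  # assumed app backend
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

When requests arrive through a proxy such as Cloudflare or a security gate, nginx sees the proxy's address, so the allow-list must name that address (or use the real_ip module to trust its forwarded headers). An allow-list on nginx also does nothing for clients that can reach the origin IP directly, which is the concern raised later in the thread.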
-
I guess you refer to https://docs.cloudron.io/user-management/#directory-server which is by default set up to only allow connections from the specified IPs/IP-ranges
-
wrote on Jul 28, 2023, 5:15 PM
Yes, I am. It seems I forgot that I made that setting with my own hand.
Is it possible to set this up for other services and web apps, including dashboard?
-
@potemkin_ai said in LDAP port (security considerations):
Is it possible to set this up for other services and web apps, including dashboard?
It's easier to discuss if you can give us concrete use cases (of what you are trying to achieve). Generally, anything is possible, but the way we go about Cloudron development itself is to be a solution and not a generic server management panel where a sysadmin can achieve all sorts of setups.
-
Couldn't find a good link but we do batteries included - https://en.wikipedia.org/wiki/Batteries_Included .
-
wrote on Jul 29, 2023, 7:19 AM
@girish thanks! I would like to be able to close some web apps to be only accessible from a specific IP set.
For example, Jitsi to be used by those who logged in via VPN.
Does it make sense?
-
@potemkin_ai Ah ok. The VPN use case requires a lot more platform integration and cannot be achieved just using some iptables rules. That feature is planned for 7.6 - https://forum.cloudron.io/topic/9180/what-s-coming-in-7-5/2 .
-
wrote on Jul 30, 2023, 5:43 PM
@girish agh, I meant some security gate that closes Cloudron from the outside and all of the traffic is coming from there - so I do know the IP address of all of the clients, as it's my security gate, and I want to make sure no one from the outside world would reach a specific app.
Does it make sense?
Speaking about Cloudron built-in VPN integration - do you already have some plans for how WireGuard integration & management would look like?
-
@potemkin_ai IP block/allow on app level including Geo-block/allow might be a solution? I use Cloudflare for some (sub)domains for this but would love to have it inside Cloudron!
-
wrote on Jul 30, 2023, 8:00 PM
@imc67 geo-block feels like a more feature-rich solution, that might be of help, but not exactly my cup of tea.
I would guess, that Cloudflare doesn't prevent anyone from accessing your web service directly (should they figure out the IP address, for example, via e-mail you've sent)?